Hi Amos

Thanks for the response. The explanation was excellent. The firewall in my case is an Aruba wireless controller. It has a web interface that does not have a "route only" option. I will have to see if I can do it from the console on the controller. I will post back when I get it working.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: 04 April 2013 04:56 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: RE: Squid 3.3 WARNING: Forwarding loop detected for:

On 4/04/2013 3:16 a.m., Ewan Sadie wrote:
> I am new to iptables so I tried the following.
> I changed the listening port on the proxy to 3127, so that I do not need to change the DNAT on the router.
> The router does a DNAT to 3128.

What you have done:

Router receives a packet saying:
  client 192.168.0.2 connect to website 1.2.3.4:80
router NAT removes 1.2.3.4:80 and adds 192.168.0.1:3128

Squid box receives a packet saying:
  client 192.168.0.1 connect to website 192.168.0.1:3128
Squid box NAT removes 192.168.0.1:3128 and adds 192.168.0.1:3127

Squid receives packet saying:
  client 192.168.0.1 connect to website 192.168.0.1:3127
the box NAT system informs Squid the packet destination was originally 192.168.0.1:3128

... there is a result. NAT is working perfectly fine *on the Squid box*. So failure warnings do not appear.

But where does Squid connect?

The HTTP Host: header cannot be trusted much in interception mode (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801). Squid-3.2 and later will verify that the 192.168.0.2:3128 IP address NAT delivered belongs to the Host: header domain before allowing the Host: header to be used. When it fails (as it will fail 100% on your system) Squid will be transparent and pass the request on to the same place the client was connecting.

On your system Squid is transparently relaying the intercepted traffic to the web server it is being told exists at 192.168.0.1:3128.

Routers need to *route* the port 80 traffic to the Squid box *without* using NAT.

Amos

> I then ran the following command on the Squid server,
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3127
>
> I now do not see the forward loop errors any more but I do get TCP_MISS/503
> I can still browse via the proxy by connecting to port 8080 so I know there are no rules blocking me.
> The fact that I get results in the access.log indicates to me that the redirection is happening.
>
> -----Original Message-----
> From: Ewan Sadie
>
> Hi All
>
> Did the handling of intercept change since Squid 3.2.x?
> Based on this article http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html, it seems that you have to do a redirect on the Squid box itself as well as on the router.
> Is this the case? I do not want to over complicate the setup with an additional firewall as well.

Switch "as well as" for "instead of" and you will have the right idea.

Amos
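Added example, not from the thread or from Squid itself: a small Python model of the two packet paths Amos describes (router DNAT followed by REDIRECT on the Squid box, versus route-only followed by REDIRECT), with a simplified version of the Squid 3.2+ Host: header check. The DNS entry example.com -> 1.2.3.4, the client port and the conntrack behaviour are constructed assumptions for the simulation.

```python
"""Model of the interception paths in the thread: DNAT-on-router vs route-only.

Constructed simulation of iptables NAT and a simplified Squid 3.2+ Host:
verification; it is not Squid code and ignores source NAT on the router."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed DNS table: the thread's example website
DNS = {"example.com": "1.2.3.4"}


@dataclass(frozen=True)
class Packet:
    src: str                          # "ip:port" of the client
    dst: str                          # "ip:port" currently on the packet
    host_hdr: str                     # HTTP Host: header inside the request
    orig_dst: Optional[str] = None    # pre-NAT destination conntrack reports


def router_dnat(p: Packet, new_dst: str) -> Packet:
    """Router rewrites the destination; the Squid box never sees the real one."""
    return replace(p, dst=new_dst)


def squid_box_redirect(p: Packet, listen_port: int) -> Packet:
    """iptables REDIRECT on the Squid box; conntrack remembers the original dst."""
    ip = p.dst.split(":")[0]
    return replace(p, dst=f"{ip}:{listen_port}", orig_dst=p.dst)


def squid_forward_target(p: Packet) -> Tuple[str, str]:
    """Where Squid connects: Host: only if it resolves to NAT's original dst IP."""
    orig_ip, orig_port = p.orig_dst.split(":")
    if DNS.get(p.host_hdr) == orig_ip:
        return ("host", f"{DNS[p.host_hdr]}:{orig_port}")
    # verification failed: relay transparently to the original destination
    return ("orig_dst", p.orig_dst)


def dnat_setup() -> Tuple[str, str]:
    """Ewan's setup: router DNATs 1.2.3.4:80 to the Squid box on 3128."""
    p = Packet(src="192.168.0.2:40000", dst="1.2.3.4:80", host_hdr="example.com")
    p = router_dnat(p, "192.168.0.1:3128")
    p = squid_box_redirect(p, 3127)
    return squid_forward_target(p)   # returns ("orig_dst", "192.168.0.1:3128")


def route_only_setup() -> Tuple[str, str]:
    """Amos's advice: router only routes the packet; only the Squid box NATs."""
    p = Packet(src="192.168.0.2:40000", dst="1.2.3.4:80", host_hdr="example.com")
    p = squid_box_redirect(p, 3127)
    return squid_forward_target(p)   # returns ("host", "1.2.3.4:80")
```

In the DNAT case the only destination Squid can learn is its own 192.168.0.1:3128, which is why the relay points back at the proxy; in the route-only case the original 1.2.3.4:80 survives and the Host: check passes.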