On 30/11/2013 10:26 a.m., Monah Baki wrote:
> Hi all,
>
> I'm trying to set up a transparent proxy squid 3.3.9 using the following URL:
>
> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>
> What's the difference between
>
> http_port 3128 transparent

The above expects all arriving traffic to be in HTTP port 80 origin server
format. Used for receiving intercept-proxy traffic.

Also, the TCP level details are assumed to have passed through some form
of NAT system and need to be un-NAT'd before use. In Squid since 3.2, if
the original TCP details are not found in the NAT records, some
restrictions are placed on what happens with the request and response.

> and
> http_port 3128
>

This one expects all arriving traffic to be in HTTP proxy format. Used
for receiving forward-proxy traffic.

>
> If I were to configure with http_port 3128 transparent and restart
> squid I get in my access.log file:
> ERROR: No forward-proxy ports configured.
>
> If I were to then browse, nothing happens.
>
> I am not running iptables by the way.

iptables or some other NAT system is mandatory for getting the traffic
to an intercept port. Squid is fetching the TCP details from the kernel
NAT records and using that as the preferred destination on outbound
connections.

As for the tutorial, it is broken in several major ways, which for an
8-line example is remarkable in itself. Consider following the official
wiki configuration example instead:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

* The "transparent" option has been deprecated by the "intercept" option
since 2010.

* Using DNAT rules without matching SNAT rules prevents TCP reply packets
working at all. I'm not surprised half the comments are about it "not
working".

* Having both REDIRECT and DNAT rules on the same box is overkill anyway.
DNAT is best for machines with a static IP address, REDIRECT for machines
with a dynamically assigned IP address or if writing examples for complete
newbies.

* Using port 3128 for the intercept port is a very BAD idea. There are
active attacks in the wild scanning for open proxy ports, and an intercept
port without firewall protection is ripe for attack. It should be a secret
port which you can firewall away from all access beyond the machine
itself. Only the NAT firewall and Squid need to use it.

HTH
Amos
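The four tutorial mistakes listed in the reply (the deprecated "transparent" keyword, no forward-proxy port left, DNAT without SNAT plus a redundant REDIRECT, and a well-known port used for interception) are all visible in the configuration text before Squid is ever restarted. The following linter is an added example, not code from the squid-users thread or from the Squid project: it reads a squid.conf fragment and an iptables-save style nat table and reports each of those pitfalls. The sample configurations, the loopback-only rule for the intercept port, and the list of "well-known proxy ports" are my own assumptions for the demo.

```python
"""
Added example (not from the squid-users thread): a small linter that flags
the squid.conf / iptables mistakes discussed above, so an interception setup
can be checked before restarting Squid.  Inputs are plain text in squid.conf
and iptables-save format.  All sample configs below are constructed.
"""

# "transparent" is the deprecated spelling of the "intercept" port mode.
INTERCEPT_MODES = ("intercept", "transparent")

# Ports an open-proxy scanner would try first (assumed list for the demo).
WELL_KNOWN_PROXY_PORTS = {3128, 8080, 8118, 3127}

LOOPBACK_ADDRS = ("127.0.0.1", "localhost", "::1")


def check_squid_conf(conf_text):
    """Return human-readable findings for the http_port lines in conf_text."""
    findings = []
    ports = []  # (bind address, port number, intercept modes found)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("http_port"):
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append("http_port line without a port: %r" % raw)
            continue
        addr, _, port_str = parts[1].rpartition(":")
        addr = addr.strip("[]")  # allow [::1]:3129 style IPv6 specs
        if not port_str.isdigit():
            findings.append("unparseable http_port spec: %r" % parts[1])
            continue
        port = int(port_str)
        modes = [p for p in parts[2:] if p in INTERCEPT_MODES]
        ports.append((addr, port, modes))
        if "transparent" in modes:
            findings.append("port %d uses 'transparent', deprecated since 2010; "
                            "use 'intercept'" % port)
        if modes:
            if port in WELL_KNOWN_PROXY_PORTS:
                findings.append("intercept port %d is a well-known proxy port; "
                                "use a private port" % port)
            if addr not in LOOPBACK_ADDRS:
                findings.append("intercept port %d is not bound to loopback; "
                                "only the NAT firewall and Squid need it" % port)
    # Every http_port in intercept mode means Squid has no forward-proxy port.
    if ports and all(modes for _, _, modes in ports):
        findings.append("no forward-proxy port configured (Squid logs "
                        "'ERROR: No forward-proxy ports configured')")
    return findings


def check_iptables(rules_text):
    """Return findings for an iptables-save style dump of the nat table."""
    findings = []
    has_dnat = has_snat = has_redirect = False
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line.startswith("-A"):
            continue
        if "-j DNAT" in line:
            has_dnat = True
        elif "-j REDIRECT" in line:
            has_redirect = True
        elif "-j SNAT" in line or "-j MASQUERADE" in line:
            has_snat = True
    if has_dnat and not has_snat:
        findings.append("DNAT rule without a matching SNAT/MASQUERADE rule: "
                        "TCP reply packets will not work")
    if has_dnat and has_redirect:
        findings.append("both REDIRECT and DNAT rules present; pick one "
                        "(DNAT for a static IP, REDIRECT for a dynamic IP)")
    if not (has_dnat or has_redirect):
        findings.append("no DNAT or REDIRECT rule: port 80 traffic never "
                        "reaches the intercept port")
    return findings


# Constructed sample resembling the broken tutorial: one port, deprecated
# keyword, well-known port, not on loopback, DNAT without SNAT plus REDIRECT.
BROKEN_SQUID_CONF = "http_port 3128 transparent\n"
BROKEN_NAT_RULES = """*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3128
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""

# Constructed sample following the advice: separate forward-proxy port,
# private loopback-only intercept port, a single REDIRECT rule.
GOOD_SQUID_CONF = "http_port 3128\nhttp_port 127.0.0.1:3129 intercept\n"
GOOD_NAT_RULES = """*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
"""

if __name__ == "__main__":
    for label, conf, nat in (("broken", BROKEN_SQUID_CONF, BROKEN_NAT_RULES),
                             ("good", GOOD_SQUID_CONF, GOOD_NAT_RULES)):
        print("[%s]" % label)
        for f in check_squid_conf(conf) + check_iptables(nat):
            print("  -", f)
```

Run it as a script to see the broken sample produce six findings and the corrected one none; in practice, feed it `cat /etc/squid/squid.conf` and `iptables-save -t nat` output. The REDIRECT rule in the good sample needs no SNAT because the packet is delivered to the local host, which is why the DNAT check only complains when DNAT is present without a matching SNAT or MASQUERADE rule.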