Hi Amos,

Thanks for the explanation. I switched to intercept yet once I restart squid, I am still seeing the "No forward proxy ports configured". The same machine later on will also be running iptables since it has 2 NICs in it.

Monah

On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 30/11/2013 10:26 a.m., Monah Baki wrote:
>> Hi all,
>>
>> I'm trying to set up a transparent proxy squid 3.3.9 using the following URL:
>>
>> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>>
>> What's the difference between
>>
>> http_port 3128 transparent
>
> The above expects all arriving traffic to be in HTTP port 80 origin
> server format. Used for receiving intercept-proxy traffic.
>
> Also, the TCP level details are assumed to have passed through some form
> of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
> the original TCP details are not found in the NAT records some
> restrictions are placed on what happens with the request and response.
>
>> and
>> http_port 3128
>
> This one expects all arriving traffic to be in HTTP proxy format. Used
> for receiving forward-proxy traffic.
>
>> If I were to configure with http_port 3128 transparent and restart
>> squid I get in my access.log file:
>> ERROR: No forward-proxy ports configured.
>>
>> If I were to then browse, nothing happens.
>>
>> I am not running iptables by the way.
>
> iptables or some other NAT system is mandatory for getting the traffic
> to an intercept port. Squid is fetching the TCP details from the kernel
> NAT records and using that as the preferred destination on outbound
> connections.
>
> As for the tutorial. It is broken in several major ways. Which for an
> 8-line example is remarkable in itself. Consider following the official
> wiki configuration example instead
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
> * The "transparent" option has been deprecated by the "intercept" option
> since 2010.
>
> * Using DNAT rules without matching SNAT rules prevents TCP reply
> packets working at all. I'm not surprised half the comments are about it
> "not working".
>
> * Having both REDIRECT and DNAT rules on the same box is overkill
> anyway. DNAT is best for machines with a static IP address, REDIRECT for
> machines with dynamically assigned IP address or if writing examples for
> complete newbies.
>
> * Using port 3128 for the intercept port is a very BAD idea. There are
> active attacks in the wild scanning for open proxy ports and intercept
> without firewall protection on the port is ripe for attack. It should be
> a secret port which you can firewall away from all access beyond the
> machine itself. Only the NAT firewall and Squid need to use it.
>
> HTH
> Amos