Thanks, error went away. All that remains is my iptables rules.

On Sat, Nov 30, 2013 at 7:45 AM, Pavel Kazlenka <pavel.kazlenka@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 11/30/2013 03:33 PM, Monah Baki wrote:
>>
>> Hi Amos,
>>
>> Thanks for the explanation. I switched to intercept, yet once I restart
>> squid I am still seeing the "No forward proxy ports configured".
>>
>> The same machine later on will also be running iptables since it has 2
>> NICs in it.
>
> You need both one 'intercept' and one 'forward proxy' port in the config even if
> you don't use the forward proxy:
>
> http_port 3129
> http_port 3128 intercept
>
>>
>> Monah
>>
>> On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> On 30/11/2013 10:26 a.m., Monah Baki wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I'm trying to set up a transparent proxy with squid 3.3.9 using the following
>>>> URL:
>>>>
>>>> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>>>>
>>>> What's the difference between
>>>>
>>>> http_port 3128 transparent
>>>
>>> The above expects all arriving traffic to be in HTTP port 80 origin
>>> server format. Used for receiving intercept-proxy traffic.
>>>
>>> Also, the TCP level details are assumed to have passed through some form
>>> of NAT system and need to be un-NAT'd before use. In Squid since 3.2, if
>>> the original TCP details are not found in the NAT records, some
>>> restrictions are placed on what happens with the request and response.
>>>
>>>> and
>>>> http_port 3128
>>>>
>>> This one expects all arriving traffic to be in HTTP proxy format. Used
>>> for receiving forward-proxy traffic.
>>>
>>>> If I were to configure with http_port 3128 transparent and restart
>>>> squid, I get in my access.log file:
>>>> ERROR: No forward-proxy ports configured.
>>>>
>>>> If I were to then browse, nothing happens.
>>>>
>>>> I am not running iptables, by the way.
>>>
>>> iptables or some other NAT system is mandatory for getting the traffic
>>> to an intercept port. Squid is fetching the TCP details from the kernel
>>> NAT records and using that as the preferred destination on outbound
>>> connections.
>>>
>>> As for the tutorial: it is broken in several major ways, which for an
>>> 8-line example is remarkable in itself. Consider following the official
>>> wiki configuration example instead:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>
>>> * The "transparent" option has been deprecated by the "intercept" option
>>> since 2010.
>>>
>>> * Using DNAT rules without matching SNAT rules prevents TCP reply
>>> packets working at all. I'm not surprised half the comments are about it
>>> "not working".
>>>
>>> * Having both REDIRECT and DNAT rules on the same box is overkill
>>> anyway. DNAT is best for machines with a static IP address, REDIRECT for
>>> machines with a dynamically assigned IP address or if writing examples for
>>> complete newbies.
>>>
>>> * Using port 3128 for the intercept port is a very BAD idea. There are
>>> active attacks in the wild scanning for open proxy ports, and intercept
>>> without firewall protection on the port is ripe for attack. It should be
>>> a secret port which you can firewall away from all access beyond the
>>> machine itself. Only the NAT firewall and Squid need to use it.
>>>
>>> HTH
>>> Amos
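The pieces of advice in the thread above (one forward-proxy port plus one intercept port, 'intercept' instead of 'transparent', REDIRECT rather than DNAT on a box whose LAN address may change, and an intercept port that nothing outside the machine can reach) fit together into a single script. The one below is an added example written for this page; it is not code from the thread, from the linked tutorial, or from the Squid project. It assumes the single-box case the original poster describes (Squid and the NAT rules on one machine with two NICs), a client-facing interface named eth1, 3128 as the forward-proxy port and 3129 as the intercept port; all of those names and numbers are placeholders to be changed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project. It puts the
# advice above into one script for the single-box case (Squid and the NAT rules
# on the same machine with two NICs): one forward port plus one intercept port,
# REDIRECT rather than DNAT, and the intercept port firewalled from everything
# except redirected port-80 traffic. Interface and port numbers are hypothetical.
LAN_IF="${LAN_IF:-eth1}"                  # NIC facing the clients (assumption)
FORWARD_PORT="${FORWARD_PORT:-3128}"      # clients explicitly configured to use a proxy
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # only the kernel NAT and Squid use this

# squid.conf port lines: both are needed even if no client ever uses the
# forward port; 'intercept' replaces the deprecated 'transparent' flag.
squid_ports() {
    printf 'http_port %s\n' "$FORWARD_PORT"
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# iptables rules. REDIRECT rewrites the destination to the address of the
# interface the packet arrived on, so replies come back through this kernel
# and no SNAT rule is needed (that is the DNAT-without-SNAT trap above).
intercept_rules() {
    cat <<EOF
# mangle PREROUTING runs before nat PREROUTING, so a packet addressed to the
# intercept port from any non-loopback interface is dropped before it can be
# delivered; redirected packets still carry dport 80 at this point and pass.
iptables -t mangle -A PREROUTING ! -i lo -p tcp --dport $INTERCEPT_PORT -j DROP
# Client traffic to port 80 arriving on the LAN side goes to the intercept port.
# Squid's own outbound fetches originate locally (nat OUTPUT chain), so they
# are not matched here and cannot loop back into Squid.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
# The forward-proxy port is reachable from the LAN and loopback only, never
# from the other NIC, so it is not an open proxy for the scanners mentioned.
iptables -A INPUT -i lo -p tcp --dport $FORWARD_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $FORWARD_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $FORWARD_PORT -j DROP
EOF
}

# Run without arguments to print the squid.conf lines and the rules; run with
# 'apply' (as root) to execute the iptables commands.
case "${1:-show}" in
    apply) intercept_rules | grep -v '^#' | sh -e ;;
    *)     squid_ports; echo; intercept_rules ;;
esac
```

Running the script with no arguments only prints what it would do, which is the safe way to review the rule set before `apply`. The mangle-table DROP is what turns the intercept port into the "secret port" Amos describes: it can be hit only by traffic the kernel itself redirected, never by a scanner connecting to it directly. If Squid runs on a different host from the NAT router, REDIRECT no longer applies and the DNAT rule must be paired with SNAT or MASQUERADE so that replies return through the router, exactly the failure mode called out in the thread.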