Hi, why this? Doesn't this block all traffic getting to the squid port?

iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

What I would do to test is run tcpdump on the squid box and capture all traffic coming to it on the squid listening port, then go to a test machine on the eth or wireless and do a "telnet google.com 80" and see what you get on the squid box. Make sure your src and dst addresses are right. Then check the squid logs. I presume you can get to the internet from the squid box?

On 24 June 2015 at 22:30, Dalmar <maamule10@xxxxxxxxx> wrote:
> squid 3.3.8 and ubuntu 15.04 server
>
> 2015-06-24 15:04 GMT+03:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
>>
>> Squid 3.5.x?
>>
>> 24.06.15 18:03, Dalmar wrote:
>>
>> Hi,
>> For over two weeks I have been having a real headache configuring squid
>> transparent/intercept.
>> I have tried different options and configurations but I couldn't get it to
>> work.
>> I think the problem lies in the iptables / NAT but I really couldn't
>> solve it.
>> I have tried different iptables rules including the intercept LinuxDnat /
>> sysctl configuration, but it didn't work.
>>
>> # your proxy IP
>> SQUIDIP=X.X.X.X
>>
>> # your proxy listening port
>> SQUIDPORT=XXXX
>>
>> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> I have to say that squid works well when I configure it in the client
>> browsers.
>>
>> At the Mikrotik side, I am using DST-NAT chain, port 80, protocol TCP, action
>> DST-NAT to address squidIP and port.
>>
>> I am using Ubuntu server 15.04 with squid 3.3.8 and this is my
>> configuration and the errors I get:
>>
>>          ------ eth0 WAN <----- MAIN WAN Public IP Internet
>>   MK---|
>>          ------ eth1 LAN
>>        |
>>          ------ eth2 Proxy
>>
>>             ------ eth0 WAN ---> Public IP --> Internet --> gets internet from 24online / another Mikrotik
>>   Squid---|
>>             ------ eth1 Proxy
>>           |
>>             ------ eth2 webmin --> For server Management
>>
>> - error1: if no intercept/transparent and no iptables is configured:
>>   - Invalid URL - The requested URL could not be retrieved
>>   - but if the proxy is configured in the user browser, it works!
>>
>> - error2: if intercept and iptables DNAT are configured:
>>   - Access Denied, and in the access log TCP-MISS/403
>>   - no forward proxy port configured
>>   - security alert: host header forgery detected on local=SquidIP:8080 remote:mikrotikIP (local ip does not match any domain name)
>>   - warning: forwarding loop detected (X-Forwarded-For: mikrotik LAN IP)
>>
>> squid.conf
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> http_port 8080
>> http_port 8181
>> cache_mem 2000 MB
>> cache_dir ufs /var/spool/squid3 100000 16 256
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 20% 4320
>> cache_effective_user proxy
>> cache_effective_group proxy
>>
>> ----------------------------------------
>> I am really confused, can anyone guide me please.
>> Thanks in advance
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
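The first reply asks whether the quoted mangle rule blocks all traffic reaching the squid port. The following Python model, added here and not code from the thread, Squid or netfilter, walks the thread's four rules in netfilter's PREROUTING order (the mangle table's chain runs before the nat table's) to show which packets that DROP rule actually catches: a packet still addressed to port 80 passes it and is then DNATed locally, while a packet that the Mikrotik has already DST-NATed to squidIP:8080 arrives with dport 8080 and is dropped. The IP addresses are constructed placeholders, and only the matches those rules use (-s and --dport) are modelled.

```python
# Added example: a toy model of netfilter PREROUTING order for the rule set
# quoted in this thread. Not Squid or netfilter code; it only models -s/--dport
# matching and that mangle PREROUTING (priority -150) runs before nat (-100).
SQUIDIP = "192.0.2.10"   # constructed placeholder; the thread uses X.X.X.X
SQUIDPORT = 8080         # http_port from the quoted squid.conf

# The thread's rules in the order they were added, as (table, match, target).
# The POSTROUTING MASQUERADE rule is omitted: it does not affect PREROUTING.
RULES = [
    ("mangle", {"dport": SQUIDPORT}, ("DROP",)),
    ("nat", {"src": SQUIDIP, "dport": 80}, ("ACCEPT",)),
    ("nat", {"dport": 80}, ("DNAT", SQUIDIP, SQUIDPORT)),
]
TABLE_ORDER = ("mangle", "nat")

def matches(match, pkt):
    return all(pkt.get(key) == value for key, value in match.items())

def prerouting(pkt):
    """Run pkt through mangle then nat PREROUTING; return (verdict, pkt)."""
    pkt = dict(pkt)
    for table in TABLE_ORDER:
        for tbl, match, target in RULES:
            if tbl != table or not matches(match, pkt):
                continue
            if target[0] == "DROP":
                return "DROP", pkt
            if target[0] == "DNAT":
                pkt["dst"], pkt["dport"] = target[1], target[2]
            break  # ACCEPT/DNAT end this table's chain; the next table still runs
    return "ACCEPT", pkt

# Constructed packets as they arrive on the squid box.
PACKETS = {
    # A LAN client reaching the squid box with the original destination intact.
    "client_to_web": {"src": "192.168.1.20", "dst": "203.0.113.5", "dport": 80},
    # The same request after the Mikrotik's DST-NAT to squidIP:8080 (the thread's setup).
    "from_mikrotik": {"src": "192.168.1.20", "dst": SQUIDIP, "dport": SQUIDPORT},
    # Traffic sourced from the proxy IP itself, which the -s rule exempts from DNAT.
    "from_squid_ip": {"src": SQUIDIP, "dst": "203.0.113.5", "dport": 80},
}

def verdicts():
    return {name: prerouting(pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, (verdict, pkt) in verdicts().items():
        print(f"{name:14} -> {verdict:6} dst={pkt['dst']}:{pkt['dport']}")
```

Running it shows the Mikrotik-NATed packet is the one the mangle rule drops, which matches the thread's symptom of requests never being served in intercept mode.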