On 25/06/2015 12:45 p.m., Alex Samad wrote:
> Hi
>
> why this, doesn't this block all traffic getting to the squid port.
> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

All external traffic yes. The NAT interception happens afterward and works.

The point is that NAT intercept MUST only be done directly on the Squid machine. A single external connection being accepted will result in a forwarding loop DoS and the above protects against that.

>
> what I would do to test is run tcpdump on the squid box and capture
> all traffic coming to it on the squid listening port,

IIRC, you can't do that because tcpdump operates before NAT. It will not show you the NAT'ed traffic arriving.

Running Squid with -X or "debug_options ALL,9" would be better. You can see in cache.log what Squid is receiving and what the NAT de-mangling is actually doing.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
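The ordering Amos relies on, written out as an added example that is not part of the thread or of the Squid project's own documentation. It assumes a Squid box that is also the LAN gateway, an intercept port of 3129 (the `http_port ... intercept` port) and a LAN-facing interface named eth1; all three are assumptions, settable through environment variables. The script prints the rules by default (DRY_RUN=1) so the logic can be reviewed on a machine without iptables; setting DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example (not from the thread): Squid interception rules with the
# protective mangle/PREROUTING DROP loaded ahead of the NAT REDIRECT.
SQUIDPORT="${SQUIDPORT:-3129}"   # assumed: the 'http_port 3129 intercept' port
LAN_IF="${LAN_IF:-eth1}"         # assumed: interface the LAN clients sit behind

# Emit the iptables commands in the order they must be loaded.
build_rules() {
    # 1. mangle/PREROUTING is traversed before nat/PREROUTING. A packet that
    #    already carries the intercept port as its destination when it comes
    #    off the wire was never NAT'ed by this box; accepting it would make
    #    Squid treat its own address as the origin and loop. Drop it.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP"
    # 2. Only afterwards rewrite LAN port-80 traffic to the intercept port.
    #    These packets still had dport 80 when mangle ran, so rule 1 never
    #    matched them, which is why interception keeps working.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUIDPORT"
}

# Print (DRY_RUN=1, the default) or execute (DRY_RUN=0) the rules.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
    else
        build_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
    fi
}

# Sanity check a reviewer can run: the DROP must come before the REDIRECT.
drop_precedes_redirect() {
    drop_line=$(build_rules | grep -n -- "-t mangle" | cut -d: -f1)
    nat_line=$(build_rules | grep -n -- "-j REDIRECT" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$nat_line" ] && [ "$drop_line" -lt "$nat_line" ]
}

apply_rules
```

Because tcpdump captures before the NAT rewrite, the REDIRECTed connections show up there with dport 80, not 3129; cache.log with `debug_options ALL,9`, as Amos suggests, is where the post-NAT view lives.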