Aren't squid and nat box different? That was my presumption..

On 25 June 2015 at 19:07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 25/06/2015 12:45 p.m., Alex Samad wrote:
>> Hi
>>
>> Why this? Doesn't this block all traffic getting to the squid port?
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>
> All external traffic yes. The NAT interception happens afterward and works.
>
> The point is that NAT intercept MUST only be done directly on the Squid
> machine. A single external connection being accepted will result in a
> forwarding loop DoS and the above protects against that.
>
>>
>>
>> What I would do to test is run tcpdump on the squid box and capture
>> all traffic coming to it on the squid listening port.
>
> IIRC, you can't do that because tcpdump operates before NAT. It will not
> show you the NAT'ed traffic arriving.
>
> Running Squid with -X or "debug_options ALL,9" would be better. You can
> see in cache.log what Squid is receiving and what the NAT de-mangling is
> actually doing.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
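The rule set the thread is discussing, written out as an added example that is not from the list thread or from Squid's own documentation; the intercept port 3129, the client interface eth1 and the subnet 192.168.1.0/24 are assumed values:

```shell
#!/bin/sh
# Added example, not from the thread: the rules that go with the DROP rule
# discussed above, run on the Squid box itself (not on a separate NAT box).
# Assumed values: Squid listens with "http_port 3129 intercept", clients sit
# on 192.168.1.0/24 behind eth1.
SQUIDPORT="${SQUIDPORT:-3129}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules in the order they must be applied.
#  1. mangle/PREROUTING runs before nat/PREROUTING, so a packet that arrives
#     already addressed to the intercept port (i.e. not NATed on this box)
#     is dropped first. Accepting it would send Squid looking for a NAT
#     original destination that is the proxy itself, which is the
#     forwarding loop Amos describes.
#  2. Real client traffic arrives on port 80 from the LAN side, passes the
#     DROP rule untouched, and is only then redirected to the intercept port.
squid_intercept_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
EOF
}

# Sanity check on a rule listing read from stdin: the DROP on the intercept
# port must come before any REDIRECT into it. Returns 0 when the order is right.
drop_precedes_redirect() {
    awk -v port="$SQUIDPORT" '
        /-t mangle/ && /-j DROP/ && index($0, "--dport " port) { drop = NR }
        /-j REDIRECT/ && index($0, "--to-port " port) { redir = NR }
        END { if (drop && redir && drop < redir) exit 0; exit 1 }'
}

# Print the rules for review; apply them only when APPLY=1 (needs root).
squid_intercept_rules
if [ "${APPLY:-0}" = "1" ]; then
    squid_intercept_rules | sh -e
fi
```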