On Wednesday 04 October 2017 at 13:30:52, Thomas Martin wrote:

> Hello,
>
> I'm having trouble making Squid 3.5.23 work like Squid 3.1.20 does.
>
> Here is my setup:
>
> <clients>    |               <router>                | <squid proxy>
> 10.0.0.Y/24  | 10.0.0.254/24 <-> 10.100.0.254/24 | 10.100.0.100/24
>
> - <router> is:
> -- obviously forwarding packets,
> -- owning the ADSL,
> -- doing the transparent redirection of <clients> to <squid proxy> using NAT:
>
> -A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128

That's your problem.

You're no longer allowed to do the DNAT (or REDIRECT) on anything other than the machine running Squid itself.

See https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and note the emphasis "This configuration is given for use on the squid box."

See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute for how to get the packets correctly from the router to the separate Squid server.

In summary, you need to do policy routing (or any other method at your disposal) to get the packets from the clients to be sent to the Squid server *without* changing their destination address (so, DNAT isn't allowed), and then on the Squid server you use REDIRECT to send them to the Squid listening socket.

Regards,

Antony.

--
https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for talking to yourself.

Please reply to the list; please *don't* CC me.
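The split Antony describes, written out as an added example (not from the thread or the Squid wiki): policy routing on the router leaves the destination address alone, and only the Squid box rewrites it with REDIRECT. The addresses and port come from Thomas's setup; the router interface name "dmz", fwmark 1, routing table 100 and the "http_port 3128 intercept" squid.conf line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the layout Antony describes, as two rule sets.
# Taken from the thread: client net 10.0.0.0/24, Squid box 10.100.0.100, port 3128.
# Assumed: router interface "dmz" towards Squid, fwmark 1, routing table 100.
set -eu

CLIENT_NET="10.0.0.0/24"
SQUID_IP="10.100.0.100"
SQUID_PORT="3128"
DMZ_IF="${DMZ_IF:-dmz}"
FWMARK="${FWMARK:-1}"
TABLE="${TABLE:-100}"

# With DRY_RUN=1 the commands are printed for review instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# On the router: steer client HTTP packets to the Squid box by policy routing.
# There is deliberately no DNAT/REDIRECT here; the destination address must
# survive intact so the Squid box can still see the real origin server.
router_rules() {
  run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
      -j MARK --set-mark "$FWMARK"
  run ip rule add fwmark "$FWMARK" lookup "$TABLE"
  run ip route add default via "$SQUID_IP" dev "$DMZ_IF" table "$TABLE"
}

# On the Squid box: only here is the destination rewritten. REDIRECT records the
# original destination in the local NAT table, which is what Squid's
# "http_port 3128 intercept" listener looks up (squid.conf directive assumed).
squid_box_rules() {
  run iptables -t nat -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$SQUID_PORT"
}

case "${1:-}" in
  router) router_rules ;;
  squid)  squid_box_rules ;;
  *) echo "usage: $0 {router|squid}  (DRY_RUN=1 prints the rules)" >&2 ;;
esac
```

Run it with DRY_RUN=1 on each box first and compare the printed rules against the thread's broken router rule: the DNAT line has no counterpart on the router any more.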