2017-10-04 13:41 GMT+02:00 Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>:
>> - <router> is:
>> -- obviously forwarding packets,
>> -- owning the ADSL,
>> -- doing the transparent redirection of <clients> to <squid proxy> using
>> NAT: -A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m
>> tcp --dport 80 -j ACCEPT
>> -A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp
>> --dport 80 -j DNAT --to-destination 10.100.0.100:3128
>
> That's your problem.
>
> You're no longer allowed to do the DNAT (or REDIRECT) on anything other than
> the machine running Squid itself.
>
> See https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and
> note the emphasis "This configuration is given for use on the squid box."
>
> See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> for how to get the packets correctly from the router to the separate Squid
> server.
>
> In summary, you need to do policy routing (or any other method at your
> disposal) to get the packets from the clients to be sent to the Squid server
> *without* changing their destination address (so, DNAT isn't allowed), and
> then on the Squid server you use REDIRECT to send them to the Squid listening
> socket.
>
>
> Regards,
>
> Antony.
>

I see. So between 3.1 and 3.5 Squid behavior changed and my DNAT is causing
the loops.

I will take a closer look at these URLs.

Thanks a lot for your help and very quick answer!

Regards,

Thomas.
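
The split Antony describes (policy routing on the router, REDIRECT on the Squid box), as an added example that is not part of the original thread or taken from either poster. It only prints the commands for review; the Squid address, port and `dmz` interface come from the thread, while the mark value 3, routing table 2 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: prints the rules for both machines, applies nothing.
SQUID_IP=10.100.0.100   # from the thread
SQUID_PORT=3128         # from the thread
ROUTER_DEV=dmz          # router interface facing the Squid box (from the thread)
MARK=3                  # assumption: unused fwmark value on the router
TABLE=2                 # assumption: unused routing table number on the router

# Router: no NAT. Mark client port-80 traffic and route it to the Squid box
# with its original destination address intact. Squid's own outbound
# requests are accepted first so they are not routed back to Squid.
router_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE
ip route add default via $SQUID_IP dev $ROUTER_DEV table $TABLE
EOF
}

# Squid box: the only place where the destination is rewritten. The mangle
# DROP rejects packets sent straight to the intercept port; redirected
# traffic is unaffected because it still has dport 80 at that stage.
# squid.conf must declare the port as: http_port 3128 intercept
squid_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# Audit helper: reads rules (iptables-save style) on stdin and prints any
# port-80 DNAT rule, i.e. the router-side rewrite the reply says to remove.
find_dnat80() {
    grep -E -- '--dport 80 .*-j DNAT' || true
}

echo "# --- router ---";    router_rules
echo "# --- squid box ---"; squid_rules
```

On the router, `iptables-save -t nat | find_dnat80` should print nothing once the old DNAT rule has been removed.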