On Monday 27 August 2018 at 16:04:16, zo_av wrote:

> I'm trying to redirect all of my subnet traffic to a transparent squid
> proxy using iptables on the router gateway (the squid proxy is located in
> the LAN).

So long as you use policy routing for this, and not address translation, it's
possible.

> I can browse sites that are https but can't access http sites, the error
> that appears in the browser "ERR_EMPTY_RESPONSE"
>
> also I got these errors in the cache.log file:
> NF getsockopt(ORIGINAL_DST) failed on local=192.168.0.110:3129
> NAT/TPROXY lookup failed to locate original IPs on local=192.168.0.110:3129

Sounds like you're using NAT and not routing :(

> I'm using:
> Squid version: 3.5.27
> The iptables lines that we used for the redirection:
> 192.168.0.110:3129 - the squid box port+IP. 192.168.0.1 - the router's IP.
>
> iptables:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
> 192.168.0.110:3129
>
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.110 --dport 3129 -j SNAT
> --to-source 192.168.0.1

Nope; won't work.

> squid.conf
>
> These are the lines that we have changed/added to the squid.conf:
>
> acl localnet src 192.168.0.0/24
>
> http_access allow localnet
> http_port 3128
> http_port 3129 intercept

Please see https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
be aware of the NOTE: NAT configuration will only work when used *on* the
squid box.

https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
will help you with the setup you need in your situation.

Regards,

Antony.

--
The lottery is a tax for people who can't do maths.

Please reply to the list; please *don't* CC me.
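The split Antony describes (policy routing on the router, NAT only on the Squid host), written out as an added example using the addresses from the question; this is not code from the post or from the Squid wiki pages. It assumes the router's LAN interface is eth0, the fwmark/table numbers are arbitrary, and Squid listens with `http_port 3129 intercept`; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: policy routing on the gateway, local REDIRECT on the Squid box.
# Assumed: router 192.168.0.1 (LAN side eth0), Squid box 192.168.0.110:3129.
set -eu

LAN_IF="${LAN_IF:-eth0}"   # router's LAN-facing interface (assumption)
SQUID_IP="192.168.0.110"
SQUID_PORT="3129"
MARK=3                      # arbitrary fwmark value
TABLE=2                     # arbitrary policy-routing table id

# Execute the command, or just print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# On the router: no DNAT/SNAT at all. Mark client port-80 packets (never the
# Squid box's own, or they would loop back) and send marked packets to the
# Squid box as next hop. Client source and real destination IPs are kept, so
# Squid's NAT/ORIGINAL_DST lookup has something to find on its own host.
router_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        ! -s "$SQUID_IP" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# On the Squid box: the only NAT happens here, locally, which is the case the
# LinuxDnat NOTE allows. Also keep the intercept port reachable from the LAN
# only, so nothing outside can talk to port 3129 directly.
squid_box_rules() {
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -A INPUT -p tcp --dport "$SQUID_PORT" -s 192.168.0.0/24 -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

case "${1:-}" in
    router)    router_rules ;;
    squid-box) squid_box_rules ;;
esac
```

Run `sh script.sh router` on the gateway and `sh script.sh squid-box` on the Squid host; with DRY_RUN=1 each side prints its rule set for review before anything is applied.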