Re: [squid-users] Squid transparent proxy and bridge question

From: Henrik Nordstrom <[email protected]>
Date: Wed, 24 Mar 2004 22:34:50 +0100 (CET)

On Wed, 24 Mar 2004, Matthew Tanase wrote:

> A couple of things since my initial post. I verified the machine does
> indeed have DNS access (I can ping hosts), so that shouldn't be a
> problem. I had to use "iptables -t nat -A PREROUTING -p tcp --dport 80
> -j DNAT squidbox:3128" to get Squid working, not sure why. Now however,
> everything is denied with TCP_MISS 504/503 errors - is this an ACL
> problem or iptables?

Most likely a squid.conf problem, not ACLs. The details depend on what the
error message sent to the clients says.

For a start, see the FAQ on how to configure Squid for transparent proxying.

> My other question - why the POSTROUTING - I already have the PREROUTING.

DNAT/REDIRECT must be used in PREROUTING. It cannot be used in POSTROUTING.

> And why isn't REDIRECT working, it's my understanding that DNAT is
> REDIRECT, but you have to specify a host...

REDIRECT is a specific version of DNAT, grabbing the destination IP
address from the interface the packet was received on instead of having it
specified in the target.

Most likely REDIRECT gets confused about which interface to grab the
destination IP address from in the bridge.

Regards
Henrik
Received on Wed Mar 24 2004 - 14:34:53 MST
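As an added example (not part of Henrik's reply or of the Squid project), a small POSIX sh script that prints the PREROUTING rule in either the REDIRECT or the explicit DNAT form discussed above, and checks iptables-save style output for DNAT/REDIRECT rules left in POSTROUTING, the placement the reply rules out. The interface name br0, the proxy address 192.0.2.10 and the sample rule dump are constructed.

```shell
#!/bin/sh
# Added example: build the nat rule for transparent Squid and audit a rule
# dump for DNAT/REDIRECT in the wrong chain. All names/addresses constructed.

# Print the nat rule that steers client port-80 traffic to Squid.
# "redirect" lets REDIRECT pick the receiving interface's address;
# "dnat" names the proxy explicitly, which sidesteps REDIRECT having to
# guess the interface address on a bridge.
squid_nat_rule() {
    mode=$1 iface=$2 proxy_ip=$3 proxy_port=${4:-3128}
    case $mode in
        redirect) printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$iface" "$proxy_port" ;;
        dnat)     printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' "$iface" "$proxy_ip" "$proxy_port" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Read iptables-save style lines on stdin and print every DNAT/REDIRECT
# rule that is not in a chain where the kernel applies it (PREROUTING,
# or OUTPUT for locally generated traffic). Returns 1 if any were found.
check_nat_rules() {
    bad=0
    while IFS= read -r line; do
        case $line in
            "-A PREROUTING "*|"-A OUTPUT "*) ;;
            "-A "*" -j DNAT"*|"-A "*" -j REDIRECT"*)
                echo "misplaced: $line"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample dump: one correct rule, one DNAT rule in POSTROUTING.
SAMPLE_RULES='*nat
-A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3128
COMMIT'

squid_nat_rule dnat br0 192.0.2.10
if printf '%s\n' "$SAMPLE_RULES" | check_nat_rules; then
    echo "nat rules ok"
else
    echo "fix: move the DNAT/REDIRECT rule into PREROUTING"
fi
```

On a live box the same audit runs as `iptables-save -t nat | check_nat_rules`.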