Re: [squid-users] Testing transparent squid in VM

From: Amos Jeffries
Date: Wed, 30 Apr 2008 23:42:02 +1200

Wundy wrote:
> Amos Jeffries-2 wrote:
>> You should be able to use just:
>> iptables -t nat -A PREROUTING -s ! -p tcp --dport 80 -j
>> REDIRECT --to-port 3128
>> iptables -t nat -A POSTROUTING -j MASQUERADE
> At this point I have added the iptables command :
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j
> REDIRECT --to-port 3128
> iptables -t nat -A POSTROUTING -j MASQUERADE
> but it does nothing so far.

The "-s !" is important (assuming squid is running on to block forwarding loops. ie probably those timeouts you
mention squid having.

> Amos Jeffries-2 wrote:
>> squid.conf:
>> http_port 3128 transparent
> In my squid.conf I haven't adjusted many things. You can look at it here,
> should there be any more problems.
> squid.conf
> I did however have to enable ip4_forward since that was off.
> I'm not that familiar with my debian distro so stuff like that is helpful

Ah forwarding. That kicked me the other day when a kernel upgrade turned
it off.

Check your run-time settings: /proc/sys/net/ipv4/ip_forward should be '1'
   ( echo 1 >/proc/sys/net/ipv4/ip_forward )

The persistent settings are in /etc/sysctl.conf

NAT might do with a check as well.
   lsmod - look for something matching: *_nat

> at this point squid behaves as follows:
> the browser without proxy settings does not find squid and doesn't give a
> web page.
> if I point the browser towards the proxy server then any address I open
> loads VERY VERY slowly and times out after a few mins.
> Amos Jeffries-2 wrote:
>> If that still won't work:
>> - Ensure that your squid has ONLY one transparent option
>> (--enable-linux-netfilter) configured.
>> - Check that squid is receiving requests (access.log or cache.log)
>> - Check squid has access outbound (usually cache.log)
>> - Check whether NAT is failing (cache.log)
> squid is receiving requests if I point the browser to the proxy server,
> otherwise nothing.

Okay, so this may seem simple but is port-80 traffic from the browser
even going through the squid box naturally?

Take a look at the routing table on the browser's machine
and check. The default gateway is the machine all its traffic goes
through. That should be either the squid machine itself or another which
has been set up to route the port-80 traffic as squid properly.


Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Received on Wed Apr 30 2008 - 11:41:26 MDT
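
The checks suggested in this message (forwarding enabled, a *_nat module loaded, a port-80 REDIRECT rule carrying the "-s !" source exclusion), as an added shell example that is not part of the original post. It runs on constructed sample files; the function names, file names and the 192.0.2.10 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Each check reads a file, so it
# can be pointed at live paths or at saved command output.

# ip_forward must contain 1 for the box to route the clients' traffic.
check_forwarding() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Saved `lsmod` output should list a module matching *_nat.
check_nat_module() {
    awk 'NR > 1 && $1 ~ /_nat$/ { found = 1 } END { exit !found }' "$1"
}

# Classify port-80 REDIRECT rules in saved `iptables-save` output:
#   missing              no PREROUTING redirect to the proxy port
#   no-source-exclusion  a redirect without a negated source match ("-s !")
#   ok                   every redirect carries a negated source match
# Only the presence of the exclusion is checked, not which address it names.
classify_redirect() {
    awk -v port="${2:-3128}" '
        $1 == "-A" && $2 == "PREROUTING" && / --dport 80 / && / -j REDIRECT / {
            if ($0 !~ (" --to-ports? " port "( |$)")) next
            if (/ ! -s / || / -s ! /) guarded++
            else bare++
        }
        END {
            if (!guarded && !bare) print "missing"
            else if (bare) print "no-source-exclusion"
            else print "ok"
        }' "$1"
}

# Constructed sample input (192.0.2.10 is a documentation address).
SAMPLES=$(mktemp -d)
echo 1 > "$SAMPLES/ip_forward"
printf 'Module Size Used by\niptable_nat 16384 1\n' > "$SAMPLES/lsmod"
cat > "$SAMPLES/bare.rules" <<'EOF'
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
sed 's/PREROUTING -p/PREROUTING ! -s 192.0.2.10\/32 -p/' \
    "$SAMPLES/bare.rules" > "$SAMPLES/guarded.rules"

check_forwarding "$SAMPLES/ip_forward" && echo "forwarding: on"
check_nat_module "$SAMPLES/lsmod" && echo "nat module: loaded"
echo "bare rule:    $(classify_redirect "$SAMPLES/bare.rules")"
echo "guarded rule: $(classify_redirect "$SAMPLES/guarded.rules")"
```

On a live box the same functions take /proc/sys/net/ipv4/ip_forward and files holding the output of lsmod and iptables-save.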
