[squid-users] Non-transparent port works, transparent doesn't

From: zozo zozo <flam4_at_mail.ru>
Date: Tue, 18 Oct 2011 04:01:09 +0400

I'm trying to make squid work as transparent proxy on CentOS, squid ver is 3.2.0.12, with ecap enabled.
The problem is that squid doesn't work on transparent port and responds on non-transparent port.

I've simplified the configuration as much as possible to exclude access errors.
Here's my squid.conf:

http_port 13128 intercept
http_port 13129
acl our_networks src 1.2.3.0/24
acl localnet src 127.0.0.1/24
http_access allow all
http_access allow our_networks
http_access allow localnet

cache_mem 0 MB
cache deny all

#end of squid.config

1.2.3.0 is my client IP, but I do stuff on the server and it shouldn't matter since "allow all". I tried both "intercept" and "transparent".
With this config squid works on 13129: I check it by telnet 127.0.0.1 13129, then GET, and I get the HTML of the squid error page, which means squid is alive and listening. Also, a browser request from my client machine outside is served.
But when I telnet 127.0.0.1 13128, a curious thing happens:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

That is, the port is listened on and the connection happens, but it's closed immediately. Same if I use an IP other than 127.0.0.1.

I have been able to configure squid as a transparent proxy on Ubuntu and Ubuntu Server, but now the staging environment has CentOS, and I've been fighting it for several days now.
Just in case, I'm also attaching my iptables.

[root_at_host13516 etc]# iptables-save
# Generated by iptables-save v1.3.5 on Tue Oct 18 03:52:54 2011
*mangle
:PREROUTING ACCEPT [1490:127866]
:INPUT ACCEPT [1490:127866]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1391:507115]
:POSTROUTING ACCEPT [1391:507115]
COMMIT
# Completed on Tue Oct 18 03:52:54 2011
# Generated by iptables-save v1.3.5 on Tue Oct 18 03:52:54 2011
*filter
:INPUT ACCEPT [1490:127866]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1391:507115]
COMMIT
# Completed on Tue Oct 18 03:52:54 2011

Maybe it's something about how squid was compiled? But I thought iptables support is enabled by default.

I humbly ask for help.
Received on Tue Oct 18 2011 - 00:01:17 MDT
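An added check for the symptom described above (not part of the original post): Squid's intercept port only serves connections the kernel has NAT-redirected, because the original destination is read from the NAT state, and the iptables-save output above contains no *nat table at all. The script parses an iptables-save dump and reports whether any nat rule redirects traffic to the given port; both dumps are constructed, one modelled on the poster's and one with a REDIRECT rule.

```shell
#!/bin/sh
# Added check: does any nat-table rule actually send traffic to the intercept port?
# Squid's intercept mode learns the original destination from the kernel's NAT state,
# so without a REDIRECT/DNAT rule a connection to that port is closed right away.
# Both dumps are constructed: one modelled on the poster's (no *nat table),
# one with a working REDIRECT rule.
DUMP_NO_NAT='*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT'

DUMP_REDIRECT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 1.2.3.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 13128
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT'

# intercept_nat_check PORT < iptables-save-output
# exit 0: a nat rule redirects to PORT; 1: nat table but no such rule; 2: no nat table
intercept_nat_check() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2); if (table == "nat") seen_nat = 1 }
        table == "nat" && /-j REDIRECT/ && $0 ~ ("--to-ports " port "([^0-9]|$)") { hit = $0 }
        table == "nat" && /-j DNAT/     && $0 ~ (":" port "([^0-9]|$)")            { hit = $0 }
        END {
            if (!seen_nat) { print "no *nat table: nothing redirects traffic to port " port; exit 2 }
            if (hit == "") { print "nat table present, but no REDIRECT/DNAT to port " port; exit 1 }
            print "redirect rule found: " hit
        }'
}

echo "poster-style dump:"; printf '%s\n' "$DUMP_NO_NAT"   | intercept_nat_check 13128 || :
echo "with REDIRECT:";     printf '%s\n' "$DUMP_REDIRECT" | intercept_nat_check 13128 || :
```

On the real box, run it as `iptables-save | intercept_nat_check 13128`; telnet straight to the intercept port is not a valid test, since that connection never passes through the REDIRECT rule.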
