Re: [squid-users] Non-transparent port works, transparent doesn't

From: Pieter De Wit <pieter_at_insync.za.net>
Date: Tue, 18 Oct 2011 13:05:07 +1300 (NZDT)

Hi,

Maybe I am missing it, but where is the rule to REDIRECT port 80 to 13128
in iptables?

Cheers,

Pieter

On Tue, 18 Oct 2011, zozo zozo wrote:

> I'm trying to make squid work as transparent proxy on CentOS, squid ver is 3.2.0.12, with ecap enabled.
> The problem is that squid doesn't work on transparent port and responds on non-transparent port.
>
> I've simplified the configuration as much as possible to exclude access errors.
> Here's my squid.conf:
>
> http_port 13128 intercept
> http_port 13129
> acl our_networks src 1.2.3.0/24
> acl localnet src 127.0.0.1/24
> http_access allow all
> http_access allow our_networks
> http_access allow localnet
>
> cache_mem 0 MB
> cache deny all
>
> #end of squid.config
>
> 1.2.3.0 is my client IP, but I do stuff on server and it shouldn't matter since "allow all". I tried both "intercept" and "transparent".
> With this config squid works on 13129 - I check it by telnet 127.0.0.1 13129, then GET - I get html of squid error page, which means squid is alive and listening. Also browser request from my client machine from outside is served.
> But when I telnet 127.0.0.1 13128, a curious thing happens:
>
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> That is, port is listened to and connection happens, but it's closed immediately. Same if I use other IP than 127.0.0.1.
>
> I have been able to configure squid as transparent proxy on Ubuntu and Ubuntu server, but now staging environment has CentOS, and I've been fighting it for several days now.
> Just in case I'm also attaching iptables.
>
> [root_at_host13516 etc]# iptables-save
> # Generated by iptables-save v1.3.5 on Tue Oct 18 03:52:54 2011
> *mangle
> :PREROUTING ACCEPT [1490:127866]
> :INPUT ACCEPT [1490:127866]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1391:507115]
> :POSTROUTING ACCEPT [1391:507115]
> COMMIT
> # Completed on Tue Oct 18 03:52:54 2011
> # Generated by iptables-save v1.3.5 on Tue Oct 18 03:52:54 2011
> *filter
> :INPUT ACCEPT [1490:127866]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1391:507115]
> COMMIT
> # Completed on Tue Oct 18 03:52:54 2011
>
>
> Maybe it's something about how squid was compiled? But I thought iptables support is enabled by default.
>
> I humbly ask for help.
>
>
Received on Tue Oct 18 2011 - 00:05:19 MDT
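
The check that the reply's question implies, as an added example that is not part of either message: list the http_port entries flagged intercept or transparent in squid.conf and confirm that a REDIRECT rule in the nat table of the iptables-save output targets each one. The function names are hypothetical, the sample inputs are constructed from the configuration quoted above, and the port 80 rule in the second ruleset is constructed from the ports named in the reply.

```python
import re

# Constructed samples modelled on the squid.conf and iptables-save output in the post.
SQUID_CONF = "http_port 13128 intercept\nhttp_port 13129\n"
IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [1490:127866]
COMMIT
*filter
:INPUT ACCEPT [1490:127866]
COMMIT
"""
# Constructed: the same ruleset plus the kind of nat rule the reply asks about.
IPTABLES_SAVE_WITH_NAT = IPTABLES_SAVE + """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 13128
COMMIT
"""

def intercept_ports(squid_conf):
    """Ports of http_port lines that carry the intercept or transparent flag."""
    ports = set()
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_port" \
                and {"intercept", "transparent"} & set(fields[2:]):
            ports.add(int(fields[1].rsplit(":", 1)[-1]))  # accepts addr:port too
    return ports

def redirect_targets(iptables_save):
    """Map REDIRECT target port -> [(chain, matched dport)] from the *nat table only."""
    targets, table = {}, None
    for line in iptables_save.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*nat", "*filter", ... opens a table section
        elif table == "nat" and line.startswith("-A ") and "-j REDIRECT" in line:
            to = re.search(r"--to-ports? (\d+)", line)
            dport = re.search(r"--dport (\d+)", line)
            if to:
                entry = (line.split()[1], dport.group(1) if dport else None)
                targets.setdefault(int(to.group(1)), []).append(entry)
    return targets

def unfed_intercept_ports(squid_conf, iptables_save):
    """Intercept ports that no nat REDIRECT rule delivers traffic to."""
    return sorted(intercept_ports(squid_conf) - set(redirect_targets(iptables_save)))

if __name__ == "__main__":
    print(unfed_intercept_ports(SQUID_CONF, IPTABLES_SAVE))
    print(unfed_intercept_ports(SQUID_CONF, IPTABLES_SAVE_WITH_NAT))
```

On a live host, pass in the contents of squid.conf and the output of iptables-save instead of the constructed strings.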
