Re: [squid-users] squid 3.2.0.18 transparent nat interception

From: Pawel Mojski <pawcio_at_pawcio.net>
Date: Thu, 30 Aug 2012 12:23:35 +0200

On 30-Aug-12 11:13, Eliezer Croitoru wrote:
> As I said, you must change the DNAT rule and be more explicit because
> it will cause a loop: when squid tries to read port 80 it will be
> DNATed to itself.
> Since these squid versions you are talking about are at my sleeve, it
> must be the reason.
Eliezer,

As I mentioned before, the problem isn't on the gateway or in the redirection.
The problem is in the new implementation of the "transparent" proxy type in
squid 3.2.

In version 3.1, when a client connected to the transparent port, squid read
the Host: header, then resolved the hostname to an IP address and connected to
the resolved IP address.
In version 3.2, squid reads the destination address from the TCP SYN packet, then
connects to this IP address.

So, when transparent is implemented as "REDIRECT", squid receives the original
TCP SYN packet and has the original destination address, so squid is able
to connect to the original destination server.
When transparent is implemented as "DNAT", the original destination address
is replaced by the DNAT address, and the DNAT address is a squid address, so squid
is trying to connect to itself.

And that's why I have a problem. I have to force squid to use the old (like
in 3.1) transparent connection mechanism.
For the moment I bypassed the problem using proxy chaining. I installed
squid 3.1 as well. Squid 3.2 listens on port 8080 and squid 3.1 listens
on port 8081 in "transparent" mode with squid 3.2 on 127.0.0.1:8080 as
cache_peer.

But this is an ugly solution because I need to have two squid instances and
proxy chaining, which is never good for latency.

Regards;
Pawel
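An added example (not from this thread and not Squid's own code) of the destination-recovery step Pawel describes: on Linux an intercepting proxy can ask conntrack for the pre-NAT destination with SO_ORIGINAL_DST, and before forwarding it should check that this address is not one of its own listeners (the loop case above) and that it agrees with what the Host: header resolves to. The function names, listener list, resolver stub and sample sockaddr_in bytes are constructed for illustration; the getsockopt call itself only returns something on a real intercepted Linux socket.

```python
import socket
import struct

# Linux netfilter constant from <linux/netfilter_ipv4.h>; not portable.
SOL_IP = 0
SO_ORIGINAL_DST = 80

def parse_sockaddr_in(raw: bytes):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST:
    sa_family (u16, host order), sin_port (u16, network order),
    sin_addr (4 bytes), then zero padding. Returns (ip, port)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port

def original_destination(conn: socket.socket):
    """Pre-NAT destination of an accepted intercepted connection (what
    Squid 3.2 uses instead of trusting the Host: header). Linux only."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))

def is_self_loop(orig_dst, listeners):
    """True when the recovered destination is one of our own listeners:
    a DNAT box already rewrote the packet before it reached this host,
    so forwarding would reconnect to ourselves (the loop in the thread)."""
    ip, port = orig_dst
    return any(lport == port and lip in ("0.0.0.0", ip) for lip, lport in listeners)

def host_matches_destination(host_header, orig_ip, resolver=None):
    """True when the Host: header (port stripped; IPv6 literals not handled)
    resolves to the address the client actually connected to."""
    resolver = resolver or (lambda h: socket.gethostbyname_ex(h)[2])
    hostname = host_header.split(":")[0]
    try:
        return orig_ip in resolver(hostname)
    except OSError:
        return False

def forwarding_decision(orig_dst, listeners, host_header, resolver=None):
    """The checks an interceptor makes before opening the upstream connection."""
    if is_self_loop(orig_dst, listeners):
        return "reject: forwarding loop to own listener"
    if not host_matches_destination(host_header, orig_dst[0], resolver):
        return "reject: Host header does not match original destination"
    return "forward to %s:%d" % orig_dst

# Constructed sample: sockaddr_in for 198.51.100.10:80 as the kernel returns it.
SAMPLE_ORIG_DST = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
                   + socket.inet_aton("198.51.100.10") + bytes(8))
```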
Received on Thu Aug 30 2012 - 10:23:48 MDT