Re: [squid-users] Fw:Re: [squid-users] squid transparent nat interception

From: Amos Jeffries <>
Date: Fri, 31 Aug 2012 13:41:48 +1200

On 31/08/2012 7:07 a.m., Eliezer Croitoru wrote:
> On 8/30/2012 1:23 PM, Pawel Mojski wrote:
> > And that's why I have a problem. I have to force squid to use old (like
> > in 3.1) transparent connection mechanism.
> > For the moment I bypassed the problem using proxy chaining. I installed
> > squid 3.1 also. Squid 3.2 listening on port 8080 and squid 3.1
> listening
> > on 8081 port in "transparent" mode with squid 3.2 on as
> > cache_peer.
> it's pretty weird.
> i have squid 3.2.1 with the same setup but no the problem.
> the proxy is the gw and i use redirect.. all requests works..
> what does your squid.conf contains?
> what do you have exactly in your iptables?(all rules).

Pawl started his problem description with "on the gateway". Which is a
phrase usually only used by people with separate gateway and Squid
devices. Meaning he very probably is doing NAT on packets outdside of
the Squid box - the #1 side effect of doing things that way is the SYN
packet problem he described.

NAT creates a lie in the packet headers. The gateway box is lying to
Squid box about where the packets are destined. Squid now operates
transparently (when possible) "believes" that lie and sends the request
there, just like any bridge or switch would if the proxy were turned off.

Received on Fri Aug 31 2012 - 01:41:58 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 31 2012 - 12:00:06 MDT