Re: [squid-users] Fw:Re: [squid-users] squid transparent nat interception

From: Pawel Mojski
Date: Fri, 31 Aug 2012 13:57:08 +0200

On 31-Aug-12 03:41, Amos Jeffries wrote:
> Pawel started his problem description with "on the gateway". Which is a
> phrase usually only used by people with separate gateway and Squid
> devices. Meaning he very probably is doing NAT on packets outside of
> the Squid box - the #1 side effect of doing things that way is the SYN
> packet problem he described.
> NAT creates a lie in the packet headers. The gateway box is lying to
> Squid box about where the packets are destined. Squid now operates
> transparently (when possible) "believes" that lie and sends the
> request there, just like any bridge or switch would if the proxy were
> turned off.

Thanks, Amos, for the detailed answer.

Because I want to make my squid publicly available over the internet (with auth,
of course), I have to allow other users to create:

  iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to my.public.ip.address:8081

on their own routers. I have no other way than proxy chaining
squid3.1->squid3.2.

Pawel Mojski
Received on Fri Aug 31 2012 - 11:57:25 MDT

