Hi,
I want to set up an interception proxy with DNAT using squid 3.2.7.
My squid.conf is
acl trusted src x.x.x.x y.y.y.y
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow trusted
http_access allow localhost
http_access deny all
http_port 0.0.0.0:8888
http_port 0.0.0.0:8128 intercept
hierarchy_stoplist cgi-bin ?
debug_options ALL,1
coredump_dir /var/spool/squid3
cache deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access Proxy-Connection deny all
request_header_access X-Forwarded-For deny all
request_header_access Connection deny all
request_header_access Via deny all
forwarded_for off
I've set up the iptables and sysctl.conf as described in http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
$ iptables -t nat --list-rules
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s 209.141.35.219/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 209.141.35.219:8128
-A POSTROUTING -j MASQUERADE
$ iptables -t mangle --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 8128 -j DROP
In my client network, I've set up a dnsmasq to redirect the hosts that I want to proxy to the squid box.
However, when I call one of the hosts, e.g. www.example.org, I get
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://example.org/
Connection to <squid-ip> failed.
The system returned: (111) Connection refused
----
Squid was configured with:
Squid Cache: Version 3.2.7
configure options: '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline' '--enable-async-io=8' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--enable-linux-netfilter' '--enable-ssl' '--with-default-user=proxy' '--enable-ltdl-convenience'

I appreciate your help!

Cheers
Marcel

Received on Tue Feb 05 2013 - 22:43:56 MST
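The check below is an added example, not code from the original post or from the Squid project. It reproduces on paper what an `intercept` port does with a DNAT'ed connection: Squid (built with `--enable-linux-netfilter`, as in the configure options above) forwards to the pre-DNAT destination that netfilter recorded, not to whatever the Host header resolves to. The function parses nat rules of the shape shown in the post and reports where an intercepted connection would be sent given the address the client resolved. It assumes 209.141.35.219 is the squid box (the `--to-destination` host in the post) and uses 192.0.2.10 as a constructed stand-in for a real web server; the rule text is a constructed copy of the post's `iptables -t nat --list-rules` output.

```shell
#!/bin/sh
# Added example: predict the original destination Squid sees for an
# intercepted connection and flag the case where it is the proxy itself.

# Constructed sample input, same shape as `iptables -t nat --list-rules`
# in the post. Assumption: 209.141.35.219 is the squid box.
NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s 209.141.35.219/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 209.141.35.219:8128
-A POSTROUTING -j MASQUERADE'

# dnat_target "<rules>" <dport>
# Print the host:port that a PREROUTING DNAT rule sends <dport> to,
# or nothing if there is no such rule.
dnat_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
            dp = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dp = $(i + 1)
                if ($i == "--to-destination") to = $(i + 1)
            }
            if (dp == port) { print to; exit }
        }'
}

# original_dst <client_resolved_ip>
# In intercept mode Squid opens the connection to the pre-DNAT destination
# reported by netfilter (SO_ORIGINAL_DST), i.e. whatever IP the client's
# resolver handed it, on port 80.
original_dst() {
    printf '%s:80\n' "$1"
}

# verdict "<rules>" <client_resolved_ip>
# Prints "no-dnat" if port 80 is not being redirected, "loop" if Squid would
# connect back to its own address (nothing listens there on :80, which is
# what "Connection to <squid-ip> failed ... (111) Connection refused" shows),
# or "forward:<ip>:80" when the original destination is a real server.
verdict() {
    target=$(dnat_target "$1" 80)
    [ -n "$target" ] || { echo "no-dnat"; return 0; }
    proxy_ip=${target%:*}
    dst=$(original_dst "$2")
    if [ "${dst%:*}" = "$proxy_ip" ]; then
        echo "loop"
    else
        echo "forward:$dst"
    fi
}

# Client's dnsmasq pointed www.example.org at the squid box (post's setup):
verdict "$NAT_RULES" 209.141.35.219
# Client resolved the real server and the squid box is on the routed path
# (constructed address 192.0.2.10):
verdict "$NAT_RULES" 192.0.2.10
```

On a live system the two inputs come from `getent hosts www.example.org` on a client and `iptables -t nat --list-rules` on the proxy; if the resolved address is one of the proxy's own addresses, the intercepted request can only ever be forwarded back to the proxy.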