Re: [squid-users] RE: Squid 3.3 WARNING: Forwarding loop detected for:

From: Amos Jeffries <>
Date: Thu, 04 Apr 2013 15:56:06 +1300

On 4/04/2013 3:16 a.m., Ewan Sadie wrote:
> I am new to iptables so I tried the following.
> I changed the listening port on the proxy to 3127, so that I do not need to change the DNAT on the router.
> The router does a DNAT to 3128.

What you have done:

  Router receives a packet saying:
   client connect to website
   router NAT removes and adds

  Squid box receives a packet saying:
   client connect to website
   Squid box NAT removes and adds

  Squid receives packet saying:
   client connect to website
   the box NAT system informs Squid the packet destination was

  ... there is a result. NAT is working perfectly fine *on the Squid
box*. So failure warnings do not appear.

But where does Squid connect?

The HTTP Host: header cannot be trusted much in interception mode. Squid-3.2
and later will verify that the IP address NAT delivered
belongs to the Host: header domain before allowing the Host: header to
be used. When it fails (as it will fail 100% on your system) Squid will
be transparent and pass the request on to the same place the client was

On your system Squid is transparently relaying the intercepted traffic
to the web server it is being told exists at

Routers need to *route* the port 80 traffic to the Squid box *without*
using NAT.

> I then ran the following command on the Squid server, iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3127
> I now do not see the forward loop errors any more but I do get TCP_MISS/503
> I can still browse via the proxy by connecting to port 8080 so I know there are no rules blocking me.
> The fact that I get results in the access.log indicates to me that the redirection is happening.
> -----Original Message-----
> From: Ewan Sadie
> Hi All
> Did the handling of intercept change since Squid 3.2.x?
> Based on this article, it seems that you have to do a redirect on the Squid box itself as well as on the router.
> Is this the case? I do not want to over complicate the setup with an additional firewall as well.

Switch "as well as" for "instead of" and you will have the right idea.
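The following is an added illustration, not part of the thread and not Squid's code. It models the rule Amos describes (Squid 3.2+ uses the Host: header only when the NAT-delivered destination IP belongs to that domain, and otherwise relays to the NAT destination) for the three setups discussed: router DNAT with no NAT on the Squid box (the original forwarding loop), router DNAT plus a local REDIRECT 3128->3127 (the TCP_MISS/503 case, because the box's NAT table names the Squid box itself as the destination), and the recommended layout where the router only routes port 80 toward the Squid box and the box's own REDIRECT (for instance `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3127` with `http_port 3127 intercept`) records the real origin. The addresses, ports, setup names and DNS table are constructed assumptions.

```python
"""Model of where Squid 3.2+ in intercept mode forwards a request, for the three
setups discussed in this thread. Added illustration, not Squid's code: the
addresses, ports, setup names and DNS table are constructed assumptions."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed addresses (assumptions, not taken from the thread).
CLIENT = "192.168.1.50"
SQUID_BOX = "192.168.1.10"
WEB_SERVER = "203.0.113.80"
SQUID_PORT = 3127   # port Squid listens on in the poster's second setup
DNAT_PORT = 3128    # port the router's DNAT rule targets

# Constructed DNS table: the addresses Squid would resolve a Host: header to.
DNS = {"www.example.com": {WEB_SERVER}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    host: str  # HTTP Host: header carried in the payload


def router_dnat(pkt: Packet) -> Packet:
    """Router DNATs port-80 traffic to the Squid box. The real destination now
    lives only in the router's NAT table, which Squid cannot query."""
    return replace(pkt, dst=SQUID_BOX, dport=DNAT_PORT)


def router_route(pkt: Packet) -> Packet:
    """Router forwards the packet unchanged, with the Squid box as next hop."""
    return pkt


def squid_box_redirect(pkt: Packet, match_port: int, to_port: int
                       ) -> Tuple[Packet, Optional[Tuple[str, int]]]:
    """iptables REDIRECT on the Squid box for packets to match_port. The box's
    own NAT table records the pre-NAT destination, which Squid can read back."""
    if pkt.dport != match_port:
        return pkt, None  # rule did not match: no NAT entry for Squid to find
    return replace(pkt, dst=SQUID_BOX, dport=to_port), (pkt.dst, pkt.dport)


def squid_decide(pkt: Packet, nat_dst: Optional[Tuple[str, int]]) -> Tuple[str, str, int]:
    """Squid 3.2+ intercept rule as described in the thread: use Host: only if
    the NAT-delivered destination IP belongs to that domain; otherwise relay the
    request transparently to the NAT destination. With no NAT entry, the
    packet's own destination is all Squid has."""
    dst_ip, dst_port = nat_dst if nat_dst else (pkt.dst, pkt.dport)
    if dst_ip in DNS.get(pkt.host, set()):
        return ("host-verified", pkt.host, dst_port)
    return ("nat-destination", dst_ip, dst_port)


def outcome(decision: Tuple[str, str, int], listening_port: int) -> str:
    """Classify what happens when Squid opens the upstream connection."""
    kind, target, port = decision
    if kind == "host-verified":
        return "ok"                  # request reaches the origin server
    if target == SQUID_BOX and port == listening_port:
        return "forwarding-loop"     # Squid connects back to itself
    if target == SQUID_BOX:
        return "tcp-miss-503"        # nothing listens on that port any more
    return "relayed"


def simulate(setup: str) -> str:
    client_pkt = Packet(CLIENT, WEB_SERVER, 80, "www.example.com")
    if setup == "router-dnat":
        # First setup: Squid on 3128, router DNATs to 3128, no NAT on the box.
        pkt, nat_dst, listening = router_dnat(client_pkt), None, DNAT_PORT
    elif setup == "router-dnat+local-redirect":
        # Second setup: Squid on 3127, router DNATs to 3128, box REDIRECTs 3128->3127.
        pkt, nat_dst = squid_box_redirect(router_dnat(client_pkt), DNAT_PORT, SQUID_PORT)
        listening = SQUID_PORT
    elif setup == "route+local-redirect":
        # Recommended: router routes port 80 without NAT, box REDIRECTs 80->3127.
        pkt, nat_dst = squid_box_redirect(router_route(client_pkt), 80, SQUID_PORT)
        listening = SQUID_PORT
    else:
        raise ValueError("unknown setup: %s" % setup)
    return outcome(squid_decide(pkt, nat_dst), listening)


if __name__ == "__main__":
    for name in ("router-dnat", "router-dnat+local-redirect", "route+local-redirect"):
        print("%-28s -> %s" % (name, simulate(name)))
```

Running the script prints one line per setup; only the last one reaches the origin, because only there does the NAT table on the Squid box hold the client's real destination rather than the Squid box's own address.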

Received on Thu Apr 04 2013 - 02:56:27 MDT
