On Wed, 24 Mar 2004, Matthew Tanase wrote:

> A couple of things since my initial post. I verified the machine does
> indeed have DNS access (I can ping hosts), so that shouldn't be a
> problem. I had to use "iptables -t nat -A PREROUTING -p tcp --dport 80
> -j DNAT squidbox:3128" to get Squid working, not sure why. Now, however,
> everything is denied with TCP_MISS 504/503 errors - is this an ACL
> problem or iptables?

Most likely a squid.conf problem, not ACLs. Details depend on what the error message sent to the clients says. For a start, see the FAQ on how to configure Squid for transparent proxying.

> My other question - why the POSTROUTING - I already have the PREROUTING.

DNAT/REDIRECT must be used in PREROUTING. It cannot be used in POSTROUTING.

> And why isn't REDIRECT working, it's my understanding that DNAT is
> REDIRECT, but you have to specify a host...

REDIRECT is a specific version of DNAT, grabbing the destination IP address from the interface the packet was received on instead of having it specified in the target. Most likely REDIRECT gets confused about which interface to grab the destination IP address from in the bridge.

Regards
Henrik
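The two points in the reply above (destination-rewriting targets belong in PREROUTING, and REDIRECT is DNAT with the destination taken from the receiving interface) as an added example; this is not code from the thread or from the Squid project. The script only prints the iptables rules so they can be reviewed before being applied; the interface names, the Squid address and the port are constructed placeholders, and the explicit exemption for the Squid host's own traffic is an assumption for the case where Squid runs on a different machine than the router.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the nat-table rules for
# intercepting port-80 traffic into Squid. Rules are printed, not applied, so
# they can be checked first (or piped to sh). Addresses and interfaces are
# constructed placeholders.

# squid_nat_rules MODE IN_IFACE SQUID_ADDR SQUID_PORT
#   MODE=redirect : Squid runs on the router itself. REDIRECT rewrites the
#                   destination to the address of the interface the packet
#                   arrived on, so no address needs to be given.
#   MODE=dnat     : Squid runs on another host, or the router is a bridge
#                   where REDIRECT may pick the wrong interface address (as
#                   the reply suggests), so the destination is stated
#                   explicitly with --to-destination.
# Both targets are valid only in PREROUTING (and OUTPUT for locally generated
# packets), never in POSTROUTING.
squid_nat_rules() {
    mode=$1; iface=$2; squid=$3; port=$4
    case $mode in
        redirect)
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
                "$iface" "$port"
            ;;
        dnat)
            # Exempt traffic coming from the Squid host itself; otherwise its
            # own upstream fetches on port 80 would be looped back into it.
            printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j ACCEPT\n' \
                "$iface" "$squid"
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
                "$iface" "$squid" "$port"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# check_chain CHAIN TARGET
# Returns 0 if TARGET may be used in CHAIN, 1 otherwise. Catches the mistake
# discussed in the thread: DNAT or REDIRECT placed in POSTROUTING.
check_chain() {
    chain=$1; target=$2
    case $target in
        DNAT|REDIRECT)
            case $chain in
                PREROUTING|OUTPUT) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *) return 0 ;;
    esac
}

# Usage (prints the bridge/DNAT variant for review):
# squid_nat_rules dnat br0 10.0.0.2 3128
```

Once the printed rules look right, the Squid side still has to be configured for interception (the FAQ section the reply points to); a correct PREROUTING rule with an unconfigured Squid is exactly what produces the TCP_MISS 5xx responses described in the question.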
