On 4/04/2013 3:16 a.m., Ewan Sadie wrote:
I am new to iptables so I tried the following.
I changed the listening port on the proxy to 3127, so that I do not need to 
change the DNAT on the router.
The router does a DNAT to 3128.

What you have done:

 Router receives a packet saying:
  client 192.168.0.2 connect to website 1.2.3.4:80
  router NAT removes 1.2.3.4:80 and adds 192.168.0.1:3128

 Squid box receives a packet saying:
  client 192.168.0.1 connect to website 192.168.0.1:3128
  Squid box NAT removes 192.168.0.1:3128 and adds 192.168.0.1:3127

 Squid receives packet saying:
  client 192.168.0.1 connect to website 192.168.0.1:3127
  the box NAT system informs Squid the packet destination was originally 192.168.0.1:3128

... there is a result. NAT is working perfectly fine *on the Squid box*. So failure warnings do not appear.

But where does Squid connect?

The HTTP Host: header cannot be trusted much in interception mode (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801). Squid-3.2 and later will verify that the 192.168.0.2:3128 IP address NAT delivered belongs to the Host: header domain before allowing the Host: header to be used. When it fails (as it will fail 100% on your system) Squid will be transparent and pass the request on to the same place the client was connecting.

On your system Squid is transparently relaying the intercepted traffic to the web server it is being told exists at 192.168.0.1:3128.


Routers need to *route* the port 80 traffic to the Squid box *without* using NAT.


Amos
I then ran the following command on the Squid server, iptables -t nat -A 
PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3127

I now do not see the forward loop errors any more but I do get TCP_MISS/503
I can still browse via the proxy by connecting to port 8080 so I know there are 
no rules blocking me.
The fact that I get results in the access.log indicates to me that the 
redirection is happening.




-----Original Message-----
From: Ewan Sadie


Hi All

Did the handling of intercept change since Squid 3.2.x?
Based on this article 
http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html,
 it seems that you have to do a redirect on the Squid box itself as well as on 
the router.
Is this the case?  I do not want to over complicate the setup with an additional 
firewall as well.

Switch "as well as" for "instead of" and you will have the right idea.

Amos
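The destination check Amos describes above (Squid 3.2 and later verifying that the NAT-reported original destination belongs to the Host: header's domain, per CVE-2009-0801), modelled as an added example that is not Squid's code. It assumes a constructed DNS table and a hypothetical `www.example.com` at 1.2.3.4 in place of real lookups, and contrasts the routed setup with the double-NAT setup from the thread.

```python
"""Model of the Host: header check Squid 3.2+ applies to intercepted requests.

Added illustration, not Squid's own code. Rule shown: the destination IP that
the NAT layer reports as the client's original target must be one of the
addresses the Host: header domain resolves to; otherwise the Host: header is
not trusted and Squid relays the request to that original destination as-is.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS (assumption: www.example.com lives at 1.2.3.4).
DNS = {"www.example.com": {"1.2.3.4"}}


@dataclass
class InterceptedRequest:
    client_ip: str
    nat_original_dst: tuple  # (ip, port) the NAT layer reports as original target
    host_header: str


def host_header_trusted(req: InterceptedRequest) -> bool:
    """True when the NAT-reported destination IP belongs to the Host: domain."""
    dst_ip, _ = req.nat_original_dst
    return dst_ip in DNS.get(req.host_header, set())


def choose_upstream(req: InterceptedRequest):
    """Where the proxy connects: the verified Host: domain, else the original destination."""
    if host_header_trusted(req):
        return (req.host_header, 80), "host-verified"
    return req.nat_original_dst, "transparent-relay"


def relays_to_self(req: InterceptedRequest, local_addrs: set) -> bool:
    """Detect the failure mode from the thread: the relay target is the proxy box itself."""
    (ip, _port), mode = choose_upstream(req)
    return mode == "transparent-relay" and ip in local_addrs


def routed_setup() -> InterceptedRequest:
    # Router routes port 80 traffic to the Squid box unchanged; the Squid box's own
    # REDIRECT still lets the NAT layer report the real original target 1.2.3.4:80.
    return InterceptedRequest("192.168.0.2", ("1.2.3.4", 80), "www.example.com")


def double_nat_setup() -> InterceptedRequest:
    # Router DNATs first, so the Squid box's NAT layer only ever sees 192.168.0.1:3128
    # as the "original" destination; the real 1.2.3.4:80 is gone.
    return InterceptedRequest("192.168.0.1", ("192.168.0.1", 3128), "www.example.com")
```

In the double-NAT case the check fails and the relay target is the Squid box's own address, which is why loops or 503s appear without any NAT error being logged.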
