[squid-users] Re: Squid Interception Proxy (3.3)

From: John Yoon <seatpost_at_gmail.com>
Date: Thu, 2 May 2013 16:50:38 -0700

> The NAT operation *MUST*, absolutely *MUST*, be performed on the Squid box and nowhere else on the path between Squid and clients.
I am buying a new router that has enough ROM and RAM to support
openwrt + squid, for security reasons and also because my
ARM-based server does not have a proper 'iptables' available. Thanks
for that emphasis. I re-read the original post and saw that you also
point out that the dd-wrt wiki page is wrong. It was very confusing
for me, as not only the wiki page but also several blog pages posted
how-tos attesting that the aforementioned setup worked. One post was less
than a year old!

> The configuration for OpenWRT device is in fact a completely different setup
There is a section called 'When Squid is in a DMZ between the router and
Internet' which is exactly what 'Ethan H' was trying to achieve. And
you responded.
>> The kernel routing layer does the routing based on the firewall markings
Is it the reason why OpenWRT works but not DD-WRT? Due to the
difference in the kernel routing layer? Or does the same rule apply
and NAT operation *Must* be performed for OpenWRT as well?

On Wed, May 1, 2013 at 6:40 PM, Amos Jeffries-2 [via Squid Web Proxy
Cache] <ml-node+s1019090n4659755h42_at_n4.nabble.com> wrote:
> On 2/05/2013 10:23 a.m., prometheus wrote:
>> Were you able to get this to work? I am having the same problem.
>
> The problem is that DNAT, whenever used, *erases* critical information
> which Squid-3.2+ requires. The NAT operation *MUST*, absolutely *MUST*,
> be performed on the Squid box and nowhere else on the path between Squid
> and clients.
>
> Please go back and re-read the "outline" section on
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat for
> details on DNAT configuration.
>
> The configuration for OpenWRT device is in fact a completely different
> setup, which is one of the cases detailed in
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute.
>
> Amos
Received on Thu May 02 2013 - 23:51:06 MDT
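
Added example, not part of the thread and not the Squid project's own script: the split the quoted reply describes, with the router only marking and policy-routing port 80 traffic and the Squid box doing the NAT itself. The addresses, interface name, mark, table number and intercept port are assumed values; commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Assumed values for illustration; adjust to the real network.
SQUID_IP=192.168.1.10    # assumed address of the Squid box
CLIENT_IF=br-lan         # assumed router interface facing the clients
FWMARK=2                 # arbitrary firewall mark
RT_TABLE=100             # arbitrary routing table number
INTERCEPT_PORT=3129      # assumes "http_port 3129 intercept" in squid.conf

# Dry run by default: print each command. APPLY=1 (as root) executes it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Router: no DNAT/REDIRECT. Packets are marked and routed to the Squid box,
# so they arrive there with their original destination address intact.
router_rules() {
  # Let the proxy's own outbound requests through unmarked (loop guard).
  run iptables -t mangle -A PREROUTING -p tcp --dport 80 -s "$SQUID_IP" -j ACCEPT
  run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
  run iptables -t mangle -A PREROUTING -m mark --mark "$FWMARK" -j ACCEPT
  # Allow the marked traffic to go back out the interface it came in on.
  run iptables -t filter -A FORWARD -i "$CLIENT_IF" -o "$CLIENT_IF" -p tcp --dport 80 -j ACCEPT
  run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
  run ip route add default via "$SQUID_IP" table "$RT_TABLE"
}

# Squid box: the only place where NAT happens.
squid_box_rules() {
  run iptables -t nat -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
  run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port "$INTERCEPT_PORT"
  # Refuse connections made directly to the intercept port.
  run iptables -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

# Sanity check: succeeds if the router rule set contains a NAT target,
# which is the misconfiguration the quoted reply warns about.
router_does_nat() { router_rules | grep -Eq -- '-j (DNAT|REDIRECT)'; }

case "${1:-}" in
  router) router_rules ;;
  squid)  squid_box_rules ;;
esac
```

Run it as `sh script.sh router` or `sh script.sh squid` to review the rules for each machine before applying them.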
