> This is because of the fix for CVE-2009-0801. NAT on a separate machine 
> has never actually worked properly even in 2.7. The fix we have in 
> current Squid involves verifying the TCP destination IP, which also 
> enforces that NAT is performed on the Squid machine instead of remotely. 
> You need to use policy routing or similar mechanisms on the router to 
> get the packets to the Squid machine unchanged for interception to work. 
> 
> Amos 

On the contrary, my setup was working perfectly on those versions, because
I'm not using the same machine for NAT routing. For routing, I leave
everything on the MikroTik; what Squid does is only accept redirected requests
from the MikroTik.

My setup is:

A >> B >> C >> D >> E

A. client ( 192.168.0.0/24 )
B. MikroTik router ( 192.168.0.253, 192.168.14.1 )
C. dst-nat src-address=192.168.0.0/24 dst-port 80 redirect to Squid ( to-addresses=192.168.14.2 to-ports=3129 )
D. Squid requests the internet via 192.168.14.1 (but this time it won't go into the dst-nat redirect, because the dst-nat was only specified for requests from 192.168.0.0/24)
E. directly routed to the internet gateway

I have been using this setup for several years without any problem, but a few
days ago I decided to test the latest stable squid3, and was kind of surprised
to get these changes.
Is there any way I can do the same setup again on this latest version
without having to do that iptables NAT?

> Hey There, 
>
> We will need more information in the form of: 
> Client address 
> Squid Address 
> Routing scheme\description 
> iptables rules 
> access.log output 
> Is the squid box the gateway of the network? 
> 
> In almost all cases the denied is rightful. 
> 
> Eliezer 

I'm not using any iptables rules, as I explained above. And no, the
Squid box is not the gateway; a MikroTik is doing that job and redirects
client requests (not Squid's) with dst-port 80 to Squid's http_port 3129
transparent port.

I got a lot of "Forwarding loop" messages in cache.log, which led me to find
these links on Google:
http://www.squid-cache.org/mail-archive/squid-users/201304/0051.html and
http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html

So the question is the same: is there any way I can do the same setup again
on this latest version without having to do that iptables NAT?


Thanks for the help.

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/access-denied-tp4666619p4666633.html
Sent from the Squid - Users mailing list archive at Nabble.com.
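The quoted reply describes the layout that works with the CVE-2009-0801 fix: the router forwards client port-80 packets to the Squid box with the destination address untouched (policy routing), and the REDIRECT, the only NAT step, happens on the Squid box itself, so Squid can recover the original destination from its own NAT table. The following script is an added example for that layout using the addresses from the post; it is not code from this thread or from the Squid project. It assumes a RouterOS v6-style CLI, that Squid's router-facing interface is eth0, and a routing-mark named to-squid.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Squid project.
# Layout from the post: clients 192.168.0.0/24 (A), MikroTik 192.168.14.1 (B),
# Squid box 192.168.14.2 listening on 3129. Instead of the router's dst-nat
# (which rewrites the destination before Squid ever sees it), the router
# policy-routes client port-80 traffic to the Squid box unchanged and the
# Squid box does the REDIRECT itself.
# Assumptions: RouterOS v6-style CLI, Squid's router-facing interface is eth0,
# the routing mark is named "to-squid".

CLIENT_NET="192.168.0.0/24"   # A: clients (from the post)
SQUID_IP="192.168.14.2"       # Squid box (from the post)
SQUID_PORT="3129"             # intercept port (from the post)
SQUID_IF="eth0"               # assumption
ROUTE_MARK="to-squid"         # assumption

# Router side: mark only *client* port-80 traffic and send it to the Squid box
# with the destination address untouched. Squid's own outbound connections
# come from 192.168.14.2, not from CLIENT_NET, so they are never marked and
# cannot loop back into Squid.
mikrotik_rules() {
    cat <<EOF
/ip firewall mangle add chain=prerouting src-address=$CLIENT_NET protocol=tcp dst-port=80 action=mark-routing new-routing-mark=$ROUTE_MARK passthrough=no
/ip route add routing-mark=$ROUTE_MARK gateway=$SQUID_IP
EOF
}

# Squid side: forward, and redirect the policy-routed client traffic to the
# local intercept port. REDIRECT records the original destination in the
# NAT table, which is what Squid's intercept lookup reads.
squid_box_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $SQUID_IF -s $CLIENT_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $SQUID_IF -s $CLIENT_NET -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# Sanity check on the generated router rules: nothing may rewrite the
# destination (dst-nat / to-addresses) before the packet reaches Squid.
router_keeps_dst() {
    ! mikrotik_rules | grep -Eq 'dst-nat|to-addresses'
}

case "${1:-show}" in
    show)
        echo "# squid.conf on $SQUID_IP:"
        echo "http_port $SQUID_PORT intercept"
        echo
        echo "# On the MikroTik:"
        mikrotik_rules
        echo
        echo "# On the Squid box, as root:"
        squid_box_rules
        ;;
    apply)
        # Executes only the Squid-box commands on this host; needs root.
        router_keeps_dst || { echo "router rules would rewrite dst" >&2; exit 1; }
        squid_box_rules | sh -e
        ;;
esac
```

Run it without arguments to print both rule sets; `apply` executes only the Squid-side sysctl and iptables commands on the local box. The `http_port ... intercept` line is the Squid 3.1+ spelling of what the post calls the transparent port. The router-side mangle rule matches on src-address=192.168.0.0/24, so traffic Squid itself originates from 192.168.14.2 is routed normally and does not re-enter the proxy.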