# transparent squid problem, iptables incorrectly set up?

## lukdk

Hello,

I'm having trouble setting up my proxy transparently. I've looked on the web for a solution but according to the manuals it should be very simple, however it is not working on my system.

I'm using a gentoo server with squid and nat.

This is in the squid.conf:

```
http_port 8888 transparent
```

I'm using these firewall rules:

```sh
# flush the nat table
/sbin/iptables -t nat -F

# masquerade LAN traffic leaving on the PPP uplink
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# redirect LAN HTTP traffic arriving on eth1 to the local Squid port
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --src 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8888
```

```
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  192.168.0.0/24       anywhere            tcp dpt:http redir ports 8888

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

When I try to browse to an unknown domain on a computer on the LAN with IP 192.168.0.* I still get the default error page instead of the Squid-generated error page.

When I manually set up the proxy in the browser, I see squid is working fine.

I'm not sure where to start looking for what exactly is going wrong, since I don't get any errors. Maybe I'm not looking in the correct location. I assume something with the firewall is incorrectly set up, or maybe I'm missing some support in the kernel for this?

----------

## Hu

What do you mean an unknown domain?  If you request a domain for which the answer is NXDOMAIN, the browser will not initiate a TCP connection because there is nowhere to go, so there is no chance for Squid to intercept it.

----------

## lukdk

This is what I mean by an unknown domain. I only get this when I set the proxy manually (and this is how I'm testing if it's working). As you can see, this is an error generated by Squid (see bottom), but no Squid error is received when I don't set the proxy, so it's not working I guess?

ERROR

The requested URL could not be retrieved

--------------------------------------------------------------------------------

The following error was encountered while trying to retrieve the URL: http://www.ergeryghergdfvd.com/

Unable to determine IP address from host name „www.ergeryghergdfvd.com”

The DNS server returned:

Name Error: The domain name does not exist.

This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.

Your cache administrator is root.

--------------------------------------------------------------------------------

Generated Sat, 16 Jan 2010 21:58:19 GMT by ldk.mine.nu (squid/3.0.STABLE19)

----------

## lukdk

Oh, seems to be solved!

The test I did wasn't correct.

Apparently, when I shut down the proxy server, I'm not able to browse the internet any more. So I would say it's working. Also, according to the access.log, I'm using the proxy.

Still, it's strange that when I set the proxy manually I get a different error page than when I don't set it. Any explanation for that? Is that just because the browser works differently when a proxy is specified?

----------

## Hu

Yes.  As I explained above, if you request a domain which does not exist, then the browser will get a response of NXDOMAIN from the DNS server.  The browser then displays an inline error, without ever connecting to anything, so there is no opportunity for a connection to be intercepted.  When you explicitly use a proxy, the browser delegates name resolution to Squid, so Squid receives a connection regardless of what you type in the address bar.  Squid is thus able to return an error page for missing domains.

----------
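A quicker way to confirm interception than browsing to a non-existent domain is to read the nat table with `iptables -t nat -L PREROUTING -v -n`: the `-v` flag shows the input interface (hidden in the `-L` listing quoted above, so the `-i eth1` match is not visible there) and the packet counters, which climb only if LAN HTTP traffic actually hits the REDIRECT rule. The script below is an added example, not code from this thread; it parses a constructed sample of that verbose listing and replays a packet against the chain the way netfilter would, so you can see which flows are redirected to port 8888 and which are not.

```python
import ipaddress
import re

# Constructed sample of `iptables -t nat -L PREROUTING -v -n` output for the
# poster's rules (not the thread's own listing, which was taken without -v/-n).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 REDIRECT   tcp  --  eth1   *       192.168.0.0/24       0.0.0.0/0            tcp dpt:80 redir ports 8888
    0     0 DNAT       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.0.1:53
"""

def parse_nat_chain(text):
    """Parse the rule rows of one verbose chain listing; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue  # "Chain ..." and column-header lines
        pkts, _bytes, target, prot, _opt, iface_in, _out, src, dst = parts[:9]
        extra = " ".join(parts[9:])
        dpt = re.search(r"dpt:(\d+)", extra)
        redir = re.search(r"redir ports (\d+)", extra)
        rules.append({
            "pkts": int(pkts), "target": target, "prot": prot, "in": iface_in,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": int(dpt.group(1)) if dpt else None,
            "redir_port": int(redir.group(1)) if redir else None,
        })
    return rules

def first_match(rules, iface, proto, src, dport):
    """Return the first rule a packet would hit (iptables stops at the first
    terminating target), or None if the chain policy applies."""
    for r in rules:
        if r["in"] not in ("*", iface):
            continue  # -i eth1 only matches traffic entering on eth1
        if r["prot"] not in ("all", proto):
            continue
        if ipaddress.ip_address(src) not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r
    return None

if __name__ == "__main__":
    chain = parse_nat_chain(SAMPLE)
    hit = first_match(chain, "eth1", "tcp", "192.168.0.5", 80)
    print("LAN HTTP ->", hit["target"], "port", hit["redir_port"], "pkts", hit["pkts"])
    print("LAN HTTPS ->", first_match(chain, "eth1", "tcp", "192.168.0.5", 443))
```

A zero packet counter on the REDIRECT row after a LAN client has fetched a resolvable site is the real sign of a broken transparent setup; the NXDOMAIN test never produces a packet for the rule to count.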

