# I can't redirect packages to squid

## epsilon_da

Hi. I am just investigating how to block MSN Messenger for certain computers, and I am trying this with squid.

So.

I have configured a few ACLs on squid and I need to make it transparent for certain computers on my LAN, because squidGuard doesn't have MIME type support and blocking the servers doesn't work.

Once I have configured squid, I have to block port 1863 on this machine with my firewall to make MSN communicate through port 80, and then redirect port 80 to 3128 (squid port), while all other computers go directly without the proxy.

A month ago I updated and recompiled the kernel, but in my impression it is exactly the same configuration as it had before. And for some reason, iptables is not redirecting port 80 and doesn't show me any error.

```
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.1.9-192.168.1.15 -p tcp --dport 80 -j REDIRECT --to-port 3128
```

I don't see any syntax error. And the next line also doesn't work:

```
iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```

The latter line was the default for a year, before I decided to deactivate the proxy, and it was working correctly.

Now I can't get either to work.

How do I test it?

I have configured Firefox to proxy to 192.168.1.1 on port 3128 and it works OK, but with the proxy set to 192.168.1.1 on port 80, which should be redirected to 3128, it is not working.

Without configuring any proxy it works perfectly, of course, but I need to use squid as transparent for only some PCs.

The redirect module is activated in menuconfig and comes by default.

Any ideas?

----------

## moocha

What squid version are you using? The firewall rules are perfectly fine, they're certainly not the ones causing problems. Note that in newer (2.6+) squid versions you need to tell it it's running in intercept (aka transparent proxy) mode in the http_port configuration directive:

```
http_port 3128 transparent
```

The transparent option is vital.

Note that squid will then expect any requests on that port to be HTTP requests, not HTTP proxy requests, so it may or may not work as a normal proxy on that port. It's generally better to run it in intercepting mode on one port, and in normal mode on a different port (by adding another http_port line with the second port and without the transparent option), and to configure the proxy for the non-intercepted clients to the second port.

----------

## epsilon_da

My installed squid is an old 2.5.11 and, as I read in some Gentoo tutorial, the lines pertinent to transparent proxies are:

```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```

Should I add this line too?

Thanks

----------

## moocha

No, you don't need to. As I mentioned, that's for Squid 2.6 and newer. See Transparent Caching/Proxy in the Squid User's Guide for details.

----------

## epsilon_da

Mmmm, then I will try updating squid, but first:

```
httpd_accel_port 80
```

Shouldn't it be 3128 if I am redirecting port 80 to 3128?

----------

## epsilon_da

`httpd_accel_port 3128` didn't work.

I was thinking:

In my firewall I have redirected port 80 to 3128, so it should be the same for squid to communicate in a proxy manner through 3128 and through 80 since it is redirected, and all communication to squid comes from 3128.

I'm still thinking that it is something in the firewall or kernel configuration.

Anyway, i will try updating squid tonight.

----------

## epsilon_da

Updating squid to 2.6.stable7 didn't work and no errors are shown in cache.log.

Any other ideas? I'm still thinking that it is a redirection problem.

----------
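
One way to settle the question raised in the posts above (firewall side or proxy side) is to read the per-rule packet counters that `iptables-save -c` prints. The script below is an added example, not code from anyone in the thread; the function names are hypothetical and the sample ruleset and its counters are constructed from the thread's two rules.

```shell
#!/bin/sh
# Added example. Reads `iptables-save -c -t nat` output on stdin and reports
# the packet counter of every REDIRECT rule in the nat PREROUTING chain.
redirect_hits() {
    awk '
    /^\[[0-9]+:[0-9]+\] -A PREROUTING / && / -j REDIRECT( |$)/ {
        # $1 is the counter field, "[packets:bytes]"
        split(substr($1, 2, length($1) - 2), c, ":")
        dport = "?"; to = "?"
        for (i = 2; i < NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
        }
        verdict = (c[1] + 0 > 0) ? "HIT" : "NEVER-MATCHED"
        printf "%s dport=%s to=%s packets=%d\n", verdict, dport, to, c[1]
    }'
}

# Exit status: 0 = at least one rule matched traffic (look at the proxy side),
#              1 = rules exist but none ever matched (look at the firewall side),
#              2 = no REDIRECT rule loaded at all.
diagnose() {
    hits=$(redirect_hits)
    [ -n "$hits" ] || { echo "no REDIRECT rule in nat PREROUTING"; return 2; }
    echo "$hits"
    if echo "$hits" | grep -q '^HIT '; then
        echo "redirect is matching: check the proxy's http_port mode and logs"
        return 0
    fi
    echo "no packet ever matched: check interface, source range, routing"
    return 1
}

# Constructed sample (counters invented) holding the thread's two rules.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [120:7200]
[0:0] -A PREROUTING -p tcp -m iprange --src-range 192.168.1.9-192.168.1.15 -m tcp --dport 80 -j REDIRECT --to-ports 3128
[42:2520] -A PREROUTING -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# On the gateway, as root: iptables-save -c -t nat | diagnose
sample_ruleset | diagnose
```

Run it once before and once after loading a plain HTTP page from one of the affected clients with no proxy configured in the browser; a counter that stays at zero means the packets never reach the rule.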

## americanskin

MSN Messenger uses a dispatch server: messenger.hotmail.com:1863, or when it uses the SOCKS-based connection it uses: gateway.messenger.hotmail.com:80. I would try adding messenger.hotmail.com to a URL list in your blacklist inclusions. I have just blocked hotmail.com altogether and it worked for me.

----------

