Transparent Proxy Server - Error when redirecting port 80 to port 3128 on the Squid Machine

Posted on 2004-11-21
Last Modified: 2010-03-18
I have SQUID and IPTABLES running on a machine.  Squid works quite nicely when I tell my web browser to use the SQUID machine's IP address and port.

When I realized I would have to change every workstation on the network and people could still sneak into the setting and remove the proxy settings, it was suggested that I use Transparent Proxying and redirect all of the port 80 destined traffic to port 3128 on the Squid machine.

When I add the line:  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128, all web browsers on the network return the following screen from the SQUID machine.

The requested URL could not be retrieved


While trying to retrieve the URL: /

The following error was encountered:

Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:

Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed
Your cache administrator is root.


Generated Sun, 21 Nov 2004 17:42:43 GMT by alcatraz (squid/2.5.STABLE5)


It appears that somehow during the translation the URL goes missing, by looking at the "WHILE TRYING TO RETRIEVE THE URL : /"  If I hover my mouse over the / in that message, it shows me the URL of the site I typed into the address line of the browser.

Anyhow, could the problem also stem from NAT being done later down the line at my border router to the internet?  I doubt it, it seems like a squid problem.

Any suggestions?  I have read some documents that talked about compiling a kernel with certain options.

I'm running FEDORA 2, which has the 2.6 kernel, and of course I installed with the normal procedure from the ISO CD images.  I'm scared to recompile a kernel.


Question by:deeky
    LVL 40

    Expert Comment

    Where are you applying the iptables rule? On the Squid box or the gateway router?

    To work, the transparent proxy rule must be applied on the default gateway for the local LAN. If that system is not the box running Squid, the rule must do a redirect to port 3128 on the SQUID machine's IP. However, if you are using the Squid box as a default gateway then it needs to be NAT'ing the local network.
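    The two placements the comment above distinguishes, as an added example (not code from the original post): Squid on the gateway itself, where REDIRECT is enough, and Squid on a separate LAN host, where the gateway must DNAT to Squid, exclude Squid's own outbound fetches from the DNAT, and SNAT the forwarded packets so Squid's replies come back through the gateway. Interface names, the addresses 192.168.1.0/24, 192.168.1.1 and 192.168.1.2 and port 3128 are assumed placeholders. Note that either rule set only catches plain HTTP entering the named LAN interface: HTTPS is not intercepted, and clients on the other NICs are not proxied unless the rule is repeated for their interfaces.

```shell
#!/bin/sh
# Transparent-proxy NAT rules for the two topologies: Squid on the gateway
# and Squid on a separate host on the LAN.  Added example, not from the
# original post.  Interface names, 192.168.1.0/24 (LAN), 192.168.1.1
# (gateway), 192.168.1.2 (Squid) and port 3128 are assumed placeholders.
# With DRY_RUN=1 (the default) the rules are printed instead of applied,
# so the set can be reviewed without root; DRY_RUN=0 runs iptables.

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Topology 1: Squid runs on the default gateway (the poster's setup).
# REDIRECT rewrites the destination to the address of the interface the
# packet came in on, so Squid only has to listen on the port.  Only plain
# HTTP on port 80 is caught: HTTPS cannot be intercepted this way, and an
# origin server on another port is not caught either.
redirect_local() {
    lan_if="$1"; squid_port="$2"
    ipt -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$squid_port"
    # After REDIRECT the packet traverses INPUT with the new port, so the
    # filter table must accept it there (compare the poster's
    # "Accept SQUID requests from PRIVATE LAN" rule).
    ipt -A INPUT -i "$lan_if" -p tcp --dport "$squid_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Topology 2: Squid is another host on the same LAN.  The gateway DNATs
# port 80 to Squid.  Two things are easy to miss:
#  - Squid's own outbound fetches to port 80 arrive on the same interface
#    and must be excluded, or they are DNATed straight back to Squid.
#  - Squid would answer the client directly from its own address, which the
#    client never connected to, so the TCP session fails; SNATing the
#    forwarded packets to the gateway makes Squid reply via the gateway.
redirect_remote() {
    lan_if="$1"; lan_net="$2"; gw_ip="$3"; squid_ip="$4"; squid_port="$5"
    ipt -t nat -A PREROUTING -i "$lan_if" ! -s "$squid_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$squid_ip:$squid_port"
    ipt -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$squid_ip" \
        -p tcp --dport "$squid_port" -j SNAT --to-source "$gw_ip"
    # Hairpin forward: the packet enters and leaves on the LAN interface.
    ipt -A FORWARD -i "$lan_if" -o "$lan_if" -s "$lan_net" -d "$squid_ip" \
        -p tcp --dport "$squid_port" -j ACCEPT
}

echo "# Squid on the gateway"
redirect_local eth0 3128
echo "# Squid on a separate host"
redirect_remote eth0 192.168.1.0/24 192.168.1.1 192.168.1.2 3128
```

    Run it as-is to review the rules, then with DRY_RUN=0 as root to apply them; the SNAT rule is deliberately narrowed to the DNATed flows (destination Squid, destination port 3128) so ordinary LAN traffic is left untouched.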

    Author Comment

    The Squid Box is my Gateway Router which is also running Iptables.  (this is all one machine I call a firewall).  It has 4 NICS, 1 to internet router, 1 to PRIVATE LAN, 1 to PUBLIC WIRELESS, 1 to WEB/MAIL server.  I'm only concentrating on two NICS, the one between the Internet Router and the Firewall, and the one between the PRIVATE LAN and the firewall.

    I'm trying to get all internet traffic on the PRIVATE LAN, which is going to the firewall anyway because it is the default gateway, to use the SQUID port 3128 instead of the standard port 80.

    Somehow, my redirect is not working properly because squid WORKS if I point each of my client browsers to the Firewall at port 3128.  The redirect is doing something because I get the above error generated by squid, so it is moving the packet to port 3128.  Is there another port needed to be open for a reply connection?

    LVL 40

    Expert Comment

    Is the box NAT'ing the interior IP's?

    Could I see the iptables commands you use to set up the firewall?

    Author Comment

    No, the only other NAT'ing is done on a Cisco 1720 on the border between us and the internet.

    Here are the IPTABLES:

    # Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
    :OUTPUT ACCEPT [0:0]
    # Redirect PRIVATE LAN to PROXY SERVER for port 80 Traffic
    -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
    # Completed on Wed Nov 17 20:12:27 2004
    # Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
    :PREROUTING ACCEPT [18829:9159599]
    :INPUT ACCEPT [8426:862853]
    :FORWARD ACCEPT [10401:8296650]
    :OUTPUT ACCEPT [8500:860136]
    :POSTROUTING ACCEPT [18747:9144950]
    # Completed on Wed Nov 17 20:12:27 2004
    # Generated by iptables-save v1.2.9 on Wed Nov 17 20:12:27 2004
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT DROP [0:0]
    -A FORWARD -o eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_OUT:
    -A FORWARD -i eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_IN:
    -A OUTPUT -o eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_OUT:
    -A INPUT -i eth1 -j LOG  --log-level debug --log-prefix BANDWIDTH_IN:
    -A INPUT -i lo -j ACCEPT
    # Allow Web Traffic Established Back into FIREWALL
    -A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
    # Allow LAN access to Internet
    -A FORWARD -m state -s -i eth0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -m state -i eth1 -o eth0 --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    # Output Packets from FIREWALL MACHINE (SQUID)
    -A OUTPUT -m state -o eth1 --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Allow Email Server Access to INTERNET Outgoing
    -A FORWARD -m state -s -i eth2 -o eth1 --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Allow Mailserver Internet Access INCOMING
    -A FORWARD -m state -i eth1 -o eth2 --state ESTABLISHED,RELATED -j ACCEPT
    # Allow Border Router To Send SYSLOG to Zeus on Private Lan
    -A FORWARD -p udp -m udp -s -d -i eth1 -o eth0 --dport 514 -j ACCEPT
    # Allow DNS Queries to ZEUS
    -A FORWARD -p udp -m udp -m multiport --ports 53 -j ACCEPT
    # Allow DNS Replies from ZEUS
    -A INPUT -p udp -m udp -m multiport -s -d -i eth0 --ports 53 -j ACCEPT
    # Allow Firewall to transmit DNS request to ZEUS
    -A OUTPUT -p udp -m udp -m multiport -s -d -o eth0 --ports 53 -j ACCEPT
    # Accept SQUID requests from PRIVATE LAN
    -A INPUT -p tcp -m tcp -m state -s -i eth0 --dport 3128 --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Permit SQUID function
    -A OUTPUT -m state -o eth0 --state ESTABLISHED,RELATED -j ACCEPT


    Author Comment


    I eliminated the firewall from the equation, so I realized I needed to focus more on the squid configuration.

    I figured out the problem.  I had missed these four key lines in the squid.conf file.  Apparently they make the difference.  They were:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    they need to all be on

    I learned this from several other posts in the forum, but I didn't think they applied to my situation.  Apparently they do.

    Since I solved my problem, now I have a related question, can somebody tell me what these 4 lines are doing?

    Strange, without them, like I stated before the web-browser on the client side would not "pick up" a URL.  What is accel doing?  Sounds like it makes it faster?
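    The question above (what the four httpd_accel_* lines do, and why the URL "went missing") comes down to the two request forms a proxy can receive. A browser configured to use a proxy sends the whole URL in the request line; a browser whose packets were REDIRECTed thinks it reached the origin server, so it sends only the path and puts the host name in the Host: header. Squid 2.5 in plain proxy mode has no URL to work with in that second form, hence "Invalid URL" for "/". httpd_accel_uses_host_header on lets it rebuild the URL from Host:, httpd_accel_host virtual tells it to accelerate whatever destination the client connected to rather than one fixed backend (and to use that original destination address when Host: is absent), httpd_accel_port 80 supplies the port, and httpd_accel_with_proxy on keeps it answering normal proxy-form requests at the same time. The following is an added example, not code from the original post or from Squid; the request lines and host names are constructed samples, and "accel" stands for the four lines being present.

```shell
#!/bin/sh
# Why a plain Squid 2.5 proxy reports "Invalid URL" for "/", and what the
# httpd_accel_* lines change.  Added example, not from the original post;
# the request lines and host names below are constructed samples.
#
# Proxy form (browser configured with a proxy):
#     GET http://www.example.com/index.html HTTP/1.0
# Origin form (browser intercepted by the REDIRECT rule):
#     GET /index.html HTTP/1.1
#     Host: www.example.com

# rebuild_url <accel 0|1> <request-line> [host-header]
# Prints the absolute URL the proxy would use and returns 0, or prints
# "Invalid URL" and returns 1 when it has to give up.
rebuild_url() {
    accel="$1"; reqline="$2"; host="$3"
    set -- $reqline                    # METHOD URI VERSION
    uri="$2"
    case "$uri" in
        http://*)                      # proxy form: already absolute
            echo "$uri"; return 0 ;;
        /*)                            # origin form: needs Host:
            if [ "$accel" = "1" ] && [ -n "$host" ]; then
                echo "http://${host}${uri}"; return 0
            fi
            # Real Squid with httpd_accel_host virtual would fall back to
            # the connection's original destination address, which only
            # the proxy process can see; this script has to give up.
            echo "Invalid URL"; return 1 ;;
        *)
            echo "Invalid URL"; return 1 ;;
    esac
}

# Stand-alone demo: the same two requests through a plain proxy (accel=0)
# and through one with the four httpd_accel_* lines (accel=1).
for req in "GET http://www.example.com/index.html HTTP/1.0" \
           "GET /index.html HTTP/1.1"; do
    for mode in 0 1; do
        url="$(rebuild_url "$mode" "$req" www.example.com || true)"
        printf 'accel=%s  %-45s -> %s\n' "$mode" "$req" "$url"
    done
done
```

    The demo shows the proxy form resolving in both modes and the origin form resolving only with accel on, which is exactly the behaviour the poster saw. Because the rebuilt URL is taken from a client-supplied header, the http_access ACLs in squid.conf still need to restrict who may use the proxy; the four lines do nothing to limit that. In Squid 2.6 and later these four directives were replaced by the single option http_port 3128 transparent (renamed intercept in 3.1).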




    Author Comment

    I haven't heard anything for a few days.  I found the answer to this question elsewhere.  How do I handle this situation?  The comment I posted was my solution to this particular problem, and I suppose it should remain in the archives for others.

    How do I close this question?


    Accepted Solution

    Closed, 200 points refunded.
    Community Support Moderator
