Hi

Do you mean use this

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:25976

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:52406


Instead of this

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 25976

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 52406


?

Do I also need some kind of

-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

?


Best regards

Sent from Nine
--------------------------------
From: NgTech LTD <ngtech1...@gmail.com>
Sent: Tuesday, 30 July 2024 14:44
To: Bolinhas André
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid



Hey,

The DNAT rule should be done on the Squid itself.
You will need to re-route the relevant traffic over the IPsec tunnel to the Squid IP.
It's possible to do that over IPIP or GRE tunnels.

Eliezer 
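The layout Eliezer describes (route the traffic over a tunnel, keep the REDIRECT on the Squid host), as an added example that is not from the thread: a small script that builds the gateway-side policy routing and the proxy-side REDIRECT rules. It assumes a GRE tunnel interface gre1 already up on both ends with the proxy reachable at 172.31.0.1 through it, and reuses the Squid intercept ports 8080/8081 and the client address from the original message; the fwmark, the routing table number and the conntrack INPUT rule (the current form of the -m state rule asked about above) are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: the layout Eliezer describes.
# Gateway: route (do not DNAT) the client's web traffic to the proxy over
# a tunnel, so the original destination IP reaches the Squid host intact.
# Proxy: REDIRECT locally; conntrack keeps the original destination, which
# Squid's intercept ports need in order to reach the real server.
# Assumed values: tunnel interface gre1 up on both ends, proxy tunnel
# address 172.31.0.1, client 192.168.60.90, Squid intercept ports 8080
# (HTTP) and 8081 (HTTPS), routing table 100, fwmark 1.
# Set RUN=echo to print the commands instead of executing them.
RUN="${RUN:-}"
CLIENT=192.168.60.90/32
PROXY=172.31.0.1
TUN=gre1
HTTP_PORT=8080
HTTPS_PORT=8081
TABLE=100
MARK=1

# Gateway (main branch): mark the client's TCP 80/443 flows and send the
# marked packets through the tunnel via a dedicated routing table.
gateway_rules() {
    $RUN iptables -t mangle -A PREROUTING -s "$CLIENT" -p tcp -m multiport --dports 80,443 -j MARK --set-mark "$MARK"
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
    $RUN ip route add default via "$PROXY" dev "$TUN" table "$TABLE"
}

# Proxy (Squid host): the REDIRECT form from the thread, plus INPUT rules,
# because after REDIRECT the packets are delivered locally on the new ports.
proxy_rules() {
    $RUN iptables -t nat -A PREROUTING -s "$CLIENT" -p tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports "$HTTP_PORT"
    $RUN iptables -t nat -A PREROUTING -s "$CLIENT" -p tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports "$HTTPS_PORT"
    $RUN iptables -A INPUT -i "$TUN" -s "$CLIENT" -p tcp -m multiport --dports "$HTTP_PORT,$HTTPS_PORT" -j ACCEPT
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Pick the side to configure: "gateway" on the main branch, "proxy" on Squid.
case "${1:-}" in
    gateway) gateway_rules ;;
    proxy)   proxy_rules ;;
esac
```

Run `RUN=echo sh script.sh proxy` (or `gateway`) to preview the commands before applying them as root on the respective host.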


On Tue, 30 July 2024, 15:41, Bolinhas André <andre.bolin...@articatech.com> wrote:
I have an external proxy server connected by VPN (IPsec) to my main branch, and I'm trying to redirect all users' HTTP / HTTPS traffic to this proxy.

Scenario: Users -> Gateway (Main Branch) -> IPsec -> Squid Proxy (transparent mode)

In my Gateway (Main Branch) I have this test iptables rule, which is forwarding all the TCP / UDP traffic to the Proxy server.


iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1


On the Squid Proxy server I have the following rules

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080


Everything is working correctly, HTTP traffic is ok, DNS is also working, the only exception is the HTTPS traffic: I can see the HTTPS traffic inside the squid access.log but on the client side I get a timeout

1722265740.867      1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"


Can anyone help me understand if I'm missing some iptables rule to handle the HTTPS traffic?

Sent from Nine
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users