From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
To further simplify the use of squid with transparent proxying could there be a flag added to /etc/sysconfig/squid:

    TRANSPARENT_PROXY=ON
    TRANSPARENT_PROXY_SOURCE_INTERFACE=$interface
    TRANSPARENT_PROXY_PORT=$port

Then when the squid init script starts up it checks this value and if transparent proxy support is required it automatically runs this iptables command?

    iptables -t nat -A PREROUTING -i $interface -p tcp --dport 80 -j REDIRECT --to-port $port

See http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4

Applies to all versions of squid (including the up and coming 3.0 release)
It seems that getsockopt(sock, SOL_IP, SO_ORIGINAL_DST, ...) does not return the original destination but the redirected one. I use a small program to redirect output and got this problem...
Sorry, I forgot, I'm using Fedora Core 4 with the latest kernel (2.6.11-1.1369_FC4)
Same problem with kernel 2.6.12-1.1387_FC4. Note the problem is a regression problem, not an RFE.
I updated to kernel 2.6.12-1.1398_FC4, which contains a fix for transparent proxy and bridge; however, it does not fix this particular problem.
IMHO I think this would not be a good idea because many times it will not be added in the proper sequence in the PREROUTING chain, i.e. if the last rule of the PREROUTING chain before squid is started is iptables -t nat -A PREROUTING -j DROP, and using an -I rule to add the rule to the top of the chain could be equally undesirable.
I think it can have more cons than pros so closing as WONTFIX.
Happily someone else fixed the problem in the kernel.
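
The rule-ordering concern raised in this thread, as an added example (not code from the squid init script or from any commenter): a shell check that reads a chain listing in `iptables -t nat -S PREROUTING` format and reports the first existing rule that would terminate port-80 traffic before an appended REDIRECT rule is reached. The function name, sample chain and interface names are constructed, and the check is conservative: it only reports rules it can prove cover the redirect's match.

```shell
#!/bin/sh
# Constructed sample: a nat PREROUTING chain as `iptables -t nat -S PREROUTING`
# would print it, ending in the catch-all DROP mentioned in the thread.
SAMPLE_CHAIN='-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -j DROP'

# first_shadowing_rule IFACE   (hypothetical helper)
# Reads chain rules on stdin and prints the first existing rule that ends
# traversal for every packet matched by "-i IFACE -p tcp --dport 80", i.e. a
# rule that makes a later "-A ... -j REDIRECT" unreachable. Prints nothing
# when no such rule is found.
first_shadowing_rule() {
    want_if=$1
    while IFS= read -r rule; do
        # Only rule lines matter; skip policy (-P) and chain (-N) lines.
        case $rule in "-A PREROUTING "*) ;; *) continue ;; esac
        # Split the rule spec into words without glob expansion.
        set -f; set -- ${rule#-A PREROUTING }; set +f
        target='' covers=yes
        while [ $# -gt 1 ]; do
            case $1 in
                -i)      [ "$2" = "$want_if" ] || covers=no; shift ;;
                -p)      [ "$2" = tcp ] || covers=no; shift ;;
                -m)      [ "$2" = tcp ] || covers=no; shift ;;
                --dport) [ "$2" = 80 ] || covers=no; shift ;;
                -j)      target=$2; break ;;
                *)       covers=no ;;  # other match or "!": not provably a superset
            esac
            shift
        done
        # Targets that end traversal of the chain for the packet.
        case $target in
            DROP|ACCEPT|REDIRECT|DNAT|RETURN)
                if [ "$covers" = yes ]; then
                    printf '%s\n' "$rule"
                    return 0
                fi ;;
        esac
    done
    return 0
}

# Demo on the constructed chain: prints the catch-all DROP rule.
printf '%s\n' "$SAMPLE_CHAIN" | first_shadowing_rule eth0
```

On a live system the input would come from `iptables -t nat -S PREROUTING`; an empty result means no rule was proven to shadow the redirect, not that the chain is free of ordering problems.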