15.20 clarification

fliker09

Do I understand it right that eth0 is WAN interface and that Squid is set to listen on it (which explains why for first command is necessary to give <SQUIDSERVER>)?

lee42x

Thank you for your question. 

In the first command:  

"iptables -t nat -A PREROUTING  -i eth1  -p tcp --dport 80 -j DNAT --to <SQUIDSERVER>:3128" 

this says; any incoming packets to this machine's eth1 interface headding to port 80 will be redirected to the ip address of your squid server on port 3128. The packet will be forwarded by the firewall to the machine <SQUIDSERVER>. This could be a firewall exposed to the Internet sending packets to over to a squid server for futher processing. 

The second rule:

"iptables -t nat -A PREROUTING -i eth0 -p tcp  --dport 80 -j REDIRECT --to-port 3128" 

is listening on port 80 for any packets then rerouting them to port 3128. If this was an inside network connection users trying to go out to surf the web would be redirected to the squid service for processing first.  The "forced" bit is the client does not have to declare the proxy in their browser. 

The address:port that squid listens to is set with the "http_port"  directive in the squid.conf configuration file.

fliker09

To be honest I still don't get it.

Is this machine a web-server (eth1 is exposed to the world) and a network router at the same time (eth0 is the gateway interface for a LAN behind it)? If so - Squid is acting as both reverse and forwarding proxy?

Why <SQUIDSERVER> is needed for the first rule if from the second rule we can deduce that Squid is actually on this machine, not on a remote?