LinuxQuestions.org

Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
squid 2.6 -- working on port 3128, but not 'transparent' (https://www.linuxquestions.org/questions/linux-software-2/squid-2-6-working-on-port-3128-but-not-transparent-645675/)

gr8scot 05-29-2008 03:36 PM

squid 2.6 -- working on port 3128, but not 'transparent'
 
I've followed the steps in this thread
http://www.linuxquestions.org/questi...id+transparent
and the links posted in it.

iptables:
$IPT -t nat -A PREROUTING -i $LANINTERFACE -p tcp \
--dport 80 -j REDIRECT --to-port 3128

squid.conf:
http_port 10.10.1.180:3128 transparent
always_direct allow all

What else do I need to do in 2.6 that isn't in this 3.0 how-to?

win32sux 05-29-2008 04:26 PM

Quote:

Originally Posted by gr8scot (Post 3168521)
I've followed the steps in this thread
http://www.linuxquestions.org/questi...id+transparent
and the links posted in it.

iptables:
$IPT -t nat -A PREROUTING -i $LANINTERFACE -p tcp \
--dport 80 -j REDIRECT --to-port 3128

squid.conf:
http_port 10.10.1.180:3128 transparent
always_direct allow all

What else do I need to do in 2.6 that isn't in this 3.0 how-to?

I don't recall ever needing an always_direct line on Squid 2.x. You really should use a HOWTO which is specific to 2.6 if that's the version you are using.

That said, you haven't really explained what exactly is happening - saying it doesn't work doesn't say much, if anything. What is the Squid log showing? What about firewall logs? Are LAN clients able to ping the Squid box and hosts on the WAN? Are you getting any error messages in the browsers? Are the LAN clients able to use the proxy if manually configured to use it? Plus any other info you could provide would be great.

gilead 05-29-2008 06:28 PM

The docs I used to set this up were on the Squid site: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy. Also as win32sux said, I've never had to use always_direct to get it working.

gr8scot 06-01-2008 03:51 PM

/var/log/squid/cache.log
 
Quote:

Originally Posted by win32sux (Post 3168563)
I don't recall ever needing an always_direct line on Squid 2.x.

I don't either, but for some reason, it was recommended in a HOW-TO. As I couldn't find any difference between my .conf file and the requirements described in the 2.6 HOWTO, I started checking for problems encountered in all versions.

Quote:

Originally Posted by win32sux (Post 3168563)
You really should use a HOWTO which is specific to 2.6 if that's the version you are using.

You assume I didn't, before scrounging around for long shots. Hmm.

Quote:

Originally Posted by win32sux (Post 3168563)
What is the Squid log showing? What about firewall logs? Are LAN clients able to ping the Squid box and hosts on the WAN? Are you getting any error messages in the browsers? Are the LAN clients able to use the proxy if manually configured to use it? Plus any other info you could provide would be great.

LAN clients not only can ping the Squid box, they can browse the web when configured to use a proxy. I can change squid.conf to proxy on port 80, but even with the directive 'transparent,' truly transparent proxying does not occur. When a browser on the LAN is configured to use a direct connection to the Internet, the squid log records this:

2008/06/01 13:20:00| parseHttpRequest: NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available

win32sux 06-01-2008 05:38 PM

Is Squid running on the same box as the iptables redirection rule?

Or are the proxy and the firewall two separate boxes?

gr8scot 06-01-2008 06:06 PM

same box
 
Quote:

Originally Posted by win32sux (Post 3171434)
Is Squid running on the same box as the iptables redirection rule?

Or are the proxy and the firewall two separate boxes?

Two NICs on that box, one connected to the internet [DSL router, to be exact] & the other connected to the LAN.

gilead 06-01-2008 07:53 PM

According to the info here, you need to make sure that you have run modprobe ip_conntrack before starting Squid. Do you have the module loaded (or support for conntrack compiled in)?

win32sux 06-01-2008 11:00 PM

Quote:

Originally Posted by gr8scot (Post 3171446)
Two NICs on that box, one connected to the internet [DSL router, to be exact] & the other connected to the LAN.

Heh, yeah, it hit me later that what I was thinking when I asked didn't make sense, as REDIRECT only works on the local machine. Anyhow, it sounds like gilead might have found the culprit for your error message. Let us know.

gr8scot 06-03-2008 03:44 AM

giving up
 
Quote:

Originally Posted by gilead (Post 3171476)
According to the info here, you need to make sure that you have run modprobe ip_conntrack before starting Squid. Do you have the module loaded (or support for conntrack compiled in)?

Thanks for the link; it matches my error message, but modprobe ip_conntrack has been in my firewall rules all along. Since the iptables script is in /etc/init.d, and the name begins with "00", I'm reasonably confident it's being run on startup, before squid. Since transparent proxying is not necessary, just something that seemed like it could be neat to know how to do, like a parlor trick, I'm giving up on it, at least for now. Thanks for trying.
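The three conditions the thread circles around (conntrack loaded, a nat PREROUTING REDIRECT rule to the Squid port, and Squid actually listening on that port) can be checked mechanically before blaming squid.conf. The script below is an added example, not code from the thread or from the Squid project; it assumes `lsmod`, `iptables-save -t nat` and `netstat -ltn` (or `ss -ltn`) output as input, and the module name `nf_conntrack` is the modern equivalent of the `ip_conntrack` the thread mentions. The sample outputs embedded at the bottom are constructed to resemble gr8scot's setup so the checks run offline.

```shell
#!/bin/sh
# Sanity checks for the "getsockopt(SO_ORIGINAL_DST) failed" symptom.
# Each check takes its input text as an argument, so it can be run on
# constructed samples here or on real command output on the proxy box.

# 0 if connection tracking is visible in lsmod output
# (ip_conntrack on 2.6-era kernels, nf_conntrack on newer ones).
has_conntrack() {
    printf '%s\n' "$1" | grep -Eq '^(ip_conntrack|nf_conntrack)[[:space:]]'
}

# 0 if a nat PREROUTING rule redirects tcp dport 80 to port $2
# (iptables-save prints the REDIRECT target as --to-ports).
has_redirect_rule() {
    printf '%s\n' "$1" | grep -Eq -- \
        "^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports $2\$"
}

# 0 if a listener on port $2 appears in netstat/ss -ltn output.
is_listening() {
    printf '%s\n' "$1" | grep -Eq "[:.]$2[[:space:]]"
}

# Runs the checks in the order the thread suggests and prints the first
# failing one; prints "ok" and returns 0 when all pass.
diagnose() {
    lsmod_out="$1"; nat_out="$2"; listen_out="$3"; port="$4"
    has_conntrack "$lsmod_out"     || { echo "conntrack module not loaded"; return 1; }
    has_redirect_rule "$nat_out" "$port" || { echo "no REDIRECT rule to $port"; return 1; }
    is_listening "$listen_out" "$port"  || { echo "nothing listening on $port"; return 1; }
    echo "ok"
}

# Constructed sample output (not captured from a real box).
SAMPLE_LSMOD='Module                  Size  Used by
ip_conntrack           50000  2 ipt_REDIRECT,iptable_nat'
SAMPLE_NAT='-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
SAMPLE_LISTEN='tcp   0   0 10.10.1.180:3128   0.0.0.0:*   LISTEN'

# On the real box: diagnose "$(lsmod)" "$(iptables-save -t nat)" "$(netstat -ltn)" 3128
diagnose "$SAMPLE_LSMOD" "$SAMPLE_NAT" "$SAMPLE_LISTEN" 3128
```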
