при включенном правИле IPTABLES на клиентских браузерах выдает ошибку.

/etc/rc.d/rc.firewall

IPT -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp -m multiport --dport 80 -j REDIRECT --to-port 3128

.....

/usr/local/squid/etc/squid.conf

acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8   # RFC1918 possible internal network acl localnet src 172.16.0.0/12   # RFC1918 possible internal network acl localnet src 192.168.0.0/16   # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 acl Safe_ports port 80    # http acl Safe_ports port 21    # ftp acl Safe_ports port 443    # https acl Safe_ports port 70    # gopher acl Safe_ports port 210    # wais acl Safe_ports port 1025-65535   # unregistered ports acl Safe_ports port 280    # http-mgmt acl Safe_ports port 488    # gss-http acl Safe_ports port 591    # filemaker acl Safe_ports port 777    # multiling http acl CONNECT method CONNECT

http_access allow manager localhost http_access deny manager

# Deny requests to certain unsafe ports http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on «localhost» is a local user #http_access deny to_localhost

# Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost

# And finally deny all other access to this proxy acl group1 src 10.0.0.98 10.0.0.26 acl bad_sites src http://www.odnoklassniki.ru acl bad_sites src http://www.vkontakte.ru http_access allow group1 http_access allow !bad_sites all http_access deny all

# Squid normally listens to port 3128 http_port 3128

# We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /usr/local/squid/var/cache 100 16 256

# Leave coredumps in the first cache dir coredump_dir /usr/local/squid/var/cache

# Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp:    1440   20%   10080 refresh_pattern ^gopher:   1440   0%   1440 refresh_pattern -i (/cgi-bin/|\?) 0   0%   0 refresh_pattern .    0   20%   4320

dns_nameservers 194.84.23.125

...

/usr/local/squid/var/logs

10.0.0.8 NONE/400 3441 GET / - NONE/- text/html 10.0.0.8 NONE/400 3469 GET / Artwork/SN.png - NONE/- text/html (логи однотипные)

помогите. где капать.