A question about Squid transparent proxy

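I set up a transparent proxy with Squid 3.5. Squid 3.5 does not use transparent to configure a transparent proxy. In the Windows hosts file I point the domain I want to visit at my own IP, so the HTTP request is forwarded to my VPS (113.10.222.53), and then iptables redirects the port 80 traffic to 3129. The proxy is set up as follows: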

  1. On CentOS 6.4: configure, make, make install. I added the --enable-linux-netfilter parameter to configure.

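  2. Here is my configuration file: (3128 is the transparent proxy port, 3129 is the transparent proxy port; in the ACLs I allow requests to the proxy from all IPs).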

     # Example rule allowing access from your local networks.
     # Adapt to list your (internal) IP networks from where browsing
     # should be allowed
     acl all src 0.0.0.0/0   
     acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
     acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
     acl localnet src fc00::/7       # RFC 4193 local private network range
     acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
     acl SSL_ports port 443
     acl Safe_ports port 80      # http
     acl Safe_ports port 21      # ftp
     acl Safe_ports port 443     # https
     acl Safe_ports port 70      # gopher
     acl Safe_ports port 210     # wais
     acl Safe_ports port 1025-65535  # unregistered ports
     acl Safe_ports port 280     # http-mgmt
     acl Safe_ports port 488     # gss-http
     acl Safe_ports port 591     # filemaker
     acl Safe_ports port 777     # multiling http
     acl CONNECT method CONNECT
    
     # Recommended minimum Access Permission configuration:
     # Deny requests to certain unsafe ports
     http_access deny !Safe_ports
    
     # Deny CONNECT to other than secure SSL ports
     http_access deny CONNECT !SSL_ports
    
     # Only allow cachemgr access from localhost
     http_access allow localhost manager
     http_access deny manager
    
     # We strongly recommend the following be uncommented to protect innocent
     # web applications running on the proxy server who think the only
     # one who can access services on "localhost" is a local user
     #http_access deny to_localhost
    
     # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
     # And finally deny all other access to this proxy
     http_access allow all
    
     # Squid normally listens to port 3128
     http_port 3128
     http_port 3129 intercept
    
     # Uncomment and adjust the following to add a disk cache directory.
     cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
     cache_effective_user squid
     # Leave coredumps in the first cache dir
     coredump_dir /usr/local/squid/var/cache/squid
    
     visible_hostname www.lecloud.com
     # Add any of your own refresh_pattern entries above these.
     refresh_pattern ^ftp:       1440    20% 10080
     refresh_pattern ^gopher:    1440    0%  1440
     refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
     refresh_pattern .       0   20% 4320
    
  3. Then I added an iptables rule redirecting port 80 to port 3129: (I have only one network card (eth0))

     iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 80 -j REDIRECT --to-port 3129
    
  4. Then I edited the Windows hosts file to change the IP that the domain resolves to:

     113.10.222.53 www.ferryhalim.com
    
  5. Finally, the result of visiting this domain with Firefox: (error)

尝试检索 URL 时遇到以下错误:http://www.er666.com 连接到 113.10.222.53 失败系统返回:(111)连接被拒绝远程主机或网络可能已关闭。请重试请求

  6. However, when I enter the VPS IP and port 3128 in the browser to use it as a non-transparent proxy, it works.
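
Squid evaluates the `http_access` list in the configuration above from top to bottom and the first matching rule decides, so `http_access allow all` admits any client that can reach the VPS. The following is an added example, not part of the original post, that models that evaluation for the `src`, `port` and `method` ACL types only. The client addresses and the `RESTRICTED` variant, which ends the list the way the comments in the posted file describe, are assumptions.

```python
import ipaddress

# Constructed excerpt: access-control lines taken from the squid.conf in the post.
POSTED = """
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all
"""
# Assumed alternative ending (not from the post): allow localnet, then deny everyone else.
RESTRICTED = POSTED.replace("http_access allow all",
                            "http_access allow localnet\nhttp_access deny all")
# Built-in ACLs the file uses without defining; "manager" never matches in this model.
BUILTIN = {"localhost": [("src", "127.0.0.1/32")], "manager": [("never", "")]}

def parse(conf):
    acls, rules = {k: list(v) for k, v in BUILTIN.items()}, []
    for tok in (line.split("#")[0].split() for line in conf.splitlines()):
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], []).extend((tok[2], v) for v in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(entries, req):
    for kind, value in entries:  # values under one ACL name are OR-ed
        lo, _, hi = value.partition("-")
        if ((kind == "src" and ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value))
                or (kind == "port" and int(lo) <= req["port"] <= int(hi or lo))
                or (kind == "method" and value == req["method"])):
            return True
    return False

def decide(conf, req):
    acls, rules = parse(conf)
    for action, names in rules:  # ACLs on one rule are AND-ed; "!" negates
        if all(acl_matches(acls.get(n.lstrip("!"), []), req) != n.startswith("!") for n in names):
            return action, " ".join(names)
    return "deny", "(no rule matched)"  # simplification; unreachable when the list ends in "all"

if __name__ == "__main__":
    outside = {"src": "203.0.113.7", "port": 80, "method": "GET"}  # constructed Internet client
    print("posted:    ", decide(POSTED, outside))
    print("restricted:", decide(RESTRICTED, outside))
```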
