Re: Redirecting from Cisco

From: Brian <signal@dont-contact.us>
Date: Sat, 7 Feb 1998 19:48:56 -0600 (CST)

On Sun, 8 Feb 1998, Lincoln Dale wrote:

> >Still trying to get my Cisco to do transparent proxying. If you search
> >the squid archives, there are a lot of people that have this working with
> >IOS 11 and above.
>
> Brian,
>
> 1. remove the second route-map from your configuration,
>
> 2. make sure that you have configured your kernel correctly for
> transparent proxying. that is, your kernel needs to be able to
> impersonate other hosts when it receives traffic on port 80.
>

Lincoln,

Ok, so I deleted the "route-map proxy-redir permit 20" line.

I did *not* have my squid box (Linux) compiled with IP masq options,
forwarding or anything like that. From what I read, I guess I need to do
this. I am compiling now with:

CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y

I think this is all I need on the Linux kernel side.

I will then add the ipfwadm line at startup.

You see in the squid faq, I thought you could either:

1. redirect using a linux,bsd,solaris box or
2. redirect using a cisco

I did not realize that if you decide to redirect using a Cisco, you
*still* have to do some masqing and stuff on the Linux side. I thought I
could take a normally functioning squid (which needs no masqing; you just
have their browser point to it), do the redirecting on the Cisco, and the
squid would answer. Such is not the case. Thanks for this info.

Brian

> i'm not sure that you've done #2, since you haven't posted the
> masq configuration.
>
> in terms of linux, you'd want something like:
> ipfwadm -I -a accept -r -P tcp -S 208.276.76.0/24 -D any/0 www
> (i.e. masq any TCP traffic from 208.276.76.0/24 destined for anywhere
> port 80 to port 80 on the local host).
>
> cheers,
>
> lincoln.
>

/-------------------------- signal@shreve.net -----------------------------\
| Brian Feeny | USR TC Hubs | ShreveNet Inc. (318)222-2638 |
| Network Administrator | Perl, Linux | Web hosting, online stores, |
| ShreveNet Inc. | USR Pilot | Dial-Up 14.4-56k, ISDN & LANs |
| 89 CRX DX w/MPFI, lots of |-=*:Quake:*=-| http://www.shreve.net/ |
| mods/Homepage coming soon |LordSignal/SN| Quake server: 208.206.76.47 |
\-------------------------- 318-222-2638 x109 -----------------------------/
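The two halves of the setup this thread describes (a single policy route-map on the Cisco, and a local redirect rule on the Linux box that Squid runs on), written out as one added configuration example. This is not configuration from either message and not taken from Brian's router; the interface name, ACL and route-map numbers, the 192.0.2.0/24 client prefix and the 198.51.100.10 Squid address are placeholders. Two checks worth making against the quoted text: the prefix in Lincoln's ipfwadm line, 208.276.76.0/24, is not a valid IPv4 prefix (an octet cannot exceed 255), so substitute the real client subnet; and his `-r` with no port redirects to port 80 on the local host, which only works if Squid listens on 80, so the example gives the port explicitly. The squid.conf lines are the transparent-mode directives from the Squid 1.x/2.x FAQ of the period (assumed here, not mentioned in the thread); a stock squid.conf does not have them.

```text
! --- Cisco IOS (assumed 11.x) --------------------------------------------
! Match only client HTTP traffic, and exclude the Squid host itself so its own
! outbound fetches on port 80 are never policy-routed back to it (a loop).
access-list 110 deny   tcp host 198.51.100.10 any eq www
access-list 110 permit tcp 192.0.2.0 0.0.0.255 any eq www
!
! Exactly one clause, as Lincoln advised: match the ACL, hand matching
! packets to the Squid box as next hop, let everything else route normally.
route-map proxy-redir permit 10
 match ip address 110
 set ip next-hop 198.51.100.10
!
! Apply only on the client-facing interface, not on the one Squid lives behind.
interface Ethernet0
 description client LAN
 ip policy route-map proxy-redir

# --- Linux (assumed 2.0.x kernel built with CONFIG_IP_FIREWALL and
# --- CONFIG_IP_MASQUERADE, i.e. the options listed in the post) -----------
# Input-chain rule: accept TCP to port 80 arriving from the client subnet,
# whatever the destination address, and redirect it to local port 3128 where
# Squid listens. Scoping -S to the client prefix matters: without it the box
# answers port-80 traffic for *any* source that can reach it.
ipfwadm -I -a accept -P tcp -S 192.0.2.0/24 -D 0/0 80 -r 3128

# --- squid.conf (Squid 1.1 / 2.x transparent-mode directives, per the FAQ) --
http_port 3128
httpd_accel virtual 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```

The last directive is the one to be careful with: in virtual mode Squid takes the origin server from the client's Host: header without checking it, so anyone whose port-80 traffic reaches the redirect rule can make the cache fetch (and cache) content from any host they name. That is why both the IOS ACL and the ipfwadm -S match are restricted to the client subnet rather than any/0.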
Received on Sat Feb 07 1998 - 17:53:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:38:48 MST