Re: Squid/Cisco trans proxy

From: Marc Lucke <hohum@dont-contact.us>
Date: Wed, 26 Jan 2000 13:15:08 +1100

YES!

Thank you Henrik.

I intended to do accounting. But I wasn't. I was accepting the packets in
the accin ipchains rule! I am a nong. Let it be hence known :-)

Thanks everyone...

Cheers,
Marc

> From: Marc Lucke <hohum@sydney.cc>
> Date: Wed, 26 Jan 2000 13:01:24 +1100
> To: Henrik Nordstrom <hno@hem.passagen.se>
> Cc: "squid-users@ircache.net" <squid-users@ircache.net>
> Subject: Re: Squid/Cisco trans proxy
> Resent-From: squid-users@ircache.net
> Resent-Date: Tue, 25 Jan 2000 17:53:19 -0800 (PST)
>
> Here is my ipchains input list - can you see anything wrong?
>
> Chain input (policy ACCEPT):
> target prot opt source destination ports
> accin all ------ <our network>/25 anywhere n/a
> ACCEPT tcp ------ anywhere <our network>/24 any -> any
> ACCEPT tcp ------ anywhere <another network>/24 any -> any
> REDIRECT tcp ------ anywhere anywhere any -> www => webcache
>
> To me this should work fine.
>
> Also, do you have any theories why it works for all single computers & it
> fails for routers? Is it that the routers listen to the redirects?
>
> At this point any theory you have now or later is very appreciated.
>
> Marc
>
>> From: Henrik Nordstrom <hno@hem.passagen.se>
>> Date: Wed, 26 Jan 2000 01:27:33 +0100
>> To: hohum@sydney.cc
>> Cc: "info@talent.com.au" <info@talent.com.au>, "squid-users@ircache.net"
>> <squid-users@ircache.net>
>> Subject: Re: Squid/Cisco trans proxy
>>
>> hohum@sydney.cc wrote:
>>>
>>> Thanks Henrik,
>>>
>>> Did you see my later message? I have completed a tcpdump & found out
>>> that what is happening is that the router is sending an ICMP redirect
>>> to the client to go to our proxy & the proxy is sending an ICMP
>>> redirect to the client to go to our router - it gets caught in a loop
>>> & goes nowhere.
>>
>> Sounds like your redirection rule on the Linux box is the error. It
>> should only generate a ICMP redirect if it forwards the packet, and the
>> packet should only be forwarded if it is not redirected to the local TCP
>> port.
>>
>> Hmm.. have you enabled always defragment? It is a requirement when doing
>> TCP redirection.. (I think this may actually be enforced by the
>> makefiles or kernel, but I am not sure).
>>
>> /Henrik
>
Received on Tue Jan 25 2000 - 19:15:56 MST
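Added illustration, not part of the thread: a small model of ipchains first-match chain traversal that reproduces the mistake Marc describes, an ACCEPT inside the accounting chain "accin" terminating the packet before the REDIRECT rule in "input" is ever reached. The chain layout mirrors the listing quoted above; the addresses and the simplified semantics (no explicit RETURN handling) are assumptions of this example.

```python
import ipaddress

# A rule: target None means "count only", i.e. an accounting rule that does
# not terminate traversal. Protocol "all" matches any protocol.
def rule(target, proto="all", src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
    return {"target": target, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport}

def matches(r, pkt):
    return (r["proto"] in ("all", pkt["proto"])
            and pkt["src"] in r["src"] and pkt["dst"] in r["dst"]
            and (r["dport"] is None or r["dport"] == pkt["dport"]))

def walk(chains, name, pkt):
    """First match wins. A target naming a user-defined chain jumps into it;
    if that chain ends without a terminating verdict, traversal resumes at
    the next rule of the calling chain (ipchains semantics, simplified)."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t is None:          # accounting-only rule: counted, keep going
            continue
        if t in chains:        # jump into user-defined chain
            verdict = walk(chains, t, pkt)
            if verdict is not None:
                return verdict
            continue
        return t               # ACCEPT / REDIRECT / DENY ...
    return None                # fell off the end: chain policy applies

LAN = "192.0.2.0/25"          # constructed stand-in for <our network>/25

def build(accounting_accepts):
    # The bug: "accin" holds an ACCEPT rule instead of a target-less
    # counting rule, so LAN packets never reach the REDIRECT below.
    accin = [rule("ACCEPT" if accounting_accepts else None, src=LAN)]
    inp = [rule("accin", src=LAN),
           rule("ACCEPT", "tcp", dst="192.0.2.0/24"),
           rule("REDIRECT", "tcp", dport=80)]
    return {"input": inp, "accin": accin}

def verdict(accounting_accepts):
    # Constructed packet: LAN client to an outside web server, port 80.
    pkt = {"proto": "tcp", "src": ipaddress.ip_address("192.0.2.10"),
           "dst": ipaddress.ip_address("198.51.100.7"), "dport": 80}
    return walk(build(accounting_accepts), "input", pkt) or "policy ACCEPT"
```

With the ACCEPT in "accin" the client's port-80 packet is accepted and forwarded (and never redirected to the cache); with a count-only rule it falls back into "input" and hits REDIRECT.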

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:50:42 MST