Re: [squid-users] Transparent proxy with squid+netfilter

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 29 Jun 2001 11:57:44 +0200

Andy Zbikowski wrote:

> My thought while sitting in traffic (amazing how exhaust fumes create
> bursts of genius, or insanity...) was that if I first direct all port 80
> traffic from the squid box directly out to the rest of the world and route
> everyone else to the squid box, then things would work without a loop as
> traffic from the squid box would go out, everyone else would be directed
> to the squid box, and since the squid box won't be routed back to itself,
> it should work.

Fine.

> So let's see, from ideas into iptables...
> iptables -t nat -A PREROUTING -i eth1 -p tcp -s squid.box --dport 80 -j
> ACCEPT
> iptables -t nat -A PREROUTING -i eth1 -p tcp -s ! squid.box --dport 80 -j
> REDIRECT --to-ports 3128

Don't use NAT, use advanced routing. NAT (-j REDIRECT is a form of NAT)
will destroy important information required by the proxy.

The REDIRECT rule should only be used on the proxy box itself.

> Or maybe I have to use DNAT for the second line?

Same thing.

> Anyway, the question is, does this have any chance of working, if so, am I
> on the right track with my iptables rules?

The above should work partially, but some applications may have trouble
because of NAT destroying the destination address before the request
reaches the proxy.

--
Henrik Nordstrom
Squid Hacker
Received on Fri Jun 29 2001 - 04:14:40 MDT
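Henrik's recommendation, written out as an added example that is not from this thread: policy routing on the gateway with no NAT, and REDIRECT only on the proxy host. The address 192.0.2.10, the interface eth1, the fwmark value and the routing table number are assumed, as is Squid listening on port 3128.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed, assumed values:
#   192.0.2.10  the squid box, reached from the gateway through eth1
#   fwmark 1 / table 100  arbitrary choices for the policy route
# Commands are printed by default; run with RUN= (empty) to apply them.
RUN="${RUN-echo}"
SQUID_BOX="192.0.2.10"
LAN_IF="eth1"
MARK=1
TABLE=100

# Gateway side: no NAT at all. Port-80 traffic that did not originate from
# the squid box is marked, and marked packets are routed (not rewritten)
# to the squid box. Excluding the squid box's own packets is what prevents
# the loop; because the destination address is untouched, the proxy still
# sees where the client was really going.
gateway_rules() {
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        ! -s "$SQUID_BOX" -j MARK --set-mark "$MARK"
    $RUN ip rule add fwmark "$MARK" table "$TABLE"
    $RUN ip route add default via "$SQUID_BOX" dev "$LAN_IF" table "$TABLE"
}

# Proxy side: the only place REDIRECT belongs. The packet has already been
# routed to this host, so redirecting it to the local Squid port is enough.
# Assumes Squid listens on 3128 and is configured for transparent mode.
squid_box_rules() {
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports 3128
}

case "${1:-}" in
    gateway) gateway_rules ;;
    squid)   squid_box_rules ;;
esac
```

Run `sh transparent.sh gateway` on the router and `sh transparent.sh squid` on the proxy host; with RUN left at its default the script only prints the rules it would apply.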
