RE: [squid-users] Firewall problems

From: De Leeuw Guy <G.De_Leeuw@dont-contact.us>
Date: Thu, 22 Aug 2002 14:56:53 +0200

> On Thursday 22 August 2002 14:08, De Leeuw Guy wrote:
> > Hello all,
> >
> > Work now :))
> >
> > > Firewall :
> > > internet -------eth1 eth0---- Private network
> > >
> > > eth0 : hostname WorldGate.eurofer.be IP 192.168.3.190
> > > eth1 : hostname gwWorld.eurofer.be IP 10.10.10.2
> > > Public IP 194.78.206.16
> > >
> > > iptables :
> > > ==========
> > > iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 194.78.206.16
> > > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport http -j REDIRECT --to-port 3128
> >
> > The problem comes from the POSTROUTING; I added this command:
> > iptables -t nat -A POSTROUTING -s gwWorld -j SNAT --to-source 194.78.206.16
> > In the old configuration the network class was the same for the public and
> > the private network; now it is not!
>
> I think it is not the network class that's the problem.
>
> Squid is the one creating the request (not the browser), so the source
> address will be 10.10.10.2 or gwWorld; so that is the address you need to
> SNAT, and that is why it is working now.
>
> (Curious:) is 194.78.206.16 an alias on eth1? If so, why don't you configure
> port eth1 (and squid) with IP=194.78.206.16 so you can avoid the SNAT rule?
>
> I mean: why use 10.10.10.2?
>
> Z.

So, in the past I had a provider that gave me a class C and I subnetted my
network.
The router between the internet and my firewall, and the firewall and the private
network (about 20 interfaces), received the same class C and, of course, I did not
have the iptables POSTROUTING rules.
My new provider gives me only one IP address; in this case I need to
introduce the POSTROUTING rules.
The address 10.10.10.x comes with the provider's configuration of the router.
Because of the abandonment of my class C, I reconfigured the network with the
private class 192.168.0.0;
all internal clients use this range of addresses.
Remember my first message: squid runs on the firewall.
Squid receives the internal requests from the range 192.168.X.X on the eth0
interface
and calls a parent proxy from the eth1 interface.
That is the reason for adding the second rule to the iptables POSTROUTING (only
this service
runs on the firewall).

Sorry for my English, I'm a French speaker.

I hope that this message responds to your questions.

Guy
Received on Thu Aug 22 2002 - 06:57:25 MDT
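The layout discussed in this thread (squid running on the firewall, LAN clients transparently redirected into it, a single public address from the provider), written out as one script. This is an added example, not code from the original thread or from the Squid project. Interface names and addresses are the ones quoted above; the parent proxy address is not in the thread and is not needed by the NAT rules. Instead of two SNAT rules (one for `-s 192.168.0.0/16` and one for `-s gwWorld`), it uses a single rule keyed on the outgoing interface, which covers both forwarded LAN packets and squid's own connections to the parent proxy, for the reason Z. gave: squid is a local process, so its packets leave with the eth1 address and never match a source-based rule written for the LAN. The `-s` restriction on the REDIRECT rule is an addition of this example. Setting `IPTABLES=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: nat table set-up for the squid-on-the-firewall layout in this
# thread.  Addresses and interface names are the ones quoted in the thread;
# everything else (variable names, the dry-run switch) is an assumption made
# for this example.
#
#   internet -- eth1 (10.10.10.2, public 194.78.206.16) | eth0 (192.168.3.190) -- 192.168.0.0/16
#
# Run as root with APPLY_RULES=yes to install the rules.  With IPTABLES=echo the
# script only prints the iptables commands it would run (dry run).

IPTABLES="${IPTABLES:-iptables}"

LAN_IF=eth0               # private side, WorldGate, 192.168.3.190
WAN_IF=eth1               # provider side, gwWorld, 10.10.10.2
LAN_NET=192.168.0.0/16    # internal clients
PUBLIC_IP=194.78.206.16   # the one address the new provider gives us
SQUID_PORT=3128

apply_rules() {
    # Start from an empty nat table so re-running the script is safe.
    $IPTABLES -t nat -F

    # 1. Transparent proxying.  Only packets *arriving* on eth0 from the LAN
    #    range are matched.  Locally generated packets (squid's own outgoing
    #    connections) never pass PREROUTING, so they cannot be redirected
    #    back into squid and loop.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # 2. Source NAT for everything that leaves through eth1.
    #    A rule matching "-s 192.168.0.0/16" only sees *forwarded* packets.
    #    Squid is a local process on the firewall: its connections to the
    #    parent proxy leave with source 10.10.10.2 (the eth1 address), travel
    #    OUTPUT -> POSTROUTING, and would not be rewritten by that rule.
    #    Matching on the outgoing interface covers both cases with one rule,
    #    which is what the extra "-s gwWorld" rule in the thread does by hand.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Returns 0 when the SNAT rule that also covers the firewall's own traffic is
# present.  "-C" is the rule-existence check (iptables 1.4.11 or newer).
check_snat_rule() {
    $IPTABLES -t nat -C POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

if [ "${APPLY_RULES:-no}" = yes ]; then
    apply_rules
    check_snat_rule
fi
```

A quick way to see the difference between the two SNAT styles on a live box is `iptables -t nat -L POSTROUTING -v -n`: with only the `-s 192.168.0.0/16` rule the packet counter stays flat while squid talks to its parent, because those packets carry source 10.10.10.2; with the `-o eth1` rule it counts both the forwarded LAN traffic and squid's own.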

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:48 MST