[squid-users] Reply: Re: [squid-users] squid transparent proxy loop problem

From: <Thomas.Elsaesser@dont-contact.us>
Date: Tue, 21 Sep 2004 16:36:14 +0200

hello,

What did you mean??
Do you mean I need more rules????
The proxy has one active interface.

With kind regards
Kind Regards

Thomas Elsaesser
_________________________________

Henkel KGaA
HI / CNS CC-Security
Phone: +49-211-797-6712
Fax: +49-211-798-
E-Mail: thomas.elsaesser@henkel.com
Internet: http://www.Henkel.com

From: Denis Vlasenko <vda@port.imtp.ilyichevsk.odessa.ua>
Date: 20.09.2004 16:36
To: Thomas.Elsaesser@henkel.com, squid-users@squid-cache.org
CC:
Subject: Re: [squid-users] squid transparent proxy loop problem

On Monday 20 September 2004 17:00, Thomas.Elsaesser@henkel.com wrote:
> Transparent proxy
>
>
> 172.17.248.48 - - [20/Sep/2004:14:51:32 +0200] "GET http://www.google.de:8080/ HTTP/1.1" 504 2415 TCP_MISS:NONE
>
> I have this log entry in my transp. proxy.
>
> I believe it's a loop.

Why do you believe it's a loop?
Please show tcpdumps. A loop will be visible on loopback
(tcpdump -nlilo).

> How can I change this??? Does anyone have a solution for me?
> squid listen on port 8080
> _________________________________
>
> iptables v1.2.11
>
> #iptables -t nat -nL
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- 0.0.0.0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Put your squid on port 12345, REDIRECT to 12345 instead of 8080.
However I doubt it's a loop, I think REDIRECT never applies to
locally generated packets.

I keep this comment on top of my firewalling scripts:

### filter  This is the default table (if no -t option is passed). It contains
###         the built-in chains INPUT (for packets coming into the box itself),
###         FORWARD (for packets being routed through the box), and OUTPUT
###         (for locally-generated packets).
###
### nat     This table is consulted when a packet that creates a new connection
###         is encountered. It consists of three built-ins: PREROUTING (for
###         altering packets as soon as they come in), OUTPUT (for altering
###         locally-generated packets before routing), and POSTROUTING (for
###         altering packets as they are about to go out).
###
### mangle  It had two built-in chains: PREROUTING (for altering incoming
###         packets before routing) and OUTPUT (for altering locally-generated
###         packets before routing). Recently three other built-in chains are
###         added: INPUT (for packets coming into the box itself), FORWARD (for
###         altering packets being routed through the box), and POSTROUTING
###         (for altering packets as they are about to go out).
###
###   ...iface...                                 ...iface...
###       |                                            ^
###       v                                            |
###  -mangle,NAT-               -mangle,filter-  -mangle,NAT--
###  |PREROUTING|-->[Routing]-->|FORWARD     |-->|POSTROUTING|
###  ------------      |   ^    ---------------  -------------
###                    |   |                           ^
###                    |   +--if NATed------------+    |
###                    v                          |    |
###             -mangle,filter-                 -mangle,NAT,filter-
###             |INPUT        |   +->[Routing]->|OUTPUT           |
###             ---------------   |             -------------------
###                    |          |
###                    v          |
###             ... Local Process...

--
vda
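A defender-side triage script for the symptom in the quoted log line, added here as an example and not part of the thread: it parses Squid native access.log lines and flags requests whose URL carries the proxy's own listening port (8080 in the thread), the pattern to confirm or rule out with the tcpdump on lo that Denis asks for. The sample log lines are constructed from the entry quoted above.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log line as it appears in the thread:
#   client - - [timestamp] "METHOD URL HTTP/x.y" status bytes HIERARCHY:PEER
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<hier>\S+)'
)

def parse_line(line):
    """Return the fields of one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def url_port(url):
    """Port the request URL addresses (80 when an http URL carries none)."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 80 if parts.scheme == "http" else None

def find_self_port_requests(lines, proxy_port):
    """Entries whose URL targets the proxy's own listening port.

    A client caught by the REDIRECT rule is normally logged with its original
    port-80 URL; a URL carrying the proxy port is the loop symptom the thread
    asks about, so these entries are the ones to check against a tcpdump on lo."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and url_port(entry["url"]) == proxy_port:
            hits.append(entry)
    return hits

# Constructed sample: the thread's own entry plus two ordinary entries.
SAMPLE_LOG = [
    '172.17.248.48 - - [20/Sep/2004:14:51:32 +0200] "GET http://www.google.de:8080/ HTTP/1.1" 504 2415 TCP_MISS:NONE',
    '172.17.248.49 - - [20/Sep/2004:14:52:01 +0200] "GET http://www.google.de/ HTTP/1.1" 200 3120 TCP_MISS:DIRECT',
    '172.17.248.50 - - [20/Sep/2004:14:52:07 +0200] "GET http://example.com:8443/x HTTP/1.1" 200 900 TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for e in find_self_port_requests(SAMPLE_LOG, 8080):
        print(f'{e["client"]} {e["url"]} {e["status"]} {e["hier"]}')
```

Run it against a real access.log with the port Squid is bound to; an empty result alongside a quiet loopback capture is the evidence that the rule set is not looping.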
Received on Tue Sep 21 2004 - 08:36:21 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT