Re: [squid-users] Transparent Squid dont work. Wrong iptables rules?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 5 Mar 2005 03:23:47 +0100 (CET)

On Thu, 3 Mar 2005, Axel Böhme wrote:

> We've tried the following iptables rules on the firewall:
>
> iptables -t nat -A PREROUTING -i "Interface for local net" -s !
> "squid-machine" -p tcp --dport 80 -j DNAT --to "squid-machine:3128"
>
> iptables -t nat -A POSTROUTING -o "Interface for local net" -s "172.21.0.0/16"
> -d "squid-machine" -j SNAT --to "localhost"
>
> iptables -A FORWARD -s "172.21.0.0/16" -d "squid-machine" -i "Interface for
> local net" -o "Interface for local net" -p tcp --dport 3128 -j ACCEPT
>
> That doesn't work. What is wrong?

First the basic test: Does it work if the users configure their browsers
to use the proxy?

Another thing, try disabling the sending of ICMP redirects. From the above
configuration it appears that you are bouncing the traffic back to the
same network interface it came from on the gateway and this normally
triggers an ICMP REDIRECT to be sent.

What does tcpdump on the Squid server indicate?

Please note that NAT:ing connections like this is incompatible with old
HTTP/1.0 clients not sending Host headers in their requests. On such
requests the original destination will be unrecoverably overwritten by the
NAT and Squid has no means of recovering the original destination. Because
of this you should set httpd_accel_host to something meaningful rather than
virtual when NAT:ing traffic like this to a Squid on a separate machine.
The "httpd_accel_host virtual" trick only works when Squid is running on
the gateway itself.

Regards
Henrik
Received on Fri Mar 04 2005 - 19:23:49 MST
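As an added illustration (not part of the original thread, and not Squid's own documentation), the following shell function prints a rule set with the same structure as the one quoted above, with the two points raised in the reply folded in: ICMP redirects are switched off on the LAN interface via sysctl, and the SNAT target is the gateway's own LAN address rather than localhost, which is the common way to make Squid's replies route back through the gateway. The interface name, network, Squid address, gateway address and port are placeholder arguments supplied by the caller; nothing is applied, the commands are only printed for review.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Prints (does not apply) iptables/sysctl commands for redirecting LAN
# port-80 traffic to a Squid box that sits on the same LAN as the clients.
# Arguments (all placeholders chosen by the caller):
#   $1 LAN interface   $2 LAN network   $3 Squid IP
#   $4 gateway's own LAN IP   $5 Squid port (default 3128)
transparent_proxy_rules() {
    lan_if="$1"; lan_net="$2"; squid_ip="$3"; gw_lan_ip="$4"; squid_port="${5:-3128}"

    # 1. Stop the gateway answering with ICMP redirects when it bounces a
    #    connection back out of the interface it arrived on.
    echo "sysctl -w net.ipv4.conf.${lan_if}.send_redirects=0"
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"

    # 2. Redirect clients' port-80 traffic to Squid, excluding Squid's own
    #    outbound requests so they are not redirected back to itself.
    echo "iptables -t nat -A PREROUTING -i ${lan_if} ! -s ${squid_ip} -p tcp --dport 80 -j DNAT --to-destination ${squid_ip}:${squid_port}"

    # 3. Source-NAT the redirected connections to the gateway's LAN address
    #    (assumption: not localhost) so Squid's replies come back via the gateway.
    echo "iptables -t nat -A POSTROUTING -o ${lan_if} -s ${lan_net} -d ${squid_ip} -p tcp --dport ${squid_port} -j SNAT --to-source ${gw_lan_ip}"

    # 4. Allow the forwarded, rewritten connections through the filter table.
    echo "iptables -A FORWARD -i ${lan_if} -o ${lan_if} -s ${lan_net} -d ${squid_ip} -p tcp --dport ${squid_port} -j ACCEPT"
}

# Number of iptables rules the function emits; handy as a sanity check.
rule_count() {
    transparent_proxy_rules "$@" | grep -c '^iptables '
}

# Constructed placeholder values for a dry run:
transparent_proxy_rules eth1 172.21.0.0/16 172.21.0.10 172.21.0.1 3128
```

Review the printed commands, then run them on the gateway as root. Verifying with tcpdump on the Squid host that redirected SYNs arrive with the gateway's LAN address as source is the quick check that the SNAT leg is in place.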
