RE: [squid-users] squid + iptables

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 6 Apr 2005 13:22:09 -0800

> -----Original Message-----
> From: Kevin Thackray [mailto:kthackray@ctparadigm.be]
> Sent: Wednesday, April 06, 2005 5:53 AM
> To: squid-users@squid-cache.org
> Subject: RE: [squid-users] squid + iptables
>
>
> hi all,
>
>> You are not having route entry to use DNS server to
>> resolve the domain names in client machine. Try as,
>>
>> route add -net 192.168.0.0 netmask 255.255.0.0 dev
>> eth0
>
> I tried that on the client PC (in isolan) and it didn't change anything.
>
>> ping <dns server>
>> ping www.google.com
>
> Anyway, as I don't do any NAT, I wouldn't expect to be able to ping it!
>
> *******************
> route (on pc in isolan) :
>
> $route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     *               255.255.0.0     U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         192.168.2.1     0.0.0.0         UG    1      0        0 eth0
>
> *****************
>
> If I do a ping in isolan to dns server (192.168.0.1) :
> $ping 192.168.0.1
> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> From 192.168.2.4 icmp_seq=2 Destination Host Unreachable

SNIP
 
>
> And the tcpdump (while pinging)
> 14:32:06.547367 arp who-has 192.168.0.1 tell 192.168.2.4
> 14:32:07.547210 arp who-has 192.168.0.1 tell 192.168.2.4

SNIP

> And I don't get any reply!?
> I am a bit lost: do all DNS requests have to go through squid, or do the
> computers in my isolan have to reach the DNS server directly??
>
> |DNS SERVER|
> |
> |
> IsoLan -----(eth1)| Proxy Box |(eth0)-------Lan------| Firewall |-------INTERNET
>
> Many thanks,
>
> Kevin.

Well, it's my understanding that you are attempting transparent proxying.
If this is the case, then the client machines have to be able to resolve DNS
(they need to know where to send the HTTP GET request to), because they are
"unaware" that those requests are going to be intercepted and proxied.

If the clients are set up to explicitly use a proxy, then they just tell the
proxy server "Hey, get this object for me", and let the proxy work out the
details (e.g. resolving DNS).

Chris
Received on Wed Apr 06 2005 - 15:22:20 MDT
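The difference Chris describes, shown as an added example that is not part of the thread or of squid itself: in explicit-proxy mode the client only needs the proxy's address and sends an absolute-URI request line, while in intercepted (transparent) mode the client has to resolve the destination itself before it can even open the TCP connection that iptables later redirects to squid. The proxy address 192.168.2.1:3128, the resolver tables and the answer address for www.google.com are all constructed assumptions for the example; nothing in the thread states them.

```python
"""Added example, not from the thread: what a client must be able to do in
explicit-proxy mode versus intercepted ("transparent") mode.

Assumptions (not stated in the thread): the proxy listens on 192.168.2.1:3128,
and the two dictionaries below stand in for what a client can resolve from the
isolated LAN (nothing, because 192.168.0.1 is unreachable) and from the LAN.
"""
from urllib.parse import urlsplit

# Constructed DNS views. The answer address is made up for the example.
ISOLAN_DNS_VIEW = {}
LAN_DNS_VIEW = {"www.google.com": "64.233.167.99"}


class ResolutionError(Exception):
    """The client could not resolve the destination hostname."""


def resolve(hostname, dns_view):
    """Look a name up in a constructed DNS view; stands in for getaddrinfo()
    failing when the resolver is unreachable."""
    try:
        return dns_view[hostname]
    except KeyError:
        raise ResolutionError(f"cannot resolve {hostname}: DNS server unreachable")


def _path_of(parts):
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return path


def explicit_proxy_request(url, proxy=("192.168.2.1", 3128)):
    """Explicit proxy: the client connects to the proxy and sends the full URL
    in the request line. No DNS lookup happens on the client; the proxy
    resolves the origin host."""
    parts = urlsplit(url)
    request = (f"GET {parts.scheme}://{parts.netloc}{_path_of(parts)} HTTP/1.1\r\n"
               f"Host: {parts.netloc}\r\n"
               "Connection: close\r\n\r\n")
    return {"connect_to": proxy, "request": request.encode()}


def intercepted_request(url, dns_view):
    """Interception: the client thinks it is talking to the origin server, so
    it must resolve the name itself and connect to that IP; an iptables
    REDIRECT on the proxy box then diverts the TCP connection to squid.
    If resolution fails, no connection is ever opened."""
    parts = urlsplit(url)
    ip = resolve(parts.hostname, dns_view)
    request = (f"GET {_path_of(parts)} HTTP/1.1\r\n"
               f"Host: {parts.netloc}\r\n"
               "Connection: close\r\n\r\n")
    return {"connect_to": (ip, parts.port or 80), "request": request.encode()}


def client_can_send(url, dns_view):
    """True if an intercepted client could at least open the connection."""
    try:
        intercepted_request(url, dns_view)
        return True
    except ResolutionError:
        return False


def proxy_view_of_intercepted(request_bytes, original_dst):
    """What the proxy reconstructs for an intercepted connection: the origin
    URL comes from the Host header, falling back to the original destination
    address when the header is absent."""
    head = request_bytes.decode().split("\r\n")
    _method, path, _version = head[0].split(" ")
    headers = {}
    for line in head[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host") or f"{original_dst[0]}:{original_dst[1]}"
    return f"http://{host}{path}"


if __name__ == "__main__":
    url = "http://www.google.com/"
    print("explicit:", explicit_proxy_request(url)["connect_to"])
    print("intercepted from LAN:", intercepted_request(url, LAN_DNS_VIEW)["connect_to"])
    print("intercepted from isolan can send:", client_can_send(url, ISOLAN_DNS_VIEW))
```

On the isolated LAN in the thread, `client_can_send` is False: the client's own resolver fails before any packet reaches the proxy, which is why squid never sees the request. Pointing the isolan clients at 192.168.2.1:3128 explicitly sidesteps that, because only the proxy box then needs to reach 192.168.0.1.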

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT