Re: [squid-users] Re: Hide squid cache server IP

From: Abu Khaled <khaled.abu@dont-contact.us>
Date: Wed, 13 Jul 2005 20:58:56 +0300

On 7/13/05, kodel <kodelz@gmail.com> wrote:
> This is what I have in my network
> and I'm only using my local network for testing this configuration
>
> Webserver : 192.168.2.10
> Squid : 192.168.2.50
> Client : 192.168.2.100
>
> rc.conf
> -------------
> #enabling ipfilter
> ipfilter_enable="YES"
> ipnat_enable="YES"
> ipmon_enable="YES"
> ipfs_enable="YES"
>
> ipfilter_rules="/etc/ipf.rules"
> ipnat_rules="/etc/ipnat.rules"
>
> gateway_enable="YES"
> --------------
>
>
> squid.conf
> ------------
> cache_dir diskd /usr/local/squid/var/cache 200 16 256 Q1=64 Q2=72
> acl our_networks src 192.168.2.0/24
> http_access allow our_networks
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> http_port 80
>
> acl client1 src 192.168.2.100/255.255.255.0
> tcp_outgoing_address 10.0.0.1 client1
> -------------
>
>
> ipnat.rules
> -------------
> bimap rl0 from 10.0.0.1/32 to 0.0.0.0/0 port = 80 -> 192.168.2.100/32
> --------------
>
>
> And when I try to open the webserver page from the client's browser,
> it just stands still.
> I checked whether the NAT is already running, and this is what I get:
> ----------------
> #ipnat -l
> List of active MAP/Redirect filters:
> bimap rl0 from 10.0.0.1/32 to any port = 80 -> 192.168.2.100/32
>
> List of active sessions:
> BIMAP 10.0.0.1 54081 <- -> 192.168.2.100 54081 [192.168.2.6 80]
> ----------------
>
>
> Could you tell me what is wrong with my configuration ?
>
> Thanks
>

The configuration that you are trying is very similar to the one I
used with one exception: The test I ran was on a FreeBSD
Router/intercepting squid cache for a small ISP with public IPs for
the Clients.

So basically the steps that you followed are the same. However, check
your ipfilter rules and see if they might be blocking traffic from
private IP addresses like 10.0.0.1; this traffic must also be allowed to pass
the ipfilter rules.
e.g.
pass out quick on rl0 tcp from 10.0.0.1/32 to any port = 80 keep state

Also I must mention that the test server running FreeBSD 5.4 was not
very stable under heavy load but this issue was solved by using
FreeBSD & PF instead of FreeBSD & IPFILTER.

PS: You might want to discuss this issue by contacting me directly.
This issue has already gone beyond the purpose of the mailing list.

>
> Abu Khaled wrote:
> > On 7/12/05, kodel <kodelz@gmail.com> wrote:
> >
> >>Hi. Abu..
> >>
> >>After trying what you said in the previous email:
> >>I'm using FreeBSD 5.3 and using ipnat.rules like you said before,
> >>And using squid-2.5STABLE8 and opening port 80 at the 'http_port' in
> >>squid.conf
> >>
> >>When I try to have my client access the internet through this proxy, I find
> >>that it doesn't work. I tried to monitor the connection with 'ipnat -l'
> >>and the NAT process already takes place, but the browser client that
> >>accesses the proxy just stays still.
> >>
> >>Is there any other way to monitor/debug the nat process in FreeBSD
> >>so I can make sure what is really happening.. ??
> >
> >
> > Can you provide the rules you used so we can have a look on them?
> >
> >
> >>Oya I almost forgot can I combine the
> >>rdr --> which use for intercepting proxy and,
> >>bimap --> for transparent proxy
> >>both in the same machine ?
> >
> >
> > I already did that (used rdr and bimap on the same machine).
> > Again, what rules do you use to accomplish this?
> >
> >
> >>What I'm trying to do is to redirect some clients to use the squid IP as
> >>the outside IP and have some clients use their own public IP
> >>(transparent mode)
> >>
> >>
> >>Thanks
> >>
> >>
> >>-rd-
> >
> >
>

-- 
Regards.
Abu Khaled
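A consistency check over the three fragments in this thread, added here as an example (it is not code from either poster): it reads the squid.conf `acl`/`tcp_outgoing_address` lines, the ipnat `bimap` rule and the ipf `pass out` rules, and reports an outgoing address that no bimap or pass rule covers, plus an acl whose src has host bits set (192.168.2.100/255.255.255.0 matches the whole 192.168.2.0/24, so the tcp_outgoing_address applies to every host in it). The sample fragments are constructed from the thread, and the parser assumes the simple one-line rule forms shown above.

```python
import ipaddress
import re

# Constructed fragments modelled on the thread; not the poster's complete files.
SQUID_CONF = """\
acl our_networks src 192.168.2.0/24
acl client1 src 192.168.2.100/255.255.255.0
tcp_outgoing_address 10.0.0.1 client1
"""
IPNAT_RULES = "bimap rl0 from 10.0.0.1/32 to 0.0.0.0/0 port = 80 -> 192.168.2.100/32\n"
# Before: only the proxy's own address may leave rl0; after: 10.0.0.1 is passed too.
IPF_RULES_BEFORE = "pass out quick on rl0 tcp from 192.168.2.50/32 to any port = 80 keep state\n"
IPF_RULES_AFTER = IPF_RULES_BEFORE + "pass out quick on rl0 tcp from 10.0.0.1/32 to any port = 80 keep state\n"


def outgoing_addresses(conf):
    """Map each tcp_outgoing_address to the ACL name it is tied to."""
    return {m[1]: m[2] for m in re.finditer(r"^tcp_outgoing_address\s+(\S+)\s+(\S+)", conf, re.M)}


def src_acls(conf):
    """Map ACL name -> raw src spec for 'acl NAME src SPEC' lines."""
    return {m[1]: m[2] for m in re.finditer(r"^acl\s+(\S+)\s+src\s+(\S+)", conf, re.M)}


def rule_sources(rules, prefix):
    """Networks in the 'from' field of lines starting with PREFIX ('bimap' or 'pass out')."""
    return [ipaddress.ip_network(m[1]) for m in re.finditer(rf"^{prefix}\b.*?\bfrom\s+(\S+)", rules, re.M)]


def check(conf, ipnat, ipf):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    acls = src_acls(conf)
    bimaps = rule_sources(ipnat, "bimap")
    passes = rule_sources(ipf, "pass out")
    for addr, acl in outgoing_addresses(conf).items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in bimaps):
            findings.append(f"{addr}: no bimap in ipnat.rules")
        if not any(ip in n for n in passes):
            findings.append(f"{addr}: no 'pass out' rule in ipf.rules")
        spec = acls.get(acl)
        if spec:
            try:
                ipaddress.ip_network(spec)  # strict parse fails when host bits are set
            except ValueError:
                net = ipaddress.ip_network(spec, strict=False)
                findings.append(f"acl {acl}: {spec} has host bits set, matches all of {net}")
    return findings


if __name__ == "__main__":
    for line in check(SQUID_CONF, IPNAT_RULES, IPF_RULES_BEFORE):
        print(line)
```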
Received on Wed Jul 13 2005 - 11:59:43 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Aug 01 2005 - 12:00:02 MDT