Re: [squid-users] iptables and squid reverse proxy accelerator config

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 18 Aug 2006 16:35:12 -0800

nick humphrey wrote:
> hi y'all, i'd just like to preface this by saying that i have been
> looking in the archive and on the internet for 4 days straight and
> haven't found a clear answer to my problem =)
That could be due to the fact that your setup is a touch convoluted... :o)
>
> i have a linux (rh7) machine (webMachine, ip: 192.168.0.5) running a
> web server on port 7090.
RedHat 7? Well, I guess if it ain't broke...
> i have another linux (debian) machine on the same network
> (firewallMachine, two interfaces ip: 10.0.0.40 [out to inet], ip:
> 192.168.0.2 [connected to internal network]).
>
> on firewallMachine i have also installed squid, to reverse proxy for
> webMachine, i.e. hide all external ip addresses from webMachine, so it
> thinks only 1 ip address is communicating with it.
>
> squid is configured to listen to port 7090 and then redirect
> everything to webMachine on port 7090 (trying to keep it simple at
> first).
Hahahahaha! Ahem... Sorry.
> the only lines i've changed in the default squid.conf configuration are:
> http_port 7090
> httpd_accel_host 192.168.0.5
> httpd_accel_port 7090
> httpd_accel_single_host on
> httpd_accel_uses_host_header on
>
> (i can't see anything else in that config file that would need to be
> enabled/disabled, am i right?)
Those look fine to me.
>
> here's my firewall.sh:
>
SNIP

Yikes... Just... Yikes. I'd love to see the flow chart that maps the
rule set you posted.
>
> i can't seem to reach webMachine from the internet (everything is set
> up correctly on my adsl router [sits between firewallMachine and
> internet], that much i do know).
>

Why are you using NAT to route the packets to the "inside" interface on
the firewallMachine (I think that line might be wrong anyway*)? That
seems a bit Rube-Goldberg-machine to me (Internet->NAT->NAT->Squid->web
server).

You've got Squid listening to port 7090 (no IP assignment), and
forwarding requests to the web server (in theory). Just let it handle
the traffic from 10.0.0.40 (which is already NATed once). Unless I'm
mistaken (and that happens with more frequency than I am happy with)
you'd just have to remove the NAT rule, and add an accept for port 7090
on the external interface (in with the IMAP and SMTP rules). I don't
see any restrictions on what the firewallMachine is allowed to send to
the internal network. Then again that's a hell of a rat's nest, and
following what is going on is starting to give me a headache...

Alternatively, check your firewall logs. Unless you are seeing a Squid
error on the computer that is accessing the web site from the Internet,
I don't think this is a Squid problem.

> Thanks for any help and a quick response =)
> Nick

Chris

* The NAT line...
> $IPT -t nat -A PREROUTING -p tcp --dport 7090 -j DNAT --to 192.168.0.2
...doesn't specify a "destination" IP address to match or an input
interface, so ANY traffic destined for port 7090 on any interface is
NATed (which might lead to a loop). If I'm not mistaken (the previous
warning still applies), the line should read...

> $IPT -t nat -A PREROUTING -p tcp -d 10.0.0.4 --dport 7090 -j DNAT --to
> 192.168.0.2
...but considering the traffic is already NATed, perhaps that should be
the external IP...
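The point in the footnote above (a PREROUTING DNAT rule with no `-d` and no `-i` rewrites port-7090 traffic arriving on every interface, internal side included) is easy to check for mechanically. The script below is an added example and is not from this thread or from the Squid or iptables projects. It parses `iptables-save -t nat` output, flags any PREROUTING DNAT rule that is not pinned to an input interface and a destination address, and builds the scoped form of the rule for comparison. The sample table is constructed, modelled on the rule quoted in the thread; the interface name `eth0` and the address `10.0.0.40` are assumptions (the thread gives the address but not the interface name).

```python
"""Audit `iptables-save -t nat` output for DNAT rules that are not pinned to
an input interface (-i) and a destination address (-d).
Added example; not code from the squid-users thread."""
import shlex
import subprocess
import sys

# Constructed sample modelled on the rule quoted in the thread.  The second
# rule shows the scoped form for comparison.  Not captured from a real host;
# the interface name eth0 is an assumption.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 7090 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -i eth0 -d 10.0.0.40/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.0.5:143
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {option: value}.  Options without
    an argument get the value True; a leading '!' (negation) is skipped."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is None or nxt.startswith("-") or nxt == "!":
            rule[tok] = True
            i += 1
        else:
            rule[tok] = nxt
            i += 2
    return rule


def audit_dnat_rules(save_output):
    """Return findings for PREROUTING DNAT rules that lack -d or -i."""
    findings = []
    for line in save_output.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        rule = parse_rule(line)
        if rule.get("-j") != "DNAT":
            continue
        problems = []
        if "-d" not in rule:
            problems.append("no -d: matches the port on every local and forwarded address")
        if "-i" not in rule:
            problems.append("no -i: also rewrites packets arriving on the internal interface")
        if problems:
            findings.append({"rule": line,
                             "target": rule.get("--to-destination"),
                             "problems": problems})
    return findings


def scoped_dnat_rule(ext_if, ext_ip, port, target):
    """Build the narrowly scoped form of the rule: only packets that arrive
    on the external interface, addressed to the external IP, are rewritten."""
    return (f"-A PREROUTING -i {ext_if} -d {ext_ip}/32 -p tcp -m tcp "
            f"--dport {port} -j DNAT --to-destination {target}")


def main():
    # Audit the live NAT table when run as root on a Linux host; otherwise
    # fall back to the constructed sample so the script runs anywhere.
    try:
        output = subprocess.run(["iptables-save", "-t", "nat"],
                                capture_output=True, text=True,
                                check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("iptables-save unavailable, auditing the constructed sample",
              file=sys.stderr)
        output = SAMPLE_NAT_TABLE
    for f in audit_dnat_rules(output):
        print(f"OVER-BROAD DNAT -> {f['target']}: {f['rule']}")
        for p in f["problems"]:
            print(f"    {p}")
    print("suggested form:",
          scoped_dnat_rule("eth0", "10.0.0.40", 7090, "192.168.0.2"))


if __name__ == "__main__":
    main()
```

On the sample table only the first rule is reported, with both problems; the scoped rule built by `scoped_dnat_rule` passes the same audit. Note that `iptables-save` always writes the DNAT target as `--to-destination`, even when the rule was entered with the `--to` shorthand used in the thread, so the parser looks for that key.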
Received on Fri Aug 18 2006 - 18:35:35 MDT