Re: [squid-users] problem running transparent proxy with squid-2.6.stable6

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Fri, 29 Dec 2006 00:11:10 +0100

tor 2006-12-28 klockan 05:31 -0800 skrev zulkarnain:
> Hi,
>
> I'm having a problem running transparent proxy with
> squid-2.6S6 where squid is not running in the same box
> with router/firewall.

"transparent" and "not running on the router/firewall" is tricky unless
one uses WCCP or similar support in the router.

> [Firewall]:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
> 80 -j DNAT --to 192.168.1.2:3128

This only kind of works, but is very tricky to get right.

First problem is that the proxy box MUST be configured to route return
traffic to the clients via the firewall when using iptables like this.

Second problem is that the original destination is lost in the DNAT, so
the proxy may have a hard time figuring out where the request should be
sent.

The second problem can be avoided by using policy routing (or maybe the
ROUTE iptables target) instead of DNAT to route the traffic to the Squid
server.

The first is harder... things get a lot easier if you add a "dmz" leg
to the firewall and move the proxy there.

Regards
Henrik
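The policy-routing alternative Henrik mentions, written out as an added example (this is not code from the thread or from the Squid project). It reuses the addresses from the original post (firewall LAN interface eth0, proxy at 192.168.1.2, Squid on port 3128); the mark value, routing-table number and the proxy box's interface name are assumed placeholders. Instead of DNAT, the firewall marks port-80 traffic and routes the unmodified packets to the proxy box, so the original destination is still in the packet when it arrives; a local REDIRECT on the proxy then hands it to Squid, and because the firewall never rewrote anything, the proxy's replies to clients do not have to travel back through the firewall to be un-NATed. Commands are printed rather than executed unless DRY_RUN=0, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original thread. Values from the post:
PROXY_IP=192.168.1.2
PROXY_PORT=3128
LAN_IF=eth0       # firewall's LAN interface from the post; assumed to be the
                  # proxy box's interface name as well
# Assumed placeholders: any unused mark value / routing table id will do.
FWMARK=1
RT_TABLE=100

# Print commands by default; apply them for real only with DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Firewall side. No DNAT: the destination address is left untouched, the
# packet is merely marked and sent to the proxy via a dedicated route table.
# The proxy's own outbound web requests are excluded from the mark, otherwise
# they would be looped straight back to the proxy.
firewall_policy_routing() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        ! -s "$PROXY_IP" -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    run ip route add default via "$PROXY_IP" dev "$LAN_IF" table "$RT_TABLE"
}

# Proxy side. The arriving packets are still addressed to the real web
# server, so REDIRECT steers them into Squid locally; netfilter's conntrack
# remembers the original destination and Squid reads it back, given a
# squid.conf line of the Squid 2.6 form:   http_port 3128 transparent
proxy_intercept() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Usage: sh this.sh firewall   (on the firewall)
#        sh this.sh proxy      (on the proxy box)
# Prefix with DRY_RUN=0 to actually install the rules.
case "${1:-}" in
    firewall) firewall_policy_routing ;;
    proxy)    proxy_intercept ;;
esac
```

Check the printed rules on a test box first; the one easy mistake is forgetting the `! -s` exclusion of the proxy's own traffic, which produces a routing loop rather than an obvious error.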

Received on Thu Dec 28 2006 - 16:11:15 MST

This archive was generated by hypermail pre-2.1.9 : Mon Jan 01 2007 - 12:00:01 MST