RE: [squid-users] client ip's

From: Jorge Bastos <mysql.jorge@dont-contact.us>
Date: Sat, 5 Apr 2008 14:24:23 +0100

People,

I updated to the latest STABLE-4 on Debian, but this still happens the same way.
What more can I do?

Jorge

> -----Original Message-----
> From: Jorge Bastos [mailto:mysql.jorge@decimal.pt]
> Sent: quinta-feira, 3 de Abril de 2008 9:56
> To: 'Amos Jeffries'
> Cc: 'Henrik Nordstrom'; squid-users@squid-cache.org
> Subject: RE: [squid-users] client ip's
>
> Hum, the last ones on Debian.
> They were 3.0 PRE-X, but I don't remember the number.
>
>
>
>
> > -----Original Message-----
> > From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> > Sent: quinta-feira, 3 de Abril de 2008 6:08
> > To: Jorge Bastos
> > Cc: 'Henrik Nordstrom'; squid-users@squid-cache.org
> > Subject: Re: [squid-users] client ip's
> >
> > Jorge Bastos wrote:
> > > The rule I use to redirect traffic from 80 to 8080 is:
> > > I must remember, this was working before 3.0 stable1 or stable2 (not
> > > using stable2), I just saw this was happening now.
> >
> > What version did you upgrade from?
> >
> > >
> > > iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
> > >
> >
> > If squid is running on this same box I would recommend the REDIRECT
> > target instead of DNAT. It's less work for the kernel.
> >
> > The other possible issue is that you have your redirection rule at the
> > start of the NAT tables. The matching rule to allow squid traffic out is
> > near the end.
> >
> > Even if you keep DNAT, they should be in this order:
> >
> > # allow squid traffic out okay.
> > iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 80 -j ACCEPT
> > # redirect all other web traffic into squid.
> > iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
> >
> > >
> > > cisne:~# iptables-save -t nat
> > > # Generated by iptables-save v1.4.0 on Wed Apr 2 17:12:25 2008
> > > *nat
> > > :PREROUTING ACCEPT [35:1650]
> > > :POSTROUTING ACCEPT [10307:1367320]
> > > :OUTPUT ACCEPT [66427:4357431]
> > > -A PREROUTING -d 193.164.158.105/32 -j DROP
> > > -A PREROUTING -i eth1 -p tcp -m tcp --dport 5111 -j DNAT --to-destination 192.168.1.11:5900
> > > -A PREROUTING -i eth1 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.2:5900
> > > -A PREROUTING -i eth1 -p tcp -m tcp --dport 5969 -j DNAT --to-destination 192.168.1.3:5900
> > > -A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.204:3389
> > > -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
> > > -A PREROUTING -p gre -j ACCEPT
> > > -A PREROUTING -p icmp -j ACCEPT
> > > -A PREROUTING -p ah -j ACCEPT
> > > -A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
> > > -A PREROUTING -p udp -m udp --dport 500 -j ACCEPT
> > > -A PREROUTING -p udp -m udp --dport 1723 -j ACCEPT
> > > -A PREROUTING -p udp -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 20 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 23 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 43 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 79 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 123 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 143 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
> > > -A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 444 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 1723 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 1863 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 3306 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 3389 -j ACCEPT
> > > -A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 5000 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 5190 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 5900 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 5901 -j ACCEPT
> > > -A PREROUTING -p tcp -m tcp --dport 6667 -j ACCEPT
> > > -A PREROUTING -s 192.168.1.0/24 -d 192.168.1.206/32 -p tcp -m tcp --dport 8888 -j ACCEPT
> > > -A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
> > > -A PREROUTING -i eth1 -p tcp -m tcp --dport 30106 -j DNAT --to-destination 192.168.1.224:30106
> > > -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 62500:63500 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> > > -A PREROUTING -j DROP
> > > -A POSTROUTING -o eth1 -j MASQUERADE
> > > COMMIT
> > > # Completed on Wed Apr 2 17:12:26 2008
> > >
> > > -----Original Message-----
> > > From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> > > Sent: quarta-feira, 2 de Abril de 2008 11:42
> > > To: Jorge Bastos
> > > Cc: squid-users@squid-cache.org
> > > Subject: RE: [squid-users] client ip's
> > >
> > > What do your iptables NAT rules look like?
> > >
> > > iptables-save -t nat
> > >
> > > ons 2008-04-02 klockan 09:18 +0100 skrev Jorge Bastos:
> > >> Transparent proxy
> > >>
> > >> Squid running on: 8080
> > >> And I forward 80 => 8080 (squid) => web
> > >>
> > >> My iptables rules are intact, I believe it was from 3.0 stable 1 or
> > >> 2 that this started to happen.
> > >>
> > >>
> > >>
> > >>
> > >>> -----Original Message-----
> > >>> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> > >>> Sent: quarta-feira, 2 de Abril de 2008 0:12
> > >>> To: Jorge Bastos
> > >>> Cc: squid-users@squid-cache.org
> > >>> Subject: RE: [squid-users] client ip's
> > >>>
> > >>> tis 2008-04-01 klockan 12:29 +0100 skrev Jorge Bastos:
> > >>>> No, just squid himself.
> > >>> As a plain proxy, or playing with NAT?
> > >>>
> > >>> Regards
> > >>> Henrik
> > >
> > >
> >
> > --
> > Please use Squid 2.6.STABLE19 or 3.0.STABLE4
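As an added example (not code from this thread or from the Squid project), a small POSIX shell check that reads an `iptables-save -t nat` dump and reports whether the ACCEPT for the proxy host's own port-80 traffic sits ahead of the LAN-wide rule that sends port 80 into squid, the PREROUTING ordering Amos describes above. The proxy address 192.168.1.1 and LAN 192.168.1.0/24 are assumed from the thread; the two embedded dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. It checks an
# `iptables-save -t nat` dump for the PREROUTING ordering Amos describes:
# the ACCEPT for the proxy host's own port-80 traffic must come before the
# LAN-wide rule that sends port 80 into squid (DNAT or REDIRECT).
# Assumed (hypothetical) addresses: proxy host 192.168.1.1, LAN 192.168.1.0/24.
PROXY_IP=192.168.1.1
LAN=192.168.1.0/24

# Escape dots so an address is matched literally by grep -E.
lit() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Reads a dump on stdin; prints ok | misordered | no-accept | no-redirect.
check_nat_order() {
    dump=$(cat)
    # iptables-save prints host addresses as a.b.c.d/32, so allow both forms.
    accept_at=$(printf '%s\n' "$dump" | grep -nE \
        "^-A PREROUTING -s $(lit "$PROXY_IP")(/32)? .*--dport 80 .*-j ACCEPT" |
        head -n1 | cut -d: -f1)
    redir_at=$(printf '%s\n' "$dump" | grep -nE \
        "^-A PREROUTING -s $(lit "$LAN") .*--dport 80 .*-j (DNAT|REDIRECT)" |
        head -n1 | cut -d: -f1)
    [ -n "$redir_at" ] || { echo no-redirect; return 0; }
    [ -n "$accept_at" ] || { echo no-accept; return 0; }
    if [ "$accept_at" -lt "$redir_at" ]; then echo ok; else echo misordered; fi
}

# Constructed sample with the shape of Jorge's dump, trimmed: the LAN-wide
# DNAT has no ACCEPT for the proxy host ahead of it.
jorge_dump() {
cat <<'EOF'
*nat
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -j DROP
COMMIT
EOF
}

# Constructed sample in the order Amos recommends, using REDIRECT.
fixed_dump() {
cat <<'EOF'
*nat
-A PREROUTING -s 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -j DROP
COMMIT
EOF
}
```

On a live box, `iptables-save -t nat | check_nat_order` (after sourcing the script) runs the same check against the real table.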
Received on Sat Apr 05 2008 - 07:24:27 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT