Re: [squid-users] (111) Connection refused

From: ░▒▓ ɹɐzǝupɐɥʞ ɐzɹıɯ ▓▒░ <mirza.k_at_gmail.com>
Date: Fri, 22 Aug 2008 11:18:31 +0700

Can you give the iptables rule?
:(

On Fri, Aug 22, 2008 at 10:50 AM, Michael Alger <squid_at_mm.quex.org> wrote:
> On Fri, Aug 22, 2008 at 10:07:53AM +0700, ░▒▓ ɹɐzǝupɐɥʞ ɐzɹıɯ ▓▒░ wrote:
>> ## Forward port 80 to mail server
>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119
>> --dport 80 -j DNAT --to-destination 172.16.0.2
>
> This looks like you're redirecting from your external interface's
> port 80 to another server. Presumably there's nothing listening on
> port 80 on your DMZ server?
>
>> problem :
>> I can't browse to my-sub.domain.ext from network
>> but I can browse my-sub.domain.ext from external ( other place )
>>
>> The following error was encountered:
>>
>> * Connection to 202.169.51.119 Failed
>>
>> The system returned:
>>
>> (111) Connection refused
>
> Your proxy is connecting from a different interface (eth2 I think)
> and therefore the connection to port 80 is not being redirected to
> the mail server. You *may* be able to solve this by also redirecting
> the connection from your proxy server, but you'll also need to use
> source NAT so your mail server's www service sends its replies to
> your DMZ server. Without the SNAT, the mail server will reply
> directly to the proxy server, and that will confuse the proxy
> because it thinks it's talking to your external IP.
>
> The other common solution to this problem is to use so-called "split
> horizon DNS", whereby you have internal DNS servers which return the
> internal address (i.e. my-sub.domain.ext will resolve to 172.16.0.1,
> rather than your external IP) but your external DNS servers will
> return your external address. That way your clients inside the
> network get the correct address.
>
> Depending on how your squid is doing DNS lookups, you may be able to
> add an entry to the /etc/hosts file on your proxy server and then
> explicitly configure the proxy for your clients. If that works this
> might provide an acceptable short-term solution.
>

-- 
-=-=-=-=
Received on Fri Aug 22 2008 - 04:18:36 MDT
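
An added illustration, not part of the original thread or of Squid: a toy Python model of the cases described in the quoted reply (no DNAT rule on the proxy's interface, DNAT only, DNAT plus SNAT). The proxy address 172.16.0.3, the DMZ server's inside address 172.16.0.1, the /24 mask and the outside client are assumptions.

```python
import ipaddress

PUBLIC_IP = "202.169.51.119"   # external address, from the thread
MAIL_IP = "172.16.0.2"         # DNAT target, from the thread
FW_INSIDE_IP = "172.16.0.1"    # assumption: DMZ server's address facing the mail server
PROXY_IP = "172.16.0.3"        # assumption: proxy sits on the mail server's segment
OUTSIDE_IP = "198.51.100.7"    # constructed external client
SEGMENT = ipaddress.ip_network("172.16.0.0/24")  # assumption: mask not given in the thread


def connect(client_ip, in_if, dnat_ifs, snat):
    """Model one TCP connect from client_ip to PUBLIC_IP:80 through the DMZ server.

    in_if    -- interface the SYN arrives on
    dnat_ifs -- interfaces that have a PREROUTING DNAT rule (-i <if>)
    snat     -- whether a POSTROUTING SNAT rule rewrites the source to FW_INSIDE_IP
    """
    # PREROUTING: the rule in the thread matches "-i eth0" only. A SYN arriving
    # on any other interface is delivered to the DMZ server itself.
    if in_if not in dnat_ifs:
        return "refused: no listener on the DMZ server's port 80"

    # POSTROUTING: with SNAT the mail server sees the DMZ server as the client.
    seen_src = FW_INSIDE_IP if snat else client_ip

    # The mail server answers seen_src. If that is another host on its own
    # segment, the reply goes direct and never passes the DMZ server's conntrack.
    direct = ipaddress.ip_address(seen_src) in SEGMENT and seen_src != FW_INSIDE_IP
    reply_src = MAIL_IP if direct else PUBLIC_IP  # conntrack restores PUBLIC_IP

    if reply_src != PUBLIC_IP:
        return "dropped: client sent to %s but the reply came from %s" % (PUBLIC_IP, reply_src)
    return "ok"


if __name__ == "__main__":
    cases = [
        ("outside client, rule on eth0", OUTSIDE_IP, "eth0", {"eth0"}, False),
        ("proxy, rule on eth0 only", PROXY_IP, "eth2", {"eth0"}, False),
        ("proxy, DNAT added on eth2", PROXY_IP, "eth2", {"eth0", "eth2"}, False),
        ("proxy, DNAT on eth2 plus SNAT", PROXY_IP, "eth2", {"eth0", "eth2"}, True),
    ]
    for label, *args in cases:
        print("%-32s -> %s" % (label, connect(*args)))
```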