Re: [squid-users] Squid - Not replace source IP address

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 05 Aug 2009 12:10:11 +1200

On Tue, 4 Aug 2009 17:01:45 -0700 (PDT), casket88
<jamespeek_at_oldfields.com.au> wrote:
> Hi,
>
> We have several interconnected branches on their own networks. I would like
> to shut off web access directly from all branches except head office.
>
> We have an Untangle gateway configured as a transparent bridge at head
> office that all traffic passes through. I would like to keep on using this
> for content filtering and logging. However I want a Squid server to be able
> to accept connections from our branches, use its caching and then redirect
> it out through the Untangle gateway for logging. We will be redirecting all
> web traffic on our Cisco routers at each branch to the proxy server.
>
> I have Squid set up to allow connections from all our internal networks and
> set up IPtables with the following command:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> This all works fine and I am able to surf through the proxy, which appears
> to be caching correctly and forwarding it to our gateway which performs the
> content filtering and logging. The only problem is that through the NAT
> process the source IP address is replaced with that of the Squid's and is
> logged accordingly.

Yes. This is how NAT operates.

>
> How would I go about configuring Squid to accept connections, cache them and
> then forward the request on to the webserver via the gateway WITHOUT
> replacing the source IP address?

Get rid of NAT and use TPROXY for the capture instead.

>
> In summary: user requests connection to website on port 80, request
> transparently redirected to Squid on Cisco router, Squid accepts it and
> forwards it to webserver through gateway.

NP: Your word 'transparently redirected' appears to mean 'routed' in that
paragraph. Please use the word 'transparent' less.
/rant.

Amos
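What "get rid of NAT and use TPROXY" looks like in practice, as an added example that is not part of the thread and not Squid project code. It assumes a Squid build with TPROXY support (the `tproxy` flag on `http_port`), a Linux kernel with the TPROXY target and policy routing, the interface `eth0` from the original post, and my own choices for the tproxy port (3129), fwmark (1) and routing table (100). The script only prints the commands unless `APPLY=1` is set, so it can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): swap the NAT REDIRECT capture
# for a TPROXY capture so Squid keeps the client's source address on the
# outbound side. Assumptions: Squid built with TPROXY support, kernel with the
# TPROXY target and ip-rule policy routing, eth0 as the inside interface, and
# the port/mark/table values below (all chosen here, not from the thread).
# Dry-run by default: commands are printed, not executed, unless APPLY=1.

IFACE="${IFACE:-eth0}"            # interface the branch traffic arrives on
SQUID_PORT="${SQUID_PORT:-3129}"  # dedicated tproxy port, separate from 3128
MARK="0x1/0x1"                    # fwmark that steers intercepted packets locally
TABLE="100"                       # policy-routing table for marked packets

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The rule the original poster used. REDIRECT is a NAT target: the source
# address seen by everything downstream (here the Untangle gateway) is Squid's.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port 3128\n' "$IFACE"
}

# TPROXY replacement: nothing is rewritten. Port-80 packets are marked and
# policy-routed to the local stack, where Squid's tproxy socket accepts them
# and later connects outward using the client's own address.
tproxy_rules() {
    # Deliver marked packets to the local stack without NAT
    run ip rule add fwmark 1 lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    # Packets belonging to an already-established local socket: just mark them
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New port-80 connections from the branches: hand them to Squid's tproxy port
    run iptables -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK" --on-port "$SQUID_PORT"
}

# Matching squid.conf line. The tproxy flag is what makes Squid use the
# client's address for the outbound connection instead of its own.
squid_port_line() {
    printf 'http_port %s tproxy\n' "$SQUID_PORT"
}

tproxy_rules
squid_port_line
```

The old `-t nat ... -j REDIRECT` rule has to be removed, not left alongside these; otherwise NAT still wins and the gateway logs keep showing Squid's address. Because the outbound connections now carry branch client addresses, the web servers' replies are addressed to those clients, so the return path must pass back through the Squid host (it is the only box holding the socket state); if replies can reach the branches by another route, the sessions break. The same property is what makes the Untangle logs useful again, since it now sees the real client IP rather than the proxy.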
Received on Wed Aug 05 2009 - 00:10:14 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 05 2009 - 12:00:03 MDT