Re: [squid-users] Question on transparent proxy with web server behind proxy.

From: Ben Greear <greearb_at_candelatech.com>
Date: Tue, 25 Jan 2011 15:46:52 -0800

On 01/25/2011 11:14 AM, Pieter De Wit wrote:
> Hi Ben,
>
> I suspect that will do the trick :)

It seems it was a tad more tricky, but this appears to be working:

/sbin/ebtables -t broute -A BROUTING -i veth2 --logical-in br0 -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -m physdev --physdev-in veth2 -j REDIRECT --to-port 3128

The 'veth2' interface is the downstream port.

Thanks,
Ben

>
> Let us know
>
> Cheers,
>
> Pieter
>
> On Tue, 25 Jan 2011, Ben Greear wrote:
>
>> On 01/25/2011 10:36 AM, Ben Greear wrote:
>>> On 01/25/2011 10:06 AM, Pieter De Wit wrote:
>>>> Hi Ben,
>>>>
>>>> On 26/01/2011 06:55, Ben Greear wrote:
>>>>> On 01/25/2011 09:48 AM, Pieter De Wit wrote:
>>>>>> Hi Ben,
>>>>>>
>>>>>> There sure is :)
>>>>>>
>>>>>> Change the IP Tables rule at the bottom to something like this:
>>>>>>
>>>>>> /sbin/iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.0/24
>>>>>> --dport 80 -j REDIRECT --to-port 3128
>>>>>>
>>>>>> Replace the 192.168 with your network. Keep in mind that you can have
>>>>>> multiples of these :)
>>>>>>
>>>>>> In a nutshell, IP Tables was making each request (even from the
>>>>>> outside
>>>>>> world) go via Squid.
>>>>>
>>>>> Do you happen to know if it can be done based on incoming (real) port
>>>>> so we don't have to care about IP addresses?
>>>>>
>>>> You can, but that is not guaranteed, since the source port should be
>>>> assigned at random by the OS. Keep in mind that this will be
>>>> Chrome/IE/Firefox/<insert browser here> that makes the connection.
>>>> Having re-read your suggestion, are you not referring to the ethernet
>>>> port ?
>>>
>>> I mean ethernet port/interface, something like '-i br0
>>> --original-input-dev eth0'
>>>
>>> If nothing comes to mind immediately, don't worry..I'll go read man
>>> pages :)
>>
>> Looks like '--physdev-in eth0'
>> might do the trick..we'll do some testing.
>>
>> Thanks,
>> Ben
>>
>>>
>>> Thanks,
>>> Ben
>>>
>>>
>>
>>
>> --
>> Ben Greear <greearb_at_candelatech.com>
>> Candela Technologies Inc http://www.candelatech.com
>>
>>

-- 
Ben Greear <greearb_at_candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
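The rules above, packaged as a small script with a dry-run mode and an audit helper, as an added example that is not part of the thread or of anything Ben posted. It assumes the names from the message (bridge br0, downstream port veth2, Squid on 3128) as overridable placeholders, and adds the bridge-netfilter sysctl that bridged frames need before they reach the iptables nat table; ebtables takes the physical port in `-i` and the bridge device in `--logical-in`. The audit function reads `iptables -t nat -S PREROUTING` output and flags any REDIRECT to the Squid port that is not scoped by `--physdev-in`, which is the original misconfiguration that pulled outside-world requests for the web server into Squid.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Scopes the Squid REDIRECT
# to the downstream bridge port so connections arriving from the upstream side
# are bridged to the web server untouched instead of being proxied.
# Placeholders (assumed, override via environment): br0, veth2, 3128.

BRIDGE=${BRIDGE:-br0}
DOWNSTREAM=${DOWNSTREAM:-veth2}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit the commands one per line; this function executes nothing itself.
redirect_rules() {
    # Bridged frames only traverse the iptables nat table when bridge
    # netfilter is active; without it the physdev match never sees traffic.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    # ebtables: -i is the physical bridge port, --logical-in is the bridge.
    # Port-80 TCP frames from the downstream port are pulled out of the
    # bridge fast path so they are routed and hit nat/PREROUTING.
    echo "/sbin/ebtables -t broute -A BROUTING -i $DOWNSTREAM --logical-in $BRIDGE -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT"
    # Only frames that physically entered via the downstream port go to Squid.
    echo "/sbin/iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -m physdev --physdev-in $DOWNSTREAM -j REDIRECT --to-port $SQUID_PORT"
}

# Audit helper: feed 'iptables -t nat -S PREROUTING' output on stdin.
# Returns 0 when every REDIRECT to the Squid port carries --physdev-in,
# 1 when an unscoped REDIRECT (the thread's original problem) is present.
audit_redirects() {
    unscoped=$(grep -- "-j REDIRECT" | grep -v -- "--physdev-in" \
        | grep -c -- "$SQUID_PORT" || true)
    [ "$unscoped" -eq 0 ]
}

# Constructed samples of 'iptables -t nat -S PREROUTING' for both cases
# (iptables prints the REDIRECT target back as --to-ports).
BAD_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
GOOD_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -m physdev --physdev-in veth2 -j REDIRECT --to-ports 3128'

# Default: print the rules. "apply" runs them (needs root and ebtables/iptables).
case "${1:-}" in
    apply) redirect_rules | while read -r cmd; do sh -c "$cmd"; done ;;
    *)     redirect_rules ;;
esac
```

Run it with no arguments to review the generated commands, or pipe live `iptables -t nat -S PREROUTING` output into `audit_redirects` after sourcing the script to confirm no REDIRECT to Squid is left unscoped.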
Received on Tue Jan 25 2011 - 23:47:00 MST

This archive was generated by hypermail 2.2.0 : Wed Jan 26 2011 - 12:00:03 MST