Re: [squid-users] transparent proxy debugging

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Apr 2011 18:34:41 +1200

On 20/04/11 18:19, cc wrote:
> Hi Amos,
>
> Amos Jeffries wrote:
>>> LO_REDIRECT=3129
>>> $IPTB -t nat -A PREROUTING -i $INET_IF -s $INET_IP -p tcp \
>>> --dport $HTTP -j ACCEPT
>>> $IPTB -t nat -A PREROUTING -i $DMZ_IF -p tcp -s $LAN_NET --dport $HTTP \
>>> -j REDIRECT --to-ports $LO_REDIRECT
>>> $IPTB -t nat -A POSTROUTING -o $INET_IF -p tcp -j MASQUERADE
>>> $IPTB -t mangle -A PREROUTING -p tcp --dport $LO_REDIRECT -j DROP
>>>
>>> squid.conf:
>>>
>>> http_port 3129 transparent
>>>
>>> (are there other options that I need to consider?)
>>>
>>> From within the LAN_NET, I get a time out error.
>>
>> You are missing the rule which prevents packets leaving Squid from being
>> looped back into Squid again.
>>
>> You seem to have one preventing external (WAN) traffic from being NAT'd
>> into Squid instead.
>>
>> Try this:
>>
>> $IPTB -t nat -A PREROUTING -i $INET_IF -s $INET_IP -p tcp \
>> --dport $HTTP -j ACCEPT
>>
>> $IPTB -t nat -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
>>
>> $IPTB -t nat -A PREROUTING -i $DMZ_IF -p tcp \
>> -s $LAN_NET --dport $HTTP \
>> -j REDIRECT --to-ports $LO_REDIRECT
>
> In my case, wouldn't $SQUID_IP = $INET_IP?

Only if the first of those rules is broken.

  ... -i $INET_IF -s $INET_IP matches traffic from another machine
called $INET_IP outside the current box.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
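The rule set as Amos lays it out, with a dry-run check that the Squid-origin ACCEPT precedes the REDIRECT (an added example, not code from the thread). The interface names, addresses and the assumption that SQUID_IP is the source address of Squid's own outbound sockets are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from the thread): emit the nat PREROUTING rules in the
# order Amos describes and check that the Squid-origin ACCEPT rule comes
# before the REDIRECT; a REDIRECT ahead of it loops Squid's own outbound
# connections back into Squid. Addresses below are constructed placeholders.
dry_run() { printf '%s\n' "$*"; }   # prints each rule instead of applying it
IPTB="${IPTB:-dry_run}"             # set IPTB=iptables to apply for real
INET_IF="${INET_IF:-eth0}"          # WAN interface
DMZ_IF="${DMZ_IF:-eth1}"            # LAN-facing interface
INET_IP="${INET_IP:-198.51.100.10}" # external peer exempted from interception
SQUID_IP="${SQUID_IP:-192.168.1.1}" # source address of Squid's outbound sockets
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HTTP=80
LO_REDIRECT=3129

emit_rules() {
    # 1. traffic from the external peer is never NAT'd into Squid
    $IPTB -t nat -A PREROUTING -i "$INET_IF" -s "$INET_IP" -p tcp \
        --dport "$HTTP" -j ACCEPT
    # 2. traffic Squid itself originates must skip the REDIRECT
    $IPTB -t nat -A PREROUTING -s "$SQUID_IP" -p tcp --dport "$HTTP" -j ACCEPT
    # 3. everything else from the LAN is intercepted
    $IPTB -t nat -A PREROUTING -i "$DMZ_IF" -p tcp -s "$LAN_NET" \
        --dport "$HTTP" -j REDIRECT --to-ports "$LO_REDIRECT"
    # 4. nobody may connect to the intercept port directly
    $IPTB -t mangle -A PREROUTING -p tcp --dport "$LO_REDIRECT" -j DROP
}

# Reads rule lines on stdin (dry-run output or "iptables-save -t nat");
# exits 0 only if an ACCEPT for SQUID_IP precedes the first REDIRECT.
check_no_loop() {
    awk -v ip="$SQUID_IP" '
        /-A PREROUTING/ && /-j ACCEPT/ && !seen_redirect &&
            (index($0, "-s " ip " ") || index($0, "-s " ip "/32 ")) { ok = 1 }
        /-j REDIRECT/ { seen_redirect = 1 }
        END { exit ok ? 0 : 1 }'
}

# Dry run: print the rules, then confirm the ordering is loop-safe.
emit_rules
emit_rules | check_no_loop && echo "ok: Squid-origin ACCEPT precedes REDIRECT"
```

Run it with `IPTB=iptables` only once the dry-run output looks right for your interfaces and addresses.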
Received on Wed Apr 20 2011 - 06:34:45 MDT