Re: [squid-users] Would like to forward traffic without using SNAT to disguise source IP

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 03 Oct 2011 17:26:24 +1300

On 28/09/11 07:37, Jeff MacDonald wrote:
> Hi,
>
> My setup is such that from home, I connect to a remote openvpn host
> which is running IPtables.
>
> That machine then redirects all traffic with rules like this:
>
> iptables -t nat -A PREROUTING -i tun0 -s ! 10.17.0.3 -p tcp --dport 80 -j DNAT --to 10.17.0.3:3128
> iptables -t nat -A POSTROUTING -o tun0 -s 10.111.111.0/24 -d 10.17.0.3 -j SNAT --to 10.111.111.1
>
> Where 10.111.111.0/24 is my VPN, and 10.17.0.3 is my squid server.
>
> The problem with this scenario is that all requests appear to come
> from 10.17.0.2, the openvpn server, which defeats our purpose of
> putting this proxy in place: to catch a slacker who is wasting
> company time.
> Thoughts? Any way we can use iptables better for this redirection?

You require TPROXY on the interception server.

  http://wiki.squid-cache.org/Features/Tproxy4

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
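As an added example, not code from the thread or from the Squid project: the DNAT+SNAT rules from the question beside a TPROXY rule set in the shape of the Features/Tproxy4 page Amos links, wrapped in a dry-run shell script so the two can be compared without touching a live firewall. It assumes Squid runs on the OpenVPN host itself (TPROXY hands packets to a local socket, so the proxy must sit on the box that intercepts); tun0, 10.111.111.0/24 and port 3128 come from the thread, fwmark 1 and routing table 100 are the wiki's defaults.

```shell
#!/bin/sh
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Approach from the question: DNAT to Squid, then SNAT so replies route
# back through the VPN host. The SNAT rewrites the client address, so
# Squid only ever logs 10.111.111.1 and per-client attribution is lost.
snat_rules() {
  run iptables -t nat -A PREROUTING -i tun0 ! -s 10.17.0.3 -p tcp \
      --dport 80 -j DNAT --to 10.17.0.3:3128
  run iptables -t nat -A POSTROUTING -o tun0 -s 10.111.111.0/24 \
      -d 10.17.0.3 -j SNAT --to 10.111.111.1
}

# TPROXY approach (shape of wiki.squid-cache.org/Features/Tproxy4): the
# packet is delivered to Squid's tproxy socket with no address rewrite,
# so access.log shows the real VPN client IP. Squid must be local, with
# "http_port 3128 tproxy" in squid.conf; rp_filter may need relaxing.
tproxy_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Marked packets are routed to loopback, i.e. to the local socket.
  run ip -f inet rule add fwmark 1 lookup 100
  run ip -f inet route add local default dev lo table 100
  # DIVERT: packets already owned by a local socket get the same mark.
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark 1
  run iptables -t mangle -A DIVERT -j ACCEPT
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # New port-80 flows from VPN clients go to Squid's tproxy port.
  run iptables -t mangle -A PREROUTING -i tun0 -s 10.111.111.0/24 \
      -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
}

case "${1:-}" in
  snat)   snat_rules ;;
  tproxy) tproxy_rules ;;
esac
```

Run with `tproxy` or `snat` to print the rule set, `DRY_RUN=0` to apply it.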
Received on Mon Oct 03 2011 - 04:26:29 MDT