Re: [squid-users] request loop back in the access file

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 02 Mar 2012 00:02:15 +1300

On 01.03.2012 23:41, Mustafa Raji wrote:
> --- On Thu, 3/1/12, Amos Jeffries wrote:
>
>> From: Amos Jeffries
>>
>> Also you said "using mikrotik dnat rule". Does that mean
>> your NAT is being done by the Mikrotik instead of the Squid
>> box? that is bad. Use policy routing or WCCP to push the
>> packets unchanged to the Squid box instead.
>>
>> Amos
>>
> thank you for your reply
> the mikrotik is used just to redirect traffic from client to squid on
> port 80, the squid box is receiving the packet from the mikrotik on
> port 80, to be more clear I used a rule to redirect tcp packets from
> client on port 80 (using mikrotik dnat) to squid box on port 80 to,

Ah, I thought so. Mikrotik has erased the destination IP information
during its DNAT. Squid is a separate box without direct access into
the Mikrotik kernel RAM, so Squid has no way to know what destination IP
it should connect to in order to fetch the request.

When you upgrade your Squid away from 3.1 it will start complaining
about "Host header forgery" and dumping traffic.
Squid 3.1 will let the traffic through without complaints, but then use
DNS to pick a random new destination IP for the site (breaking load
balancing) and add fake IP address information to your access.log
(breaking any monitoring/reporting you might want to do). For example:
your earlier log showed a client IP of 192.168.40.1 when that is not the
real client, but only the Mikrotik.

You would do well to start looking into other ways to *route* packets
than DNAT redirect on the Mikrotik. I know it is not hard, routing is a
basic feature and there are others doing policy routing or WCCP on
Mikrotik for the same setup you have. The benefits you will get are
worth a small amount of trouble finding out how to do it properly from
the start.

> alteration for the destination ip only, altering tcp port is not
> included in the mikrotik, it's done in the squid box.
> outgoing ip your squid uses ?
> we can say it is the ip of the squid in my situation (source ip from
> squid outgoing packets), is this right ?

Yes.

Since you have DNAT on the Mikrotik the Squid also needs bypassing
there, in the same way.

> if this is right why do I need a rule to accept the packet that is coming
> from my squid box, and my iptables default policy is accept so this
> packet is accepted by default, why do I need such a rule ?

Because PREROUTING and NAT is applied to both incoming and outgoing
packets. And because the default policy is a default. It only applies
when no rule like your DNAT one is present and catching the packets
first.

Amos
Received on Thu Mar 01 2012 - 11:02:18 MST
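A simplified model of the destination cross-check that newer Squid applies to intercepted requests (the "Host header forgery" complaint Amos mentions), as an added example that is not Squid's code and not part of this thread. It assumes the proxy host can recover the client's original destination from its own NAT table; when an upstream router has already DNATed the packet to the proxy, that value is the proxy's own address and nothing can be verified. The DNS table, host names and addresses are constructed.

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Constructed DNS answers standing in for a resolver; documentation-range
# addresses, not the real records of these names.
FAKE_DNS = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "www.example.net": ["198.51.100.5"],
}

def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])

def host_from_header(host_header: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a Host header value."""
    value = host_header.strip().lower()
    if value.startswith("["):                      # "[v6-literal]:port"
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value

def check_intercepted_request(orig_dst: str, host_header: str,
                              proxy_ips: Iterable[str],
                              resolver: Callable[[str], List[str]] = fake_resolve
                              ) -> Tuple[str, str]:
    """Return (verdict, reason) for one intercepted request.
    orig_dst    - IP the client actually connected to, read from the proxy
                  host's own NAT table (hypothetical input for this model).
    host_header - the HTTP Host header the client sent.
    proxy_ips   - the proxy host's own addresses.
    """
    if orig_dst in set(proxy_ips):
        # A router DNATed the packet before it reached us: the real destination
        # is gone, so the Host header cannot be cross-checked against anything.
        return ("unverifiable", "original destination rewritten to the proxy by upstream NAT")
    host = host_from_header(host_header)
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:                        # Host is an IP literal
        if str(literal) == orig_dst:
            return ("ok", "Host literal matches TCP destination")
        return ("forgery", f"Host literal {literal} != TCP destination {orig_dst}")
    answers = resolver(host)
    if not answers:
        return ("forgery", f"{host} does not resolve")
    if orig_dst in answers:
        return ("ok", f"{host} resolves to {orig_dst}")
    return ("forgery", f"{host} resolves to {answers}, client connected to {orig_dst}")
```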