Re: [squid-users] Re: Three questions about Squid configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Jul 2014 16:21:37 +1200

On 18/07/2014 7:25 a.m., Nicolás wrote:
> Ok, I'll try to explain the scenario again and more detailed (I remark
> that I'm using this guide which states that it should work for public IP
> addresses: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource):
>
> Client side: Has public IP address A.B.C.D
> Server side: Has public IP address E.F.G.H
>
> On the client side, I added the following iptables rule:
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination E.F.G.H:3128

Okay. The situation seems clear now. This rule is capturing both the
client UA output traffic and Squid output traffic.

You need the rule omitting Squid from being captured. The config example
should have mentioned it; I have added that now.

iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT

Note the one you tried earlier and failed was in PREROUTING, not OUTPUT.
This should be the correct one.

NP: you could also use REDIRECT instead of DNAT if you want to avoid
figuring out the server/client "side" IP address issues. But try the
above iptables rule in your existing config first to confirm if it works
before moving on to that change.

<snip>
> access.log:
>
> 1405623902.957 0 A.B.C.D TCP_MISS/403 4300 GET
> http://google.es/ - HIER_NONE/- text/html
> 1405623902.958 1 A.B.C.D TCP_MISS/403 4419 GET
> http://google.es/ - HIER_DIRECT/E.F.G.H text/html
>

Note that these are in order of completion rather than order of
initiation. The second line is the first request (client->server
intercepted into Squid); the first line is the squid->server looped request.

Amos
Received on Fri Jul 18 2014 - 04:21:54 MDT
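A toy model of the rule ordering discussed above, added here as an example and not part of the thread or of Squid: it simulates first-match evaluation of the nat OUTPUT chain (it is not iptables), with constructed uids for the browser user and the "proxy" account, and shows that the owner-match ACCEPT rule only keeps Squid's own outbound connections from being diverted back into Squid when it sits before the DNAT rule in the chain.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed values: uid of the account Squid runs as, uid of the browser
# user, and the proxy address from the thread. Real uids differ per system.
PROXY_UID = 13
USER_UID = 1000
SQUID = ("E.F.G.H", 3128)

@dataclass(frozen=True)
class Packet:
    uid: int      # owner of the local socket, what --uid-owner matches
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str                           # "ACCEPT" or "DNAT"; both end the chain
    dport: int                            # --dport
    uid: Optional[int] = None             # --match owner --uid-owner; None = any uid
    to: Optional[Tuple[str, int]] = None  # --to-destination for DNAT

ACCEPT_PROXY = Rule("ACCEPT", 80, uid=PROXY_UID)   # the rule from the reply
DNAT_TO_SQUID = Rule("DNAT", 80, to=SQUID)         # the rule from the question

def nat_output(rules, pkt):
    """First matching rule wins, as in the nat OUTPUT chain; no match means ACCEPT."""
    for r in rules:
        if pkt.dport != r.dport or (r.uid is not None and pkt.uid != r.uid):
            continue
        return replace(pkt, dst=r.to[0], dport=r.to[1]) if r.target == "DNAT" else pkt
    return pkt

def trace(rules, pkt, max_hops=5):
    """Follow one outgoing request. Each time it is diverted into Squid, Squid
    forwards it to the original destination as a new packet owned by PROXY_UID.
    Returns (times it entered Squid, True if it never reached the origin)."""
    entries = 0
    while entries < max_hops:
        out = nat_output(rules, pkt)
        if (out.dst, out.dport) != SQUID:
            return entries, False                   # left the host towards the origin
        entries += 1
        pkt = Packet(PROXY_UID, pkt.dst, pkt.dport)  # Squid's own outbound connection
    return entries, True                            # still looping after max_hops

if __name__ == "__main__":
    browser = Packet(USER_UID, "google.es", 80)
    print("DNAT only:       ", trace([DNAT_TO_SQUID], browser))
    print("ACCEPT then DNAT:", trace([ACCEPT_PROXY, DNAT_TO_SQUID], browser))
    print("DNAT then ACCEPT:", trace([DNAT_TO_SQUID, ACCEPT_PROXY], browser))
```

Because DNAT terminates the chain for a matching packet, an ACCEPT rule appended after an existing DNAT rule is never reached; it has to be inserted ahead of it.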
