Re: Transparent proxy question

Antony Stone wrote:

On Monday 15 March 2004 10:47 am, Sasa Stupar wrote:


Antony Stone wrote:


$IPT -t nat -A POSTROUTING -o $INIF -s $INNET -d 192.168.10.10 -j SNAT --to 192.168.10.111

Is there something to add or change here?

Yes. Remove the POSTROUTING rule, because it is specifically changing the source address of all packets sent to the proxy server to be that of the firewall.

Not good. Now my transparent proxy doesn't work anymore. :( What's the catch?


1. Now that it isn't working, do you get any errors in your proxy log file, or does it think there are no requests?
2. What source IPs does your proxy server allow access for?
3. Does the proxy server know how to route back to the clients?
4. Do you have a suitable ESTABLISHED,RELATED rule on your firewall to allow back the replies? (I expect so, but you didn't post your full ruleset earlier, so I can't be sure...)
5. Where are the clients on the network in relation to the firewall and the proxy server (please don't tell me they're on the same subnet as the proxy...?)


Regards,

Antony.


1. I've got nothing in the squid log, but in the browser I get a Timeout error, so it looks like squid doesn't get any requests.
2. It allows for LAN IPs.
3. Yep
4. Yep: $IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
5. Some of them are on the same subnet and some not.


Regards,
Sasa
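
Added example, not part of either message: a small model of what question 5 probes, tracing one intercepted connection with and without the POSTROUTING SNAT rule and reporting which source the proxy sees and whether the reply reaches the client through the firewall's NAT. The /24 mask, the client and web server addresses, and the proxy using the firewall as its gateway are assumptions; only 192.168.10.10 and 192.168.10.111 come from the thread.

```python
import ipaddress

# 192.168.10.10 (proxy) and 192.168.10.111 (firewall) are from the thread.
# The /24 mask, the web server and the client addresses are constructed.
PROXY = ipaddress.ip_address("192.168.10.10")
FIREWALL = ipaddress.ip_address("192.168.10.111")
PROXY_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed mask
WEB = ipaddress.ip_address("203.0.113.80")           # constructed destination


def trace(client, snat):
    """Follow one intercepted connection and report how the reply travels."""
    client = ipaddress.ip_address(client)
    # PREROUTING DNAT on the firewall rewrites the destination WEB -> PROXY.
    # The POSTROUTING SNAT rule, when present, rewrites the source -> FIREWALL.
    seen_src = FIREWALL if snat else client
    # The proxy answers the source it saw. An on-link source is reached
    # directly; anything else goes to the gateway (assumed: the firewall).
    via_firewall = seen_src == FIREWALL or seen_src not in PROXY_NET
    # Only the firewall holds the conntrack entry that restores the reply's
    # source to WEB, the address the client actually connected to.
    reply_src = WEB if via_firewall else PROXY
    return {
        "proxy_sees": str(seen_src),
        "reply_path": "via firewall" if via_firewall else "direct",
        "client_accepts": reply_src == WEB,
    }


if __name__ == "__main__":
    # Constructed clients: one on the proxy's subnet, one on another subnet.
    for client in ("192.168.10.50", "192.168.20.50"):
        for snat in (True, False):
            print(client, "SNAT" if snat else "no SNAT", trace(client, snat))
```

With SNAT every request reaches the proxy from 192.168.10.111, so source-based access rules and the proxy log no longer distinguish clients; without it, a client on the proxy's own subnet gets a reply that never passed back through the firewall.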

