On Thursday 12 May 2005 19:50, netfilter-request@xxxxxxxxxxxxxxxxxxx wrote:
> On Thu, May 12, 2005 at 02:52:38PM +0300, Martin Vassilev wrote:
> > Hello, first of all sorry for poor English.
> >
> > Have some trouble with transparent proxying
> >
> > Configuration is simple:
> >
> > ------------                  ----------
> > |CLIENT| ---- eth/vlans ---- | GATE|
> > ------------                  ----------
> >                            transparent proxy
> >
> >
> > ------------------test1---------------------
> > GATE:/#iptables -t nat -I PREROUTING -p TCP -s `CLIENT` \
> > --destination-port 80 -i vlan8 -j REDIRECT --to-ports 3128
> >
> > CLIENT:/# telnet www.netfilter.org 80
> > Trying 213.95.27.115...
> > telnet: connect to address 213.95.27.115: Connection refused
> > (that's the problem ;))
> >
> > GATE:/# tcpdump -n -i vlan8 -f "net `CLIENT`"
> > tcpdump: listening on vlan8
> > 11:43:28.336226 `CLIENT`.38842 > 213.95.27.115.80: S
> > 1057989664:1057989664(0) win 5840 <mss 1412,sackOK,timestamp 1881955228
> > 0,nop,wscale 2> (DF) [tos 0x10]
> >
> > GATE:/# iptables -t nat -n -L -v
> > Chain PREROUTING (policy ACCEPT 32M packets, 1991M bytes)
> > pkts bytes target prot opt in out source
> > destination
> > 1 60 REDIRECT tcp -- vlan8 * `CLIENT` 0.0.0.0/0
> > tcp dpt:80 redir ports 3128
> >
> > nothing appears in squid's access.log
> >
> >
> > ----------------test2------------------------
> > After some rerouting to reach the gate through eth0
> >
> > GATE:/#iptables -t nat -I PREROUTING -p TCP -s `CLIENT` \
> > --destination-port 80 -i eth0 -j REDIRECT --to-ports 3128
> >
> > and all works fine.
> > ---------------------------------------------
> >
> > Is there any difference for netfilter if catching traffic on eth or vlan
> > interface ?
>
> does vlan8 have an IP address? REDIRECT rewrites the packet's dst IP to
> be the IP of the interface the packet was received on, i'd imagine it
> would get confused if the interface didn't have an IP address.
>
> alternatively, you may have some funky routing going on--i wouldn't be
> surprised if you tcpdumped the other interfaces and saw the SYN/ACK from
> the first example going out an interface other than vlan8--does:
>
> ip route get $CLIENT_IP
>
> show that the packet is routed via dev vlan8?
>
> just some things to consider.
>
> -j

Thanks for reply Jason.
Binding squid on 0.0.0.0:3128 instead of $GATE_IP:3128 fixes the problem.
Not work on $VLAN8_IP:3128 ?

--
Best Regards,
Martin Vassilev
NetSurf.net Ltd.
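
Added example, not part of the original thread: a shell check of the behaviour described in the quoted reply, where REDIRECT rewrites the destination to the address of the interface the packet arrived on, so a proxy bound to one specific other address never sees the connection. The interface addresses are constructed sample values, and `redirect_target` and `listener_check` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample in the format of `ip -o -4 addr show` (documentation
# address ranges, not values from the thread). On a real gateway, set
# ADDRS="$(ip -o -4 addr show)" before calling the functions instead.
ADDRS=${ADDRS:-'2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0
5: vlan8    inet 198.51.100.1/24 brd 198.51.100.255 scope global vlan8
5: vlan8    inet 198.51.100.9/24 scope global secondary vlan8'}

# Print the address REDIRECT would rewrite to for packets received on
# interface $1. Assumption: this is the interface's primary IPv4 address,
# taken here as its first non-secondary inet entry. Fails if there is none.
redirect_target() {
    printf '%s\n' "$ADDRS" | awk -v ifc="$1" '
        $2 == ifc && $3 == "inet" && $0 !~ / secondary / {
            split($4, a, "/"); print a[1]; found = 1; exit
        }
        END { exit !found }'
}

# Would a proxy listening on address $1 receive connections that were
# REDIRECTed on interface $2?
# Prints: reachable | mismatch:<rewritten dst> | no-address
listener_check() {
    target=$(redirect_target "$2") || { echo "no-address"; return 2; }
    case "$1" in
        # A wildcard bind accepts any local address; otherwise the bind
        # address must equal the rewritten destination exactly.
        0.0.0.0|"$target") echo "reachable" ;;
        *) echo "mismatch:$target"; return 1 ;;
    esac
}

# Walk the cases from the thread: proxy bound to the eth0 address (standing
# in for $GATE_IP) versus a wildcard bind, with traffic arriving on each
# interface. vlan9 has no IPv4 address in the sample.
for bind in 192.0.2.1 0.0.0.0; do
    for ifc in eth0 vlan8 vlan9; do
        printf 'bind=%s in=%s -> %s\n' "$bind" "$ifc" \
            "$(listener_check "$bind" "$ifc" || true)"
    done
done
```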