On Thu, 3 Mar 2005, Axel Böhme wrote:
> We've tried the following iptables rules on the firewall:
>
> iptables -t nat -A PREROUTING -i "Interface for local net" -s ! "squid-machine" -p tcp --dport 80 -j DNAT --to-destination "squid-machine:3128"
> iptables -t nat -A POSTROUTING -o "Interface for local net" -s "172.21.0.0/16" -d "squid-machine" -j SNAT --to "localhost"
> iptables -A FORWARD -s "172.21.0.0/16" -d "squid-machine" -i "Interface for local net" -o "Interface for local net" -p tcp --dport 3128 -j ACCEPT
>
> That doesn't work. What is wrong?
First the basic test: Does it work if the users configure their browsers to use the proxy?
Another thing, try disabling the sending of ICMP redirects. From the above configuration it appears that you are bouncing the traffic back to the same network interface it came from on the gateway and this normally triggers an ICMP REDIRECT to be sent.
What does tcpdump on the Squid server indicate?
Please note that NAT:ing connections like this is incompatible with old HTTP/1.0 clients not sending Host headers in their requests. On such requests the original destination will be unrecoverably overwritten by the NAT and Squid has no means of recovering the original destination. Because of this you should set httpd_accel_host to something meaningful rather than virtual when NAT:ing traffic like this to a Squid on a separate machine. The "httpd_accel_host virtual" trick only works when Squid is running on the gateway itself.
Regards Henrik
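As an added example, not part of the thread, here is a small shell script that renders the three rules for the "Squid on a separate LAN host" setup discussed above together with the sysctl that switches off the ICMP redirects Henrik mentions. The interface name, subnet and addresses are assumed placeholders; the script only prints the commands, it does not apply them, and it uses the current `! -s` negation syntax rather than the older `-s !` form in the quoted rules.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# gen_rules LAN_IF LAN_NET GW_LAN_IP SQUID_IP
# Prints, does not apply, the NAT/forward rules for a transparent Squid
# living on a separate host inside the LAN (hairpin through the gateway).
gen_rules() {
    lan_if=$1; lan_net=$2; gw_ip=$3; squid_ip=$4
    # Squid's own outbound port-80 traffic must not be looped back to Squid.
    printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport 80 -j DNAT --to-destination %s:3128\n' \
        "$lan_if" "$squid_ip" "$squid_ip"
    # Replies from Squid have to pass back through the gateway so the DNAT
    # can be undone: rewrite the source to the gateway's LAN address,
    # not to localhost.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport 3128 -j SNAT --to-source %s\n' \
        "$lan_if" "$lan_net" "$squid_ip" "$gw_ip"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport 3128 -j ACCEPT\n' \
        "$lan_if" "$lan_if" "$lan_net" "$squid_ip"
}

# needs_redirect_off IN_IF OUT_IF
# True when the redirected traffic leaves on the interface it arrived on;
# that is the case in which the kernel would emit ICMP redirects.
needs_redirect_off() {
    [ "$1" = "$2" ]
}

# redirect_sysctl LAN_IF
# Prints the sysctl that stops the gateway from sending ICMP redirects
# on the LAN interface.
redirect_sysctl() {
    printf 'sysctl -w net.ipv4.conf.%s.send_redirects=0\n' "$1"
}

# Constructed sample values: LAN on eth1, gateway 172.21.0.1, Squid 172.21.0.10.
if [ "${1:-}" = "--demo" ]; then
    gen_rules eth1 172.21.0.0/16 172.21.0.1 172.21.0.10
    needs_redirect_off eth1 eth1 && redirect_sysctl eth1
fi
```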