Bridge + Squid + Inbound port 80 headaches

Howdee. I'm looking for help on an issue with my bridging Squid server. I'm new to configuring Squid but have been "in" and around it for a few years, so I'm not a total idiot with it. I have:

Mandriva 2005
2 NICs - eth0 & eth1
Squid 2.5 Stable
1.06 Bridge-Tools

Network layout is like this:

INTERNET
  |
  |
CISCO ROUTER     -      ANOTHER ROUTER
  |
  |
SQUID BOX - In Bridge Mode
  |
  |
NAT SERVER for Our Clients -------------- NAT SERVER for Our Servers
  |                                       |
  |                                       |
CLIENTS                                 SERVERS



Our clients go out one NAT router/firewall, whose WAN interface gateways to the Cisco router. Our servers go out the other router. Both go through this Squid server to take full advantage of caching. I set my Squid box up like this:

in RC.Local:

# Makeshift Bridge Setup: eth0 and eth1 become ports of br0, and the box
# itself is reachable on the bridge address
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ip link set br0 up
ip addr add X.X.X.X/21 dev br0
ip route add default via X.X.X.X dev br0

# Makeshift Forward anything coming in on Bridge Port 80 to Squid
# (matches every TCP/80 packet entering br0, whichever direction it travels)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Accept the redirected connections on Squid's port, but only from our own /21
iptables -A INPUT -i br0 -p tcp -d "bridgeIP" -s "mypublicipspace"/21 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

# End of Goofy Config

My squid.conf file was only modified in 5 places:

# Squid 2.5 transparent interception (httpd_accel) settings
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Only our own public /21 may use the proxy
acl our_networks src X.X.X.X/21
http_access allow our_networks

Everything in this scenario works fine, except that users on the outside of the Squid server, on the Internet, cannot reach our web servers. Sometimes I get the Access Denied Squid error page (but only sometimes; other times they just time out, which is really odd).

Users on the inside go out, including to our own web servers (for which they obviously never reach the Squid box), and everything is cached and works well.

When I enable "Allow All" 0.0.0.0/0.0.0.0 in the proxy restrictions, using a test box hooked up behind the Squid server, it works fine in both directions. However, I'm wide open. Users on the outside can use my Squid server for caching, and I'm sure I don't want that. :) Been there, been blacklisted. :) Since I really ticked everyone off this a.m. when I thought I had this all licked, I cannot easily jack the Squid server back into the loop for testing. The test box is running a web program on port 80 and can be reached from the outside if the allow-all statement is in.

Am I asking to do something too odd here? I monkeyed around with my iptables statements, trying different things, and either I get the same result, or the traffic flows through the bridge and is just not cached.

Any help is much appreciated!

Tim
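
The setup described in the post (inside-out HTTP intercepted and cached, inbound HTTP from the Internet to the servers bridged through untouched, and the proxy port closed to everyone outside), expressed as a small rc.local-style script. This is an added example, not part of the original post or its rc.local. It keeps the poster's bridge and Squid settings and changes one thing in the iptables rules: the PREROUTING REDIRECT matches only packets whose source is our own /21, so a connection arriving from the Internet for one of our web servers is never handed to Squid and therefore can neither hit the Squid ACL nor be dropped by the INPUT rule. The addresses (documentation ranges), the DRY_RUN switch and the assumption that bridged frames pass through iptables (bridge-nf, which the poster's existing REDIRECT rule already relies on) are the example's own.

```shell
#!/bin/sh
# Added example, not the original poster's rc.local. Same bridge + Squid
# interception, but the REDIRECT matches only HTTP that originates inside
# our own /21, so Internet clients connecting to our web servers on port 80
# are bridged straight through instead of being handed to Squid.
# Assumes a kernel where bridged frames traverse iptables (bridge-nf), as the
# poster's existing REDIRECT rule already does. All addresses are placeholders
# from the documentation ranges; override them through the environment.
set -eu

BR="${BR:-br0}"
BR_IP="${BR_IP:-203.0.113.10}"        # assumed: the bridge's own address
OUR_NET="${OUR_NET:-203.0.112.0/21}"  # assumed: our public /21
GW="${GW:-203.0.112.1}"               # assumed: the Cisco router
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-}"                # set to 1 to print commands instead of running them

# Run a command, or print it when DRY_RUN is set (one rule per line).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" eth0
    run brctl addif "$BR" eth1
    run ip link set "$BR" up
    run ip addr add "$BR_IP/21" dev "$BR"
    run ip route add default via "$GW" dev "$BR"
}

firewall_rules() {
    # 1. Intercept only HTTP whose source is our own address space. Inbound
    #    connections from the Internet do not match and are bridged as-is
    #    (not cached, but they reach the servers).
    run iptables -t nat -A PREROUTING -i "$BR" -p tcp -s "$OUR_NET" \
        --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # 2. Accept the redirected connections on Squid's port, from inside only.
    run iptables -A INPUT -i "$BR" -p tcp -d "$BR_IP" -s "$OUR_NET" \
        --dport "$SQUID_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. Drop every other attempt to reach the proxy port, so nobody outside
    #    can use the box as an open proxy even with a permissive squid.conf.
    run iptables -A INPUT -i "$BR" -p tcp -d "$BR_IP" \
        --dport "$SQUID_PORT" -j DROP
}

case "${1:-}" in
    apply) setup_bridge; firewall_rules ;;
    show)  DRY_RUN=1; setup_bridge; firewall_rules ;;
    *)     ;;   # run without an argument: only define the functions
esac
```

Run it as `sh bridge.sh show` to see the exact commands it would issue, and `sh bridge.sh apply` from rc.local to install them. The Squid ACL in squid.conf can stay as the poster has it (`http_access allow our_networks` only), since no outside-sourced connection ever reaches port 3128 with these rules.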

