Thu 2006-12-28 at 05:31 -0800, zulkarnain wrote:
> Hi,
>
> I'm having a problem running transparent proxy with
> squid-2.6S6 where squid is not running in the same box
> with router/firewall.

"transparent" and "not running on the router/firewall" is tricky unless one uses WCCP or similar support in the router..

> [Firewall]:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
> 80 -j DNAT --to 192.168.1.2:3128

This only kind of works, but is very tricky to get right.

First problem is that the proxy box MUST be configured to route return traffic to the clients via the firewall when using iptables like this.

Second problem is that the original destination is lost in the DNAT, so the proxy may have a hard time figuring out where the request should be sent.

The second problem can be avoided by using policy routing (or maybe the ROUTE iptables target) instead of DNAT to route the traffic to the Squid server. The first is harder... things get a lot easier if you add a "dmz" leg to the firewall and move the proxy there.

Regards
Henrik
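The two ways of steering port-80 traffic from the firewall to a Squid box on another host, written out as a small script. This is an added example and not code from the thread or from the Squid project; the interface names (eth0 client side, eth2 as the "dmz" leg), the client network 10.0.0.0/24, the firewall address 192.168.1.1, the routing table id 100 and the fwmark value 1 are assumptions for illustration, and only 192.168.1.2:3128 comes from the original post. With DRY_RUN set the script prints the commands instead of running them, so it can be read offline; without it, each function must run as root on the box named in its comment.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): the DNAT approach the
# original poster used, next to the policy-routing approach Henrik suggests.
# Interface names, the client network, the firewall address, the table id and
# the mark value are assumptions; only 192.168.1.2:3128 is from the post.
CLIENT_IF=${CLIENT_IF:-eth0}             # firewall leg the clients sit behind
PROXY_IF=${PROXY_IF:-eth2}               # firewall leg the proxy sits on ("dmz")
PROXY_IP=${PROXY_IP:-192.168.1.2}        # the Squid box
FIREWALL_IP=${FIREWALL_IP:-192.168.1.1}  # firewall as seen from the proxy
CLIENT_NET=${CLIENT_NET:-10.0.0.0/24}    # where the clients live
SQUID_PORT=${SQUID_PORT:-3128}
PROXY_TABLE=${PROXY_TABLE:-100}          # policy routing table id (arbitrary)
MARK=${MARK:-1}                          # fwmark value (arbitrary)

# With DRY_RUN set, print the commands instead of executing them
# (iptables and ip need root and a real kernel).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1, on the firewall: DNAT (what the original poster had).
# The destination address is rewritten, so Squid only ever sees a connection
# to PROXY_IP:SQUID_PORT and has to guess the real server from the Host: header.
firewall_dnat_rules() {
    run iptables -t nat -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$SQUID_PORT"
}

# Approach 1, on the proxy: replies to the clients MUST go back through the
# firewall so its conntrack can reverse the DNAT.  If the proxy answers the
# client directly, the client gets a packet from PROXY_IP:SQUID_PORT that it
# never connected to and resets the connection.
proxy_return_route_for_dnat() {
    run ip route replace "$CLIENT_NET" via "$FIREWALL_IP"
}

# Approach 2, on the firewall: policy routing.  Packets are marked, not
# rewritten, so the original destination survives.  Traffic from the proxy
# itself is excluded so that Squid's own fetches are not looped back to it.
firewall_policy_routing_rules() {
    run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" ! -s "$PROXY_IP" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$PROXY_TABLE"
    run ip route replace default via "$PROXY_IP" dev "$PROXY_IF" table "$PROXY_TABLE"
}

# Approach 2, on the proxy: the packets arrive still addressed to the real web
# server.  REDIRECT hands them to the local Squid port; nat PREROUTING runs
# before the routing decision, so the non-local destination is not a problem,
# and conntrack keeps the original destination for Squid to read back.
proxy_redirect_rules() {
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

case "${1:-}" in
    firewall-dnat)   firewall_dnat_rules ;;
    proxy-dnat)      proxy_return_route_for_dnat ;;
    firewall-policy) firewall_policy_routing_rules ;;
    proxy-policy)    proxy_redirect_rules ;;
    *) : ;;   # no argument: only define the functions
esac
```

Usage: `DRY_RUN=1 sh steer.sh firewall-policy` shows the firewall side of approach 2, `sh steer.sh proxy-policy` applies the proxy side. In either approach the proxy's default route has to point at the firewall, and for approach 2 Squid 2.6 needs `http_port 3128 transparent` in squid.conf so it picks up the original destination from the REDIRECT. The DNAT variant is left in only to show what has to be added to make it work at all; it still loses the original destination, which is why the policy-routing variant is preferable.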