On Wed, 2007-08-29 at 23:18 -0500, Rogelio Sevilla Fernandez wrote:
> I'm working with a WRT54GL and I want to make some whitelists for websites.
> I tried to do that with iptables + webstr but I had a lot of problems
> with hotmail. So I decided to install squid on a Win2k server and
> redirect all the web traffic from the WRT54GL to my Win2kServer.
>
> This is the scenario.
>
>
> INTERNET --- WRT54GL ----- --- Clients
>                            --- Win2KServer

This requires some heavy NAT:ing of the traffic due to the clients and
server being on the same side of the router.

> On the WRT54GL I have a rule to DNAT all the web traffic to the
> Win2KServer on port 3128, except for the Win2kServer itself.
>
> The squid on the Win2kServer appears to be working ok. But when the clients
> open their browser, I get an error from squid. The squid access.log
> shows:
> error:invalid-request

Have you configured squid.conf properly for transparent interception?

> And it only shows the IP of the WRT54GL and not the real IP of the clients.

Yes, that's because you NAT the traffic in the WRT54GL. The routing
would not work at all if the router did not masquerade the source IP in
the above setup, as the return traffic from the server needs to be routed
via the router when using NAT. (The above is a so-called loopback NAT
setup.)

What you can do is to move the server to a DMZ zone.

INTERNET --- NATROUTER ---- CLIENTS
                 |
                 |
               Server

This avoids the loopback, and allows traffic to be NAT:ed on one side
only, making the client IP available to the server.

Regards
Henrik
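A small packet-flow model of the two layouts discussed in the thread, added here as an illustration and not part of the original exchange. All addresses, host names and port numbers are constructed; the router is reduced to a DNAT of port-80 traffic to the proxy (exempting the proxy's own fetches) plus an optional source rewrite (masquerade), and each host hands packets directly to same-subnet peers and everything else to the router. It shows why, with the proxy on the client LAN, the proxy's reply bypasses the router and the client rejects it unless the source was masqueraded (so the proxy only ever sees the router's IP), and why a proxy on its own router interface keeps the real client IP without that trick.

```python
"""Toy model of the 'loopback NAT' problem: DNAT of web traffic to a proxy
that sits on the same LAN as the clients, versus a proxy in a DMZ.

Added example, not from the thread. Addresses and names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed client LAN
DMZ = ip_network("192.168.2.0/24")   # constructed DMZ on a second router interface
ROUTER_LAN = "192.168.1.1"           # the NAT router's LAN address
CLIENT = "192.168.1.50"
PROXY_LAN = "192.168.1.10"           # squid box on the same LAN as the clients
PROXY_DMZ = "192.168.2.10"           # squid box moved to the DMZ
PROXY_PORT = 3128
WEB_SERVER = "203.0.113.5"           # some Internet site (TEST-NET-3 address)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The answer a host sends back to whoever it saw as the sender."""
        return Packet(self.dst, self.dport, self.src, self.sport)

    def key(self) -> tuple:
        return (self.src, self.sport, self.dst, self.dport)


def via_router(src: str, dst: str) -> bool:
    """A host delivers directly to a peer on its own subnet and sends everything
    else to its default gateway; a packet addressed to the router itself
    naturally reaches the router too."""
    same_subnet = any(ip_address(src) in n and ip_address(dst) in n for n in (LAN, DMZ))
    return dst == ROUTER_LAN or not same_subnet


class Router:
    """PREROUTING-style DNAT of port 80 to the proxy, optionally with the source
    rewritten to the router's own address (masquerade)."""

    def __init__(self, proxy_ip: str, masquerade: bool):
        self.proxy_ip = proxy_ip
        self.masquerade = masquerade
        self.conntrack = {}  # expected reply 4-tuple -> original client packet

    def handle(self, pkt: Packet) -> Packet:
        # Original direction: redirect web traffic, except the proxy's own fetches.
        if pkt.dport == 80 and pkt.src != self.proxy_ip:
            src = ROUTER_LAN if self.masquerade else pkt.src
            nat = Packet(src, pkt.sport, self.proxy_ip, PROXY_PORT)
            self.conntrack[nat.reply().key()] = pkt
            return nat
        # Reply direction: undo both translations if this connection is known.
        orig = self.conntrack.get(pkt.key())
        return orig.reply() if orig is not None else pkt


def simulate(proxy_ip: str, masquerade: bool) -> dict:
    """Client opens a connection to WEB_SERVER:80. Report which address the proxy
    sees as the client, whether the proxy's reply passes through the router, and
    whether the client's TCP stack accepts the reply (it must match the 4-tuple
    the client opened, i.e. appear to come from WEB_SERVER:80)."""
    router = Router(proxy_ip, masquerade)
    syn = Packet(CLIENT, 40000, WEB_SERVER, 80)
    at_proxy = router.handle(syn)  # the SYN always goes via the default gateway
    syn_ack = at_proxy.reply()
    routed = via_router(syn_ack.src, syn_ack.dst)
    at_client = router.handle(syn_ack) if routed else syn_ack
    return {
        "proxy_sees_client_as": at_proxy.src,
        "reply_via_router": routed,
        "client_accepts": at_client.key() == syn.reply().key(),
    }


if __name__ == "__main__":
    for label, proxy, masq in [
        ("proxy on LAN, DNAT only", PROXY_LAN, False),
        ("proxy on LAN, DNAT + masquerade", PROXY_LAN, True),
        ("proxy in DMZ, DNAT only", PROXY_DMZ, False),
    ]:
        print(f"{label:32s} {simulate(proxy, masq)}")
```

The first case reproduces the symptom in the thread taken one step further (the proxy answers the client directly with the wrong source address, so the connection never completes); the second is the working loopback setup, where the proxy can only log the router's address; the third is Henrik's DMZ layout, where the return path already crosses the router and no source rewrite is needed.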