can you give the iptables rule ? :(

On Fri, Aug 22, 2008 at 10:50 AM, Michael Alger <squid@xxxxxxxxxxx> wrote:
> On Fri, Aug 22, 2008 at 10:07:53AM +0700, ????????? ????z??up?????? ??z?????? ????????? wrote:
>> ## Forward port 80 to mail server
>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 \
>>   --dport 80 -j DNAT --to-destination 172.16.0.2
>
> This looks like you're redirecting from your external interface's
> port 80 to another server. Presumably there's nothing listening on
> port 80 on your DMZ server?
>
>> problem :
>> I can't browse to my-sub.domain.ext from the network,
>> but I can browse my-sub.domain.ext from external (other place).
>>
>> The following error was encountered:
>>
>>   * Connection to 202.169.51.119 Failed
>>
>> The system returned:
>>
>>   (111) Connection refused
>
> Your proxy is connecting from a different interface (eth2 I think)
> and therefore the connection to port 80 is not being redirected to
> the mail server. You *may* be able to solve this by also redirecting
> the connection from your proxy server, but you'll also need to use
> source NAT so your mail server's www service sends its replies to
> your DMZ server. Without the SNAT, the mail server will reply
> directly to the proxy server, and that will confuse the proxy
> because it thinks it's talking to your external IP.
>
> The other common solution to this problem is to use so-called "split
> horizon DNS", whereby you have internal DNS servers which return the
> internal address (i.e. my-sub.domain.ext will resolve to 172.16.0.1,
> rather than your external IP) but your external DNS servers will
> return your external address. That way your clients inside the
> network get the correct address.
>
> Depending on how your squid is doing DNS lookups, you may be able to
> add an entry to the /etc/hosts file on your proxy server and then
> explicitly configure the proxy for your clients. If that works this
> might provide an acceptable short-term solution.
> --
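The "also redirect from the proxy, plus SNAT" option Michael describes, written out as an added example (not a rule set from the thread or from the Squid project). It reuses the addresses from the thread (eth0 / 202.169.51.119 external, mail server 172.16.0.2) and assumes the proxy reaches the firewall on eth2 from the 172.16.0.0/24 network and that 172.16.0.1 is the firewall's internal address; both are assumptions, as is the dry-run wrapper that prints the commands instead of applying them until IPT is set to the real binary.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT so internal clients can reach the external IP
# of a DNAT'd service. Dry run by default: IPT=iptables sh hairpin.sh applies it.
IPT="${IPT:-echo iptables}"

EXT_IF="eth0"                  # external interface (from the thread)
EXT_IP="202.169.51.119"        # public address the DNAT rule matches (from the thread)
MAIL_IP="172.16.0.2"           # mail server's web service (from the thread)
INT_IF="eth2"                  # interface the proxy connects from (assumption)
INT_NET="172.16.0.0/24"        # network the proxy sits on (assumption)
FW_INT_IP="172.16.0.1"         # firewall's address facing the mail server (assumption)

hairpin_nat() {
    # 1. The original rule: external web hits on the public IP go to the mail server.
    $IPT -t nat -A PREROUTING -p tcp -i "$EXT_IF" -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$MAIL_IP"

    # 2. The same DNAT for connections arriving on the internal interface.
    #    Without this, the proxy's SYN to 202.169.51.119:80 hits the firewall
    #    itself, where nothing listens: "(111) Connection refused".
    $IPT -t nat -A PREROUTING -p tcp -i "$INT_IF" -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$MAIL_IP"

    # 3. SNAT only the internally-originated, DNAT'd connections so the mail
    #    server replies via the firewall (which un-DNATs to 202.169.51.119)
    #    instead of directly to the proxy, which would reject a reply from
    #    172.16.0.2 on a connection it opened to 202.169.51.119.
    $IPT -t nat -A POSTROUTING -p tcp -s "$INT_NET" -d "$MAIL_IP" --dport 80 \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$FW_INT_IP"
}

hairpin_nat
```

Matching `-s "$INT_NET"` on the SNAT rule keeps external visitors' real source addresses intact in the mail server's logs; only the hairpinned internal connections show up as coming from 172.16.0.1, which is the cost of this approach compared with split-horizon DNS or an /etc/hosts entry on the proxy.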