On Tue, 4 Aug 2009 17:01:45 -0700 (PDT), casket88 <jamespeek@xxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> We have several interconnected branches on their own networks. I would like
> to shut off web access directly from all branches except head office.
>
> We have an Untangle gateway configured as a transparent bridge at head
> office that all traffic passes through. I would like to keep on using this
> for content filtering and logging. However I want a Squid server to be able
> to accept connections from our branches, use its caching and then redirect
> it out through the Untangle gateway for logging. We will be redirecting all
> web traffic on our Cisco routers at each branch to the proxy server.
>
> I have Squid set up to allow connections from all our internal networks and
> set up iptables with the following command:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> This all works fine and I am able to surf through the proxy, which appears
> to be caching correctly and forwarding it to our gateway which performs the
> content filtering and logging. The only problem is that through the NAT
> process the source IP address is replaced with that of the Squid server and is
> logged accordingly.

Yes. This is how NAT operates.

> How would I go about configuring Squid to accept connections, cache them and
> then forward the request on to the webserver via the gateway WITHOUT
> replacing the source IP address?

Get rid of NAT and use TPROXY for the capture instead.

> In summary: user requests connection to website on port 80, request
> transparently redirected to Squid on Cisco router, Squid accepts it and
> forwards it to webserver through gateway.

NP: Your word 'transparently redirected' appears to mean 'routed' in that paragraph. Please use the word 'transparent' less /rant.

Amos
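The TPROXY capture Amos points to, written out as an added example. This is not code from the thread or from the Squid project; it is the standard mangle-table recipe for Linux TPROXY interception in front of Squid, with the interface name (eth0), the TPROXY listening port (3129), the firewall mark (1) and the policy-routing table number (100) being assumptions chosen here, not values from the post. The script prints the commands by default (DRY_RUN=1) so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original thread): replace the nat-table REDIRECT,
# which rewrites the destination and therefore makes Squid the visible source,
# with TPROXY in the mangle table, which hands the packet to Squid's socket
# without rewriting any address. Squid, listening with the "tproxy" option,
# then opens its upstream connection with the client's IP as source, so the
# Untangle bridge logs the real client.
#
# Assumed (hypothetical) values: LAN interface eth0, TPROXY port 3129,
# fwmark 1, routing table 100. Requires Squid 3.1+ built with TPROXY support,
# Linux 2.6.28+ and iptables 1.4.3+.

LAN_IF=${LAN_IF:-eth0}
TPROXY_PORT=${TPROXY_PORT:-3129}
MARK=${MARK:-1}
TABLE=${TABLE:-100}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel, routing and netfilter setup for TPROXY interception of port 80.
tproxy_rules() {
    # The box forwards traffic for the branches, and reverse-path filtering
    # must not drop packets that carry foreign (client) source addresses.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.${LAN_IF}.rp_filter=0"

    # Policy routing: anything carrying the mark is delivered to a local
    # socket even though its destination address is not ours.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"

    # DIVERT chain: mark and accept packets that already belong to a local
    # socket (replies from the web server addressed to the client IP).
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # New port-80 connections from the LAN side are handed to Squid's TPROXY
    # port. No nat table involved: source and destination stay as sent.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# Matching squid.conf fragment: keep 3128 for explicit (forward) proxy use,
# add a separate port flagged "tproxy" for the intercepted traffic.
squid_conf_fragment() {
    cat <<EOF
# squid.conf fragment (added example)
http_port 3128
http_port ${TPROXY_PORT} tproxy
EOF
}

# Usage:  sh tproxy-squid.sh            (dry run, prints the commands)
#         DRY_RUN=0 sh tproxy-squid.sh  (apply; run as root)
tproxy_rules
squid_conf_fragment
```

Two caveats before relying on this. First, delete the old `-t nat ... -j REDIRECT --to-port 3128` rule; if it stays in front of the TPROXY rule it still wins. Second, because Squid now sends upstream with the client's address, the web server's replies are addressed to the client, not to Squid, so the return path from the Untangle gateway must pass through the Squid host (it is the router for the branches, or the gateway routes branch prefixes back to it); the `-m socket -j DIVERT` rule is what steers those replies into Squid's socket instead of forwarding them straight to the branch. If the Squid box sits off to the side of the return path, the TCP handshake never completes.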