Amos Jeffries-2 wrote:
>
> On Tue, 4 Aug 2009 17:01:45 -0700 (PDT), casket88
> <jamespeek@xxxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> We have several interconnected branches on their own networks. I would like
>> to shut off web access directly from all branches except head office.
>>
>> We have an Untangle gateway configured as a transparent bridge at head
>> office that all traffic passes through. I would like to keep on using this
>> for content filtering and logging. However I want a Squid server to be able
>> to accept connections from our branches, use its caching and then redirect
>> it out through the Untangle gateway for logging. We will be redirecting all
>> web traffic on our Cisco routers at each branch to the proxy server.
>>
>> I have Squid set up to allow connections from all our internal networks and
>> set up IPtables with the following command:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> This all works fine and I am able to surf through the proxy, which appears
>> to be caching correctly and forwarding it to our gateway which performs the
>> content filtering and logging. The only problem is that through the NAT
>> process the source IP address is replaced with that of the Squid's and is
>> logged accordingly.
>
> Yes. This is how NAT operates.
>
>>
>> How would I go about configuring Squid to accept connections, cache them
>> and then forward the request on to the webserver via the gateway WITHOUT
>> replacing the source IP address?
>
> Get rid of NAT and use TPROXY for the capture instead.
>
>>
>> In summary: user requests connection to website on port 80, request
>> transparently redirected to Squid on Cisco router, Squid accepts it and
>> forwards it to webserver through gateway.
>
> NP: Your word 'transparently redirected' appears to mean 'routed' in that
> paragraph. Please use the word 'transparent' less
> /rant.
>

The usage of the word "transparent" is in reference to the users, it is transparent to them. Transparent is a good word, I think I'll use it more. Regardless, I will look into TPROXY. Thanks.

-- 
View this message in context: http://www.nabble.com/Squid---Not-replace-source-IP-address-tp24818364p24818555.html
Sent from the Squid - Users mailing list archive at Nabble.com.
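
As an added illustration (not part of the thread or of Squid's own tooling), this script reads `iptables-save` output and reports whether port-80 interception still uses the NAT REDIRECT rule from the question, which rewrites the source address, or a TPROXY capture as recommended in the reply. The rule dumps, port 3129 and mark 0x1 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. All rule dumps below are constructed samples.

# Read `iptables-save` output on stdin; report how port-80 traffic is captured.
#   nat-redirect: NAT REDIRECT, Squid's own address becomes the source upstream
#   tproxy:       mangle TPROXY, the client source address is preserved
#   conflict:     both present; the leftover NAT rule must be deleted
classify_intercept() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /^-A PREROUTING/ && /--dport 80( |$)/ {
            if (table == "nat" && /-j REDIRECT/)  nat = 1
            if (table == "mangle" && /-j TPROXY/) tproxy = 1
        }
        END {
            if (nat && tproxy) print "conflict"
            else if (nat)      print "nat-redirect"
            else if (tproxy)   print "tproxy"
            else               print "none"
        }'
}

# Constructed dump: the REDIRECT rule from the original question.
sample_nat() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# Constructed dump: a TPROXY capture (port 3129 and mark 0x1 are assumed values).
sample_tproxy() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
}

echo "question's rule set: $(sample_nat | classify_intercept)"
echo "TPROXY rule set:     $(sample_tproxy | classify_intercept)"
```

On a live proxy, run `iptables-save | classify_intercept` as root. TPROXY also needs policy routing for the marked packets and a `tproxy` listening port in squid.conf, neither of which this check inspects.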