On 15-03-2010 at 18:00 Hubert Choma wrote:
> On 15-03-2010 at 14:42 Henrik Nordström wrote:
> > Mon 2010-03-15 at 14:00 +0100 Hubert Choma wrote:
> >
> > > iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT
> > > --to-port 8080
> > > Is it a correct iptables rule?
> >
> > Is eth0 the interface where clients traffic is arriving?
> >
> > If you are using wccp then the interface is usually a gre interface, not
> > ethx..
> >
> > Regards
> > Henrik
>
> Hello Henrik, thanks for help!
>
> I don't use WCCP; eth0 is the interface for WAN. Yes, you are right: when
> eth0 is set then my site doesn't work from the WAN side and the LAN side. I
> changed it from eth0 to eth1
>
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> but sites are loading very long !!
>
> My topology
> UTM Router 192.168.1.1----->eth0 192.168.1.2 (services for WAN
> apache,FTP)---->eth1 192.168.0.1 (on eth1 works squid 192.168.0.1:8080 as
> transparent proxy)---LAN XP clients 192.168.0.0/24
> So I have 2 NAT:
> First UTM router
> SECOND Linux (Centos router with apache, ftp and squid services)
> I would like to set up squid as a transparent proxy for LAN clients.
>
> I have a few doubts:
> 1) squid uses dns from resolv.conf, so I have 3 nameservers
> nameserver 194.204.152.34 first dns from internet provider (DSL)
> nameserver 194.204.159.1 second dns
> nameserver 192.168.1.1 (UTM router)
>
> My public IP 83.18.17.30 is assigned to domain geodezja.wolomin.pl,
> so what entries should I use in /etc/hosts? The Centos machine hostname is
> proliant.
> I have 2 NICs and 1 hostname=proliant, so I think maybe it is a problem
> with correct resolving of internal LAN names. Look at my /etc/hosts
>
> What should valid entries look like for the ProLiant machine with 2
> NICs??
>
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost proliant
> 192.168.1.2 proliant
> 192.168.0.1 proliant.geodezja.wolomin.pl proliant
> #83.18.17.30 geodezja.wolomin.pl proliant
> 192.168.0.2 sm2
> 192.168.0.3 sm3
> 192.168.0.4 sm4
> 192.168.0.6 sm19
> 192.168.0.8 sm9
> ::1 localhost6.localdomain6 localhost6
>
> 2) Maybe it's an iptables problem???????
> I still have an error with /etc/init.d/squid start [failed] and in the logs
> there are no warnings or errors!?
>
> Sorry for my English
> PLEASE HELP!

I noticed a worrying thing! Yesterday I installed squid on my machine at
home, Centos 5.4. By default, squid 2.6 was installed from the Centos
repository.
1) I did uninstall "yum remove squid".
2) I have downloaded from http://people.redhat.com/~jskala/squid/ squid 2.7 Stable-1.el5
3) remove /etc/squid/ , /var/log/squid , /var/spool/squid
4) yum localinstall --nogpgcheck squid-2.7.STABLE7-1.el5
5) I had to create the /var/log/squid/run directory manually for the squid .pid file, permissions 776, owner and group squid

[root@proliant squid]# ls -al
drwxr-x--- 3 squid squid 4096 mar 15 12:55 .
drwxr-xr-x 19 root root 4096 mar 16 04:05 ..
-rw-r----- 1 squid squid 340215 mar 15 20:20 access.log
-rw-r----- 1 squid squid 153839 mar 14 04:02 access.log.1.gz
-rw-r----- 1 squid squid 761563 mar 15 23:07 cache.log
drwxrwxrw- 2 squid squid 4096 mar 15 23:07 run

6) squid -z
7) iptables -A INPUT -p tcp --dport 8080 -j ACCEPT (and another rule for port 80)
8) service squid start shows [FAILED] AND I RECEIVE AN ERROR !! THE SAME AS ON MY PRODUCTION SERVER !!!!
service squid status shows running !!
But service squid restart:
Zatrzymywanie squid: [ OK ]
Uruchamianie squid: [NIEUDANE]
[root@proliant /]#
NIEUDANE = FAILED
All of the above things are done from the root account. In cache.log there are no warnings or errors!
What's going on? How can I track the error? How can I find the error or the cause of the error??
squid -X shows nothing wrong. What am I doing wrong?

My iptables

#!/bin/sh
modprobe ip_nat
modprobe ip_conntrack_ftp
modprobe ip_conntrack
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
# RDP forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.6:3389
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
# Draytek syslog forwarding
iptables -t nat -I PREROUTING -p udp -i eth0 -d 0/0 --dport 514 -j DNAT --to 192.168.0.6
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 514 -j ACCEPT
iptables -t nat -I PREROUTING -p udp -i eth0 -d 0/0 --dport 513 -j DNAT --to 192.168.0.6
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 513 -j ACCEPT
# SERVICES FOR WAN (eth0 = httpd, ftp, ssh, postgres)
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# DNS INPUT
iptables -A INPUT -p udp -s 194.204.152.34/32 --source-port 53 -d 0/0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 192.168.1.2

I noticed that when I type:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
clients from the WAN (internet side) can't connect to my site on apache (all traffic
on port 80 is redirected to squid, but I need httpd to work on 80 on eth0; squid works on eth1).
I add -s 192.168.0.0/24
iptables -A PREROUTING -t nat -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
now clients connect to my site, but the connection to the internet from LAN to WAN is very slow.
I think it was creating a strange loop??
PLEASE HELP!!
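The thread above turns on where the REDIRECT rule is attached: the interface the LAN clients' packets arrive on (eth1), scoped to the LAN subnet, rather than the WAN interface that also carries traffic for httpd. The following POSIX sh script is an added example written for this page; it is not code from the thread or from the Squid project. It generates the transparent-proxy rules for the two-NIC layout described in the thread and lints a list of iptables rule lines for the two mistakes discussed there: a REDIRECT bound to the WAN interface, and a REDIRECT with no source subnet. The function names, the lint heuristics, and the extra INPUT rule restricting the proxy port to the LAN side are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build and lint transparent-proxy
# rules for a router with a WAN NIC (eth0) and a LAN NIC (eth1) running squid.

# gen_redirect_rules WAN_IF LAN_IF LAN_NET PROXY_PORT
# Prints rules that intercept only LAN web traffic. The REDIRECT is attached to
# the LAN interface and limited to the LAN subnet, so port 80 arriving on the WAN
# interface (httpd) is never sent to squid. The proxy port is accepted only from
# the LAN side; INPUT policy DROP on the WAN side is assumed, as in the thread.
gen_redirect_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3; proxy_port=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-port $proxy_port
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $proxy_port -j ACCEPT
# (assumed) explicit drop so the proxy port is never reachable from $wan_if
iptables -A INPUT -i $wan_if -p tcp --dport $proxy_port -j DROP
EOF
}

# lint_redirect_rules WAN_IF  (rule lines on stdin)
# Flags every REDIRECT rule that is bound to the WAN interface or that has no
# source subnet. Returns 1 if anything was flagged, 0 otherwise.
lint_redirect_rules() {
    wan_if=$1
    status=0
    while IFS= read -r rule; do
        # Only nat REDIRECT rules are of interest.
        case "$rule" in
            *"-j REDIRECT"*) ;;
            *) continue ;;
        esac
        # REDIRECT on the WAN interface captures traffic meant for local services.
        case "$rule" in
            *"-i $wan_if "*)
                echo "REDIRECT bound to WAN interface $wan_if: $rule"
                status=1 ;;
        esac
        # Without a source subnet the rule matches anyone on that interface.
        case "$rule" in
            *" -s "*) ;;
            *)
                echo "REDIRECT without source subnet: $rule"
                status=1 ;;
        esac
    done
    return $status
}

# Demo with the values from the thread (eth0 = WAN, eth1 = LAN, squid on 8080).
gen_redirect_rules eth0 eth1 192.168.0.0/24 8080
gen_redirect_rules eth0 eth1 192.168.0.0/24 8080 | lint_redirect_rules eth0 \
    && echo "generated rules: OK"
# The first rule posted in the thread: it is flagged on both counts.
printf '%s\n' 'iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080' \
    | lint_redirect_rules eth0 || true
```

Run the lint over the output of `iptables-save -t nat` (or over a saved copy of the firewall script) with the WAN interface name as the argument; a non-zero exit status means at least one REDIRECT rule either sits on the WAN interface or is not limited to a source subnet.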