Hi folks,

I would like to route HTTP traffic from my OpenBSD gateway to a dedicated host running squid 3.1 on Linux for interception. Here is a picture:

                        /|\ 87.189.95.69
                         |
                         | em0
                +--------+--------+
                | OpenBSD Gateway |
                +--------+--------+
                         | em1
                         |172.99.96.4
                         |
                         |172.99.96.50
                         |       +-------------------+
                         +-------| Linux Squid Proxy |
                         |       +-------------------+
                         |
                         |       +-------------+
                         +-------| HTTP Client | 172.99.96.156
                                 +-------------+

The iptables code on http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat was very helpful for small files, but for a large download on a slow line the http client prints "connection reset by peer" after 30+ secs, and terminates.

The state information on the OpenBSD gateway shows

    em1 tcp 87.189.95.69:80 <- 172.99.96.156:45848 CLOSED:SYN_SENT
    em1 tcp 87.189.95.69:80 <- 172.99.96.50:51229 ESTABLISHED:ESTABLISHED
    em0 tcp 80.149.209.55:64755 (172.99.96.50:51229) -> 87.189.95.69:80 ESTABLISHED:ESTABLISHED

immediately after the connection has been opened. The line with "CLOSED:SYN_SENT" goes away when the client gets the ECONNRESET. 30 seconds is the default timeout for removing entries from OpenBSD's stateful inspection table.

Is it possible that the squid proxy did not complete the TCP handshake via the gateway, but by using the direct connection to the client?

Any helpful comment would be highly appreciated.

Regards

Harri
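A way to check the hypothesis raised in the post (that only one direction of the client's handshake passed through the gateway) is to parse the `pfctl -ss` state lines and flag states that stay half-open while another LAN host holds a completed flow to the same server. The script below is an added example, not code from the post or from pf/squid; the sample input is constructed from the three state lines quoted above plus one extra, healthy flow (the 10.0.0.1:443 endpoint is made up for contrast), and the `parse_state_line` / `find_asymmetric_flows` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the pfctl -ss lines quoted in the post.
# The fourth line is an invented, fully established client flow for contrast.
SAMPLE_STATES = """\
em1 tcp 87.189.95.69:80 <- 172.99.96.156:45848 CLOSED:SYN_SENT
em1 tcp 87.189.95.69:80 <- 172.99.96.50:51229 ESTABLISHED:ESTABLISHED
em0 tcp 80.149.209.55:64755 (172.99.96.50:51229) -> 87.189.95.69:80 ESTABLISHED:ESTABLISHED
em1 tcp 10.0.0.1:443 <- 172.99.96.156:45900 ESTABLISHED:ESTABLISHED
"""

# One pfctl -ss line: iface, proto, endpoint [(pre-NAT endpoint)], arrow,
# endpoint [(pre-NAT endpoint)], "STATE:STATE".
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>[\d.]+:\d+)(?:\s+\((?P<left_orig>[\d.]+:\d+)\))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>[\d.]+:\d+)(?:\s+\((?P<right_orig>[\d.]+:\d+)\))?\s+"
    r"(?P<state>[A-Z_0-9]+:[A-Z_0-9]+)$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    initiator: str          # host that sent the first packet (client side)
    responder: str          # host it was sent to (server side)
    states: tuple           # the two state words exactly as pfctl prints them
    raw: str

    @property
    def half_open(self) -> bool:
        # A SYN was seen in one direction and nothing has come back yet.
        # Which word belongs to which side depends on pf's direction
        # handling, so the check is order-independent.
        return set(self.states) == {"SYN_SENT", "CLOSED"}

    @property
    def established(self) -> bool:
        return self.states == ("ESTABLISHED", "ESTABLISHED")


def parse_state_line(line: str) -> Optional[PfState]:
    """Outbound states print 'src -> dst', inbound states print 'dst <- src';
    a translated address is followed by the pre-NAT address in parentheses."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m["arrow"] == "->":
        initiator = m["left_orig"] or m["left"]      # prefer the pre-NAT source
        responder = m["right"]
    else:
        initiator = m["right_orig"] or m["right"]
        responder = m["left_orig"] or m["left"]
    a, b = m["state"].split(":")
    return PfState(m["iface"], m["proto"], initiator, responder, (a, b), line.strip())


def parse_states(text: str) -> List[PfState]:
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def find_asymmetric_flows(states: List[PfState]) -> List[dict]:
    """Flag half-open TCP states: the gateway saw the SYN but never the
    SYN-ACK, so the reply travelled some other path.  For each, list other
    hosts on the same interface that hold an established flow to the same
    server (in the post's topology, that is the proxy)."""
    findings = []
    for st in states:
        if st.proto != "tcp" or not st.half_open:
            continue
        others = sorted({
            o.initiator.rsplit(":", 1)[0]
            for o in states
            if o is not st and o.iface == st.iface and o.proto == "tcp"
            and o.responder == st.responder and o.established
        })
        findings.append({
            "iface": st.iface,
            "client": st.initiator,
            "server": st.responder,
            "other_established_from": others,
            "state": st.raw,
        })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_flows(parse_states(SAMPLE_STATES)):
        print(f"{f['iface']}: {f['client']} -> {f['server']} is half-open; "
              f"established flows to the same server from {f['other_established_from'] or 'nobody'}")
```

Run against live output with `pfctl -ss | python3 script.py` after replacing `SAMPLE_STATES` with `sys.stdin.read()`; a half-open entry that persists for the full 30 s while the same client is visibly receiving data is the signature of a reply path that bypasses the gateway.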