Re: Make Squid in interception mode completely

On Tue, 6 Dec 2011 21:05:27 +0700, Nguyen Hai Nam wrote:
Hi Edmonds,

That's really like my setup right now. But, as Amos said, the traffic
just passes from eth0 to eth1 but doesn't come to Squid, because it's
bridged. Actually, when watching the IP nat table, I still found some nat
rules showing up, but at the client side it still looks like direct access. And
stranger still, if I use another Linux box from the LAN to check with
curl -I http://something.com/ it returns header fields that include
"Via: 1.1 (squid 3.2)". I have no idea why.

Hold up. This sounds like it actually *is* working. Possibly you just have some rule that works for one client or subnet but not another.


From the client it *does* look like direct access. This is IMO why people seem to confuse it with transparent proxy. Only with intercept the server sees the Squid IP as the source.

With a bridging box there are four components that have to be configured properly:

- bridging rules (on Linux ebtables) must DROP the packets off the bridge logic as they go through the bridge machine (ie they enter the machine and *do not* get bridged, they must stay local to that box).
- NAT rules, to pass the packets to Squid *after* they are 'dropped' off of the bridge logic.
- routing rules, to properly route the squid outbound packets to the network gateway (and back).
- firewall & security limits, to permit any LAN packets to be handled by the bridge box locally. Also to permit the squid<->server traffic in/out.


You will notice these are all the same requirements (and configuration) as required for a routing box but with ebtables/bridging added on top.


Amos


At this moment, I still can't find more documentation from IPfilter
for deeper discovery.

~ Neddie

On Tue, Dec 6, 2011 at 12:03 PM, Edmonds Namasenda
<namasenda@xxxxxxxxx> wrote:
Hai,
Seems your network set-up is what might be ruining your connection
expectations or the "default gateway" needs a rule (possibly using a
firewall) to direct all HTTP traffic to the squid box rather than to
the internet.

Otherwise, think of the set-up below (with the Squid box the same as
the Gateway)

Internet Router    >>   Eth0 |- Squid box & Default Gateway -| Eth1
  Switch    >>   LAN

# Edz.

On Mon, Dec 5, 2011 at 5:14 PM, Nguyen Hai Nam <nam.nh@xxxxxxxx> wrote:

Hi Amos,

You're right, switch is not really true.

But I still can't find the way on a Solaris-like system, like /proc/sys/net/bridge


On Mon, Dec 5, 2011 at 7:25 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>
> "Like a switch"? or did you really mean "like a bridge"?
>
> * switch ... no solution. Switches do not perform the NAT operations
> required for interception. They also don't run software like Squid, so I
> think this is a bad choice of word in your description.
>
> * bridge ... requires dropping packets out of the bridge into the routing
> functionality. See the bridge section at
> http://wiki.squid-cache.org/Features/Tproxy4#ebtables_on_a_Bridging_device
>
> Amos


