Re: Running squid out of the router/gateway

On 20/01/2012 1:11 p.m., Tim Fletcher wrote:
> On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:
>
>> Reading the squid site, it looks like NATting outgoing connections to a
>> squid running on another box is not a good idea.
>> Questions:
>> What is the suggested way to implement this scenario?
>> How can I get rid of the loop?
>
> I use this script to transparently proxy on a box that isn't the
> firewall using a combination of iptables to set a mark and then iproute
> to change the default GW for packets with that mark set.
>
> The idea is that we first of all accept packets from the proxy so they
> don't get marked, and then we mark all packets going to port 80 and then
> redirect them to the proxy.

Called "policy routing" and documented in the Squid wiki interception configs under that name.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute


> On the proxy host you will need to accept and redirect the packets to
> the squid port.
>
> iptables -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

You are missing "-t nat" on those rules.


Amos
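As an added example (not from the thread or the Squid wiki page), the two halves of the policy-routing setup Tim describes, with Amos's `-t nat` correction applied, written as a dry-run shell script. The proxy address 192.168.1.2, interface eth0 and Squid port 8080 come from the quoted rules; the mark value 1 and routing table 100 are assumptions.

```shell
#!/bin/sh
# Policy-routing interception for a Squid box that is not the gateway.
# Assumed: router LAN interface eth0, proxy host 192.168.1.2, Squid intercept
# port 8080, fwmark 1, routing table 100. Commands are only printed unless
# APPLY=1 is set in the environment.
PROXY_IP=${PROXY_IP:-192.168.1.2}
PROXY_PORT=${PROXY_PORT:-8080}
LAN_IF=${LAN_IF:-eth0}
MARK=${MARK:-1}
TABLE=${TABLE:-100}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Router/gateway side: exempt the proxy's own outbound HTTP first so its
# fetches are never marked (this is what breaks the loop), then mark all
# other port-80 traffic and route marked packets to the proxy via a
# dedicated table. Marking happens in mangle PREROUTING, which runs before
# the routing decision that consults the fwmark rule.
router_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" table "$TABLE"
}

# Proxy host side: both rules belong in the nat table (the table Tim's
# rules omitted). Traffic addressed to the proxy itself is left alone;
# everything else arriving on port 80 is redirected to Squid's intercept port.
proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Sanity check: returns 1 if any proxy-side iptables rule lacks "-t nat".
check_proxy_rules() {
    proxy_rules | grep '^iptables' | grep -v -- '-t nat' >/dev/null && return 1
    return 0
}

echo "# router/gateway"; router_rules
echo "# proxy host";     proxy_rules
```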