On 01.03.2012 23:41, Mustafa Raji wrote:
--- On Thu, 3/1/12, Amos Jeffries wrote:
From: Amos Jeffries
Also you said "using mikrotik dnat rule". Does that mean
your NAT is being done by the Mikrotik instead of the Squid
box? That is bad. Use policy routing or WCCP to push the
packets unchanged to the Squid box instead.
Amos
Thank you for your reply.
The Mikrotik is used just to redirect traffic from the client to Squid on
port 80; the Squid box is receiving the packet from the Mikrotik on
port 80. To be more clear, I used a rule to redirect TCP packets from the
client on port 80 (using Mikrotik DNAT) to the Squid box on port 80 to,
Ah, I thought so. Mikrotik has erased the destination IP information
during its DNAT. Squid is a separate box without direct access into
the Mikrotik kernel RAM, so Squid has no way to know what destination IP
should be connected to in order to fetch the request.
When you upgrade your Squid away from 3.1 it will start complaining
about "Host header forgery" and dumping traffic.
Squid 3.1 will let the traffic through without complaints, but then use
DNS to pick a random new destination IP for the site (breaking load
balancing) and add fake IP address information to your access.log
(breaking any monitoring/reporting you might want to do). For example,
your earlier log showed a client IP of 192.168.40.1 when that is not the
real client, but only the Mikrotik.
You would do well to start looking into other ways to *route* packets
than DNAT redirect on the Mikrotik. I know it is not hard; routing is a
basic feature and there are others doing policy routing or WCCP on
Mikrotik for the same setup you have. The benefits you will get are
worth a small amount of trouble finding out how to do it properly from
the start.
Alteration of the destination IP only; altering the TCP port is not
included in the Mikrotik, it's done in the Squid box.
outgoing IP your Squid uses?
We can say it is the IP of the Squid in my situation (the source IP of
Squid's outgoing packets), is this right?
Yes.
Since you have DNAT on the Mikrotik the Squid also needs bypassing
there, in the same way.
If this is right, why do I need a rule to accept the packets that are
coming from my Squid box? My iptables default policy is ACCEPT, so these
packets are accepted by default; why do I need such a rule?
Because PREROUTING and NAT are applied to both incoming and outgoing
packets. And because the default policy is a default. It only applies
when no rule like your DNAT one is present and catching the packets
first.
Amos
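The two layouts discussed in this thread, as an added example that is not code from the thread, from Squid or from MikroTik: a small shell script that emits the rules for the Mikrotik (RouterOS 6 syntax, assumed) and for the Squid box in the recommended form (policy routing on the router, NAT only on the Squid box), next to the dst-nat form the thread describes. The Squid box address 192.168.40.2, the 192.168.40.0/24 LAN, interface eth0 and intercept port 3129 are assumptions; only the Mikrotik address 192.168.40.1 comes from the thread's log.

```shell
#!/bin/sh
# Added example for the layout Amos recommends. Not code from the
# squid-users thread, from Squid or from MikroTik documentation.
# Assumed (hypothetical) values: Squid box 192.168.40.2 behind the
# Mikrotik at 192.168.40.1, LAN 192.168.40.0/24, intercept port 3129.

SQUIDIP="${SQUIDIP:-192.168.40.2}"
LAN_NET="${LAN_NET:-192.168.40.0/24}"
LAN_IF="${LAN_IF:-eth0}"          # Squid box interface facing the Mikrotik
SQUID_PORT="${SQUID_PORT:-3129}"  # squid.conf: http_port 3129 intercept

# What the thread describes (do not use): dst-nat on the Mikrotik.
# After this rule the packet arriving at the Squid box carries
# dst=$SQUIDIP, so the real server address is gone before Squid can
# read it with SO_ORIGINAL_DST; Squid has only the Host header left.
mikrotik_dnat_rule_bad() {
    cat <<EOF
/ip firewall nat add chain=dstnat src-address=$LAN_NET protocol=tcp dst-port=80 action=dst-nat to-addresses=$SQUIDIP to-ports=80
EOF
}

# Recommended: policy routing on the Mikrotik (RouterOS 6 syntax assumed).
# Packets are forwarded to the Squid box with their destination untouched.
mikrotik_rules() {
    cat <<EOF
# Squid's own outgoing connections must never be marked, or they loop back to Squid.
/ip firewall mangle add chain=prerouting src-address=$SQUIDIP action=accept comment="bypass Squid"
# Mark client port-80 traffic and route it, unchanged, via the Squid box.
/ip firewall mangle add chain=prerouting src-address=$LAN_NET protocol=tcp dst-port=80 action=mark-routing new-routing-mark=to-squid passthrough=no
/ip route add routing-mark=to-squid gateway=$SQUIDIP
EOF
}

# Squid box: the only NAT in the path. First rule wins in iptables, so
# the bypass for Squid's own source address must precede the REDIRECT.
squid_box_rules() {
    cat <<EOF
# If a packet with Squid's own source address ever comes back in from the
# router, let it through instead of feeding it to Squid again (loop guard).
iptables -t nat -A PREROUTING -i $LAN_IF -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# Packets still carry the real server address here; REDIRECT records it in
# conntrack, so Squid's getsockopt(SO_ORIGINAL_DST) returns the right host.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Sanity check on the generated Squid box rules: prints "ok" when the
# ACCEPT bypass appears before the REDIRECT, "bad" otherwise.
check_order() {
    squid_box_rules | awk '
        /-j ACCEPT/   && !seen_accept { seen_accept = NR }
        /-j REDIRECT/ && !seen_redir  { seen_redir  = NR }
        END { print (seen_accept && seen_redir && seen_accept < seen_redir) ? "ok" : "bad" }'
}

main() {
    case "${1:-show}" in
        show)  mikrotik_rules; echo; squid_box_rules ;;
        apply) [ "$(check_order)" = "ok" ] || { echo "rule order wrong" >&2; return 1; }
               squid_box_rules | grep -v '^#' | sh -e ;;   # run as root on the Squid box
        *)     echo "usage: $0 [show|apply]" >&2; return 2 ;;
    esac
}
main "$@"
```

Note that on the Squid box itself, Squid's outgoing connections are locally generated and pass through the OUTPUT chain, not PREROUTING, so the REDIRECT rule never catches them there; the bypass that actually prevents a loop is the one on the Mikrotik, where Squid's packets arrive as ordinary incoming traffic. The ACCEPT rule on the Squid box is the second line of defence for the case the thread is about: a router rule that does send Squid's own traffic back.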