On 30/08/2012 10:23 p.m., Pawel Mojski wrote:
> On 30-Aug-12 11:13, Eliezer Croitoru wrote:
>> As I said, you must change the DNAT rule and be more explicit, because
>> it will cause a loop: when Squid tries to read port 80 it will be
>> DNATed to itself.
>> Since these Squid versions you are talking about are at my sleeve, it
>> must be the reason.
> Eliezer,
> As I mentioned before, the problem isn't on the gateway or redirection.
> The problem is in the new implementation of the "transparent" proxy type in
> Squid 3.2.
> In the 3.1 version, when a client connected to the transparent port, Squid
> read the Host: header, then resolved the hostname to an IP address and
> connected to the resolved IP address.
Causing a major security vulnerability in the process. The vulnerability
has now been fixed in 3.2. Resulting in....
> In the 3.2 version Squid reads the destination address from the TCP SYN
> packet, then connects to this IP address.
NOTE: that only happens IF the Host header domain does not match the
SYN packet destination IP address, or client_dst_passthru is turned ON
(default).
Given that Squid is finding its own IP in the SYN packet, config options
are not going to fix it magically back to a remote domain IP. In
preparation for this change in 3.2 I've been saying (and documenting
everywhere possible) for over two years now that when intercepting
traffic into Squid the NAT *MUST* be performed on the Squid box. Use
normal packet routing ("policy routing") in external devices to forward
the packets to the Squid box properly, then do the NAT there.
See your router vendor's documentation for details on policy routing
configuration. We supply
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
written specifically for Linux routers or similar WRT home-user devices
if you are dealing with those.
> So, when transparent is implemented as "REDIRECT", Squid receives the
> original TCP SYN packet and has the original destination address, so
> Squid is able to connect to the original destination server.
> When transparent is implemented as "DNAT", the original destination
> address is replaced by the DNAT address, and the DNAT address is a Squid
> address, so Squid is trying to connect to itself.
> And that's why I have a problem. I have to force Squid to use the old
> (like in 3.1) transparent connection mechanism.
No. You just need the NAT to happen on the Squid box. That way Squid has
access to the pre-NAT IP address and will un-NAT the server traffic back
to the original destination after filtering.
FYI: DNAT and REDIRECT are almost identical. The only behaviour
difference is that DNAT requires a static fixed IP and REDIRECT uses the
box's primary IP (suitable for DHCP-assigned machines, such as a drop-in
proxy device).
Amos
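Added example (not from the thread or the Squid project): the two-box layout Amos describes, with the broken router-side DNAT next to the policy-routing fix and the NAT moved onto the Squid box. The addresses, the interface name and the 3129 intercept port are assumed placeholders; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: NAT is done ONLY on the Squid box and
# the router merely policy-routes port-80 packets to it. All values below
# are assumed placeholders.
SQUID_IP="${SQUID_IP:-192.0.2.10}"        # assumed Squid box address
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # assumed "http_port 3129 intercept"
LAN_IF="${LAN_IF:-eth1}"                  # assumed client-facing interface
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = apply

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# BROKEN (the setup in this thread): the router DNATs port 80 to Squid, so
# the SYN that reaches Squid 3.2 carries Squid's own IP as its destination
# and Squid ends up connecting to itself.
router_rules_broken() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      -j DNAT --to-destination "$SQUID_IP:$INTERCEPT_PORT"
}

# CORRECT router side: mark port-80 packets, excluding Squid's own outbound
# traffic (which would otherwise loop back to it), and route them to the
# Squid box with the original destination IP left untouched.
router_rules() {
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
      -p tcp --dport 80 -j MARK --set-mark 1
  run ip rule add fwmark 1 table 100
  run ip route add default via "$SQUID_IP" table 100
}

# CORRECT Squid box side: REDIRECT (or DNAT to its own IP) happens here,
# where conntrack still holds the pre-NAT destination that Squid reads
# from the SYN and later un-NATs the server traffic against.
squid_box_rules() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$INTERCEPT_PORT"
  run sysctl -w net.ipv4.ip_forward=1
}
```

Run `DRY_RUN=0 sh -c '. ./intercept.sh; router_rules'` on the router and `squid_box_rules` on the Squid box once the placeholders match your network.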