Re: Re: Squid Interception Proxy (3.3)


On 3/05/2013 11:50 a.m., John Yoon wrote:
The NAT operation *MUST*, absolutely *MUST*, be performed on the Squid box and nowhere else on the path between Squid and clients.
I am buying a new router that has enough ROM and RAM to support
openwrt + squid, for the security reasons and also because my
ARM-based server does not have a proper 'iptables' available. Thanks
for that emphasis. I re-read the original post and saw that you also
point out that the dd-wrt wiki page is wrong. It was very confusing
for me as not only the wiki-page, but several blog pages posted
how-to's that attested that the aforementioned setup worked. One post was less
than a year old!

The configuration for OpenWRT device is in fact a completely different setup
There is section called 'When Squid is in a DMZ between the router and
Internet' which is exactly what 'Ethan H' was trying to achieve. And
you responded.
The kernel routing layer does the routing based on the firewall markings
Is it the reason why OpenWRT works but not DD-WRT? Due to the
difference in the kernel routing layer? Or does the same rule apply
and NAT operation *Must* be performed for OpenWRT as well?

They should be the same. The "must" is because of how NAT changes the packet. The difference is in which particular Squid version the blogger is using; some say "3.2" without explaining it was an old beta release before the final security patches were in, or even just "Squid" meaning 3.1 or older.


On Wed, May 1, 2013 at 6:40 PM, Amos Jeffries-2 wrote:
On 2/05/2013 10:23 a.m., prometheus wrote:
Were you able to get this to work? I am having the same problem.
The problem is that DNAT whenever used *erases* critical information
which Squid-3.2+ require. The NAT operation *MUST*, absolutely *MUST*,
be performed on the Squid box and nowhere else on the path between Squid
and clients.

Please go back and re-read the "outline" section on
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat for
details on DNAT configuration.

The configuration for OpenWRT device is in fact a completely different
setup, which is one of the cases detailed in
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute.

Amos
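
An added illustration, not part of the original messages and not Squid's own code: on Linux, a process running on the box that performed the NAT can ask netfilter for a connection's pre-NAT destination, and this sketch shows why that lookup yields nothing useful when DNAT was done on another device. It assumes the Linux `SO_ORIGINAL_DST` socket option; the function names, addresses and sample bytes are constructed for the example.

```python
import socket
import struct

# Value of SO_ORIGINAL_DST in linux/netfilter_ipv4.h (Python's socket module has no name for it).
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in that the SO_ORIGINAL_DST lookup returns."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack_from("=H", raw, 0)  # sin_family, host byte order
    (port,) = struct.unpack_from("!H", raw, 2)    # sin_port, network byte order
    if family != socket.AF_INET:
        raise ValueError("not an IPv4 address")
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn):
    """Pre-NAT destination of an accepted TCP socket, or None if netfilter has no record."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def classify(local, orig):
    """Compare the proxy's own listening address with the looked-up destination."""
    if orig is None or orig == local:
        # NAT happened on another device: only the proxy's address is left.
        return "original destination lost"
    return "original destination preserved"


# Constructed sample: what the lookup returns when this box did the NAT
# for a client that was connecting to 203.0.113.10:80.
SAMPLE = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
          + socket.inet_aton("203.0.113.10") + b"\x00" * 8)
PROXY = ("192.0.2.1", 3129)  # constructed proxy listening address

if __name__ == "__main__":
    print(classify(PROXY, parse_sockaddr_in(SAMPLE)))  # NAT on the proxy box
    print(classify(PROXY, PROXY))                      # DNAT on an upstream router
```

In a live check, `local` would be `conn.getsockname()[:2]` and `orig` would be `original_dst(conn)` for a socket accepted on the interception port.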

