Hi Amos,
On 18/07/2014 5:21, Amos Jeffries wrote:
On 18/07/2014 7:25 a.m., Nicolás wrote:
Ok, I'll try to explain the scenario again and in more detail (I remark
that I'm using this guide, which states that it should work for public IP
addresses: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource):
Client side: Has public IP address A.B.C.D
Server side: Has public IP address E.F.G.H
On the client side, I added the following iptables rule:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination E.F.G.H:3128
Okay. The situation seems clear now. This rule is capturing both the
client UA output traffic and Squid output traffic.
You need the rule omitting Squid from being captured. The config example
should have mentioned it; I have added that now.
iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT
Note the one you tried earlier and failed was in PREROUTING, not OUTPUT.
This should be the correct one.
Unfortunately, this one doesn't seem to make a difference either. On the squid
box, the squid daemon is run by user proxy, so I got the UID and replaced
it in the rule you provided:
# id proxy
uid=13(proxy) gid=13(proxy) groups=13(proxy)
So on the client box:
iptables -t nat -A OUTPUT --match owner --uid-owner 13 -p tcp --dport 80 -j ACCEPT
Then I appended the DNAT rule.
However, I should have (re)mentioned it: in addition to having different
public IP addresses, the client box and the squid box are on
different networks (basically the squid box is located in a different
country from the client box). Should that make a difference?
Additionally, UID 13 corresponds to the squid box; should that work
even if on the client box UID 13 corresponds to a different user?
Also, if you wish, I can run squid with the -N -d options and send you
the output log, so you will probably know quickly what else could be
happening there.
Regards,
Nicolás
NP: you could also use REDIRECT instead of DNAT if you want to avoid
figuring out the server/client "side" IP address issues. But try the
above iptables rule in your existing config first to confirm if it works
before moving on to that change.
<snip>
access.log:
1405623902.957 0 A.B.C.D TCP_MISS/403 4300 GET http://google.es/ - HIER_NONE/- text/html
1405623902.958 1 A.B.C.D TCP_MISS/403 4419 GET http://google.es/ - HIER_DIRECT/E.F.G.H text/html
Note that these are in order of completion rather than order of
initiation. The second line is the first request (client->server
intercepted into Squid); the first line is the squid->server looped request.
Amos
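Added example, not part of the thread and not code from the Squid project: a small Python checker that parses Squid's native access.log format and flags the forwarding-loop signature Amos points out above, namely a HIER_DIRECT request whose peer is the proxy's own address, paired (within a short time window, in either log order, since lines are logged on completion) with a HIER_NONE/403 entry for the same client and URL. The sample log lines are constructed to match the pair quoted in the thread, the proxy address set {E.F.G.H} is taken from the page, and the function names are my own.

```python
import re

# Constructed sample lines in Squid native access.log format, modelled on the
# pair quoted in the thread (client A.B.C.D, proxy E.F.G.H). The third line is
# a normal request to an unrelated origin and must not be flagged.
SAMPLE_LOG = """\
1405623902.957      0 A.B.C.D TCP_MISS/403 4300 GET http://google.es/ - HIER_NONE/- text/html
1405623902.958      1 A.B.C.D TCP_MISS/403 4419 GET http://google.es/ - HIER_DIRECT/E.F.G.H text/html
1405623910.100    120 A.B.C.D TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/203.0.113.7 text/html
"""

# Native format: time elapsed client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_access_log(text):
    """Yield one dict per well-formed native-format line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = float(entry["ts"])
        entry["elapsed"] = int(entry["elapsed"])
        entry["status"] = int(entry["status"])
        entry["bytes"] = int(entry["bytes"])
        yield entry


def find_forwarding_loops(entries, own_ips, window=0.5):
    """Return (looped_request, denied_request) pairs.

    looped_request: Squid forwarded the request HIER_DIRECT to one of its own
    addresses (the intercept rule caught Squid's own outbound connection).
    denied_request: the re-intercepted copy, which Squid's loop detection
    answered itself with a 403 (HIER_NONE), within `window` seconds of the other.
    """
    entries = sorted(entries, key=lambda e: e["ts"])
    hits = []
    for outer in entries:
        if outer["hier"] != "HIER_DIRECT" or outer["peer"] not in own_ips:
            continue
        for inner in entries:
            if inner is outer:
                continue
            if (inner["client"] == outer["client"]
                    and inner["url"] == outer["url"]
                    and inner["hier"] == "HIER_NONE"
                    and inner["status"] == 403
                    and abs(inner["ts"] - outer["ts"]) <= window):
                hits.append((outer, inner))
                break
    return hits


def loop_urls(log_text, own_ips):
    """Convenience wrapper: URLs that show the loop signature in `log_text`."""
    return [outer["url"] for outer, _ in
            find_forwarding_loops(parse_access_log(log_text), own_ips)]


if __name__ == "__main__":
    # E.F.G.H is the proxy's own public address in the thread's scenario.
    for looped, denied in find_forwarding_loops(parse_access_log(SAMPLE_LOG), {"E.F.G.H"}):
        print(f"loop: {looped['client']} {looped['url']} forwarded to self at "
              f"{looped['ts']:.3f}, denied by loop detection at {denied['ts']:.3f}")
```

Run it over a real access.log with the proxy's own addresses in `own_ips`; a hit means the NAT rule is still catching the proxy's outbound traffic, which is exactly the case the owner-match ACCEPT rule placed before the DNAT rule is meant to exclude.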