On 21/04/2015 10:44 p.m., jaykbvt wrote:
> Hi,
> My squid is configured in interception mode with
>
> http_port 3130
> http_port 3129 intercept
>
> squid is running with single network card. request comes from the Cisco ISG
> and internet is also allowed from the same Cisco ISG only.

I think the Cisco is doing NAT and erasing the original dst-IP value from
the client TCP packets. The problem needs to be fixed there (by not NAT'ing
on the Cisco).

>
> IPtables has been configured with following
> squidip = 10.58.200.33
> squid port = 3129
> ====================
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> 10.58.200.33:3129
> ====================
>

This above iptables NAT is changing something:80 to 10.58.200.33:3129. When
things are configured right the something is the origin web server's IP the
client was contacting. And the NAT un-mangling operation in Squid converts
the 10.58.200.33:3129 back to something:80.

NOTE: there are other iptables rules needed to prevent the from-Squid
traffic being looped back, and attackers contacting the Squid listening
port. But your proxy is not getting that far yet. So this is just a
heads-up for now.

> Given below are entries in cache.log
>
> +++++++++++++++++++++++++++++++++++
> 2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept:
> local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted

This is the connection info *after* the iptables NAT mangling is un-done.
The 10.58.200.33:3129 has successfully been converted back into
something:80.

Unfortunately that something:80 dst-IP address received from the Cisco was
"10.58.200.33:80" as you can see in the local= parameter above.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
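The diagnosis in the reply above rests on one observation: after Squid undoes the iptables DNAT, the `local=` field of an `httpAccept` line should show the origin web server's address on port 80, not the proxy's own address. The following script, added here as an example and not part of the original mail or of Squid itself, scans `cache.log` lines for that symptom. The log lines are constructed (the first mirrors the one quoted in the thread, the other two are invented to show a healthy accept and a failed NAT lookup); the proxy IP, the intercept port and the verdict names are assumptions of this example.

```python
import re

# Constructed sample cache.log lines (not taken from a real log):
#  1. the symptom from the thread: dst already rewritten to the proxy IP
#  2. a healthy intercepted connection to a public origin server
#  3. local= still shows the intercept port itself, i.e. the DNAT could
#     not be looked up and undone by Squid
SAMPLE_LOG = """\
2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept: local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted
2015/04/21 15:50:21.102 kid1| client_side.cc(3412) httpAccept: local=93.184.216.34:80 remote=10.210.83.250:41022 FD 11 flags=33: accepted
2015/04/21 15:50:22.410 kid1| client_side.cc(3412) httpAccept: local=10.58.200.33:3129 remote=10.210.83.251:41023 FD 12 flags=33: accepted
"""

# Matches the local=/remote= pair that Squid prints in httpAccept lines.
ACCEPT_RE = re.compile(
    r"httpAccept: local=(?P<lip>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)


def classify(line, proxy_ip, intercept_port=3129):
    """Return a verdict for one httpAccept line, or None if it is not one.

    Verdict names are this example's own:
      "nat-not-undone"  local= still carries the intercept port, so the
                        original destination was never recovered
      "origin-lost"     local= is the proxy's own IP on port 80: the packet
                        arrived with its destination already rewritten
                        (the Cisco-side NAT case from the thread)
      "ok"              local= is some other host on port 80, as expected
    """
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    lip, lport = m["lip"], int(m["lport"])
    if lport == intercept_port:
        return "nat-not-undone"
    if lip == proxy_ip:
        return "origin-lost"
    return "ok"


def audit(log_text, proxy_ip, intercept_port=3129):
    """Count verdicts over a whole log; a non-zero "origin-lost" or
    "nat-not-undone" count means interception is not working yet."""
    counts = {}
    for line in log_text.splitlines():
        verdict = classify(line, proxy_ip, intercept_port)
        if verdict is not None:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Proxy address taken from the thread; adjust for your own host.
    for verdict, n in sorted(audit(SAMPLE_LOG, "10.58.200.33").items()):
        print(f"{verdict}: {n}")
```

Run against a real `cache.log` with the proxy's own IP as the second argument; any `origin-lost` hits point at an upstream device rewriting the destination before the packet reaches the Squid host, which is exactly the case the reply attributes to the Cisco.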