
Re: transparent proxy original_dst err

21.04.15 17:20, Amos Jeffries writes:
On 21/04/2015 10:44 p.m., jaykbvt wrote:
Hi,
My squid is configured in interception mode with

http_port 3130
http_port 3129 intercept

squid is running with single network card. request comes from the Cisco ISG
and internet is also allowed from the same Cisco ISG only.
I think the Cisco is doing NAT and erasing the original dst-IP value
from the client TCP packets. The problem needs to be fixed there (by not
NAT'ing on the Cisco).

Using NAT on a backoffice Cisco is not a good idea. Usually, NAT is only used on the front router.


IPtables has been configured with following
squidip = 10.58.200.33
squid port = 3129
====================
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
10.58.200.33:3129
====================

This above iptables NAT is changing something:80 to 10.58.200.33:3129.

When things are configured right the something is the origin web servers
IP the client was contacting. And the NAT un-mangling operation in Squid
converts the 10.58.200.33:3129 back to something:80.

NOTE: there are other iptables rules needed to prevent the from-Squid
traffic being looped back, and attackers contacting the Squid listening
port. But your proxy is not getting that far yet. So this is just a
heads-up for now.


Given below are entries in cache.log

+++++++++++++++++++++++++++++++++++
2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept:
local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted
This is the connection info *after* the iptables NAT mangling is
un-done. The 10.58.200.33:3129 has successfully been converted back into
something:80.

Unfortunately that something:80 dst-IP address received from the Cisco
was "10.58.200.33:80" as you can see in the local= parameter above.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
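The "NAT un-mangling" Amos describes is, on Linux, a getsockopt(SO_ORIGINAL_DST) call on the accepted socket: netfilter hands back the destination the client connected to before the PREROUTING DNAT rewrote it to 10.58.200.33:3129. The following Python script is an added example (not Squid's code and not from anyone in this thread) that performs that lookup, decodes the returned sockaddr_in, and flags the exact symptom seen in the cache.log line above, where the "original" destination comes back as the proxy's own address on port 80 because a device upstream had already NATed the packet. The proxy address 10.58.200.33 and intercept port 3129 are taken from the thread; the origin-server address 203.0.113.10 and the byte strings fed to the parser are constructed for the demonstration.

```python
"""Recover the pre-DNAT destination of an intercepted TCP connection and
detect the case where the destination was lost before the packet reached
this host (an upstream NAT rewrote it).

Added example; not Squid's implementation."""
import socket
import struct
from typing import Tuple

# Option number from <linux/netfilter_ipv4.h>; read with level SOL_IP.
SO_ORIGINAL_DST = 80

# Values taken from the thread: the proxy's own address and intercept port.
PROXY_ADDRS = {"10.58.200.33"}
INTERCEPT_PORT = 3129


def parse_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Decode a struct sockaddr_in into (dotted IPv4 address, port).

    sin_family is in host byte order, sin_port and sin_addr in network order,
    so the fields are unpacked separately.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    addr = socket.inet_ntoa(raw[4:8])
    return addr, port


def make_sockaddr_in(addr: str, port: int) -> bytes:
    """Constructed test input: build the 16-byte sockaddr_in netfilter returns."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(addr)
            + b"\x00" * 8)


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Ask netfilter which destination the client really contacted.

    Only meaningful on Linux for a connection that arrived via a DNAT or
    REDIRECT rule; on other connections the kernel returns the local address.
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def classify_intercept(orig: Tuple[str, int]) -> str:
    """Interpret an un-mangled destination the way the thread does.

    "ok":               a real origin server, interception is working.
    "original-dst-lost": the destination is the proxy's own address, i.e. a
                         device upstream already NATed the packet and the
                         client's real target is unrecoverable here.
    "loop":             the destination is the intercept port itself, which
                         means proxy-originated traffic was redirected back
                         into the proxy (the looping Amos warns about).
    """
    addr, port = orig
    if addr in PROXY_ADDRS and port == INTERCEPT_PORT:
        return "loop"
    if addr in PROXY_ADDRS:
        return "original-dst-lost"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: the failing case from the thread and a healthy one.
    for sample in (("10.58.200.33", 80), ("203.0.113.10", 80)):
        decoded = parse_sockaddr_in(make_sockaddr_in(*sample))
        print("original dst %s:%d -> %s" % (decoded[0], decoded[1],
                                            classify_intercept(decoded)))
```

Run against a live accepted socket, `original_destination(conn)` replaces the constructed input; a result of "original-dst-lost" for every connection points at NAT upstream of the proxy (the Cisco in this thread) rather than at the local iptables rule.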
