Hello list,
I'm approaching you with a question regarding intercept proxying and IPv6. I have a working IPv4 setup that redirects port 80 traffic to a port that Squid is listening on:
-A PREROUTING -s <source-net> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports <squid-port>
When I try to duplicate this behaviour on the IPv6 side, it does not work. This does not seem to be an ACL issue as the symptoms are the same even with an all-allowing ACL, and because I'm unable to get even an "access denied" error from Squid. I can reach the IPv6 Squid port by accessing it directly from the local machine.
Also, if the REDIRECT is changed to a DNAT, the behaviour is identical (i.e. not working):
-A PREROUTING -s <source-net> -p tcp -m tcp --dport 80 -j DNAT --to-destination [<squid-ip>]:<squid-port>
By looking at ip6tables packet counters and tcpdump I have come to the conclusion that a SYN packet hits the REDIRECT rule, but even if it ever reaches Squid, it looks as if Squid is ignoring it and not returning anything. Enabling debug sections 5 and 89 shows nothing in cache.log while the connection establishment is supposed to be happening. While trying to figure out what is going on, I also tried the following in an attempt to rule out e.g. firewall restrictions causing the failure (this works, TCP handshake occurs and a web page is returned):
-A PREROUTING -s <source-net> -p tcp -m tcp --dport 80 -j DNAT --to-destination [<external-ip>]:80
Does anyone here have experience with anything resembling the above? Any advice would be appreciated.
Joni
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
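
Added example, not part of the original post and not Squid code: a stand-in IPv6 listener that can take Squid's place behind the REDIRECT rule to show whether redirected connections reach a local socket at all, and what pre-NAT destination the kernel recorded for them. It assumes Linux (the two socket option constants are the Linux values); the function names and the port given on the command line are illustrative.

```python
import socket
import struct

SOL_IPV6 = 41               # Linux value, <linux/in6.h>
IP6T_SO_ORIGINAL_DST = 80   # Linux value, <linux/netfilter_ipv6/ip6_tables.h>
SOCKADDR_IN6_LEN = 28       # sizeof(struct sockaddr_in6)


def parse_sockaddr_in6(raw):
    """Decode a struct sockaddr_in6 into (address, port)."""
    if len(raw) < SOCKADDR_IN6_LEN:
        raise ValueError("short sockaddr_in6: %d bytes" % len(raw))
    family, = struct.unpack_from("=H", raw, 0)   # host byte order
    port, = struct.unpack_from("!H", raw, 2)     # network byte order
    if family != socket.AF_INET6:
        raise ValueError("not AF_INET6: family %d" % family)
    return socket.inet_ntop(socket.AF_INET6, raw[8:24]), port


def original_dst(conn):
    """Return the pre-NAT destination, or None if the kernel has none."""
    try:
        raw = conn.getsockopt(SOL_IPV6, IP6T_SO_ORIGINAL_DST, SOCKADDR_IN6_LEN)
    except OSError:
        return None   # connection was not NATed, or lookup is unsupported
    return parse_sockaddr_in6(raw)


def serve(port):
    """Accept on [::]:port and report each client and its original target."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        srv.bind(("::", port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                print("client [%s]:%d original dst %s"
                      % (peer[0], peer[1], original_dst(conn)))


if __name__ == "__main__":
    import sys
    serve(int(sys.argv[1]))   # a spare port; point the REDIRECT rule at it
```

If a redirected client is printed with its original destination, the ip6tables path is delivering connections and the remaining question is on the Squid side; if nothing is ever accepted, the connection is being lost before it reaches any listener.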