Re: Squid on separate box and it can't see packets

On 21/02/2017 10:25 a.m., Eliezer Croitoru wrote:
> And just wanted to add a note that some Linux machines will act as a
> HUB\BRIDGE by default in a similar scenario (will not drop
> packets..). I noticed it while working on some tiny lab and it's
> better to have the Linux machine with ipv4_forward turned on with an
> iptables DROP rule rather than without (with some distros and some
> specific kernels).

Nod.

If the machine is working as a true bridge then the packets will not be
going to Squid. It still needs the routing rules to route the packets
from its bridge interface to Squid, and from Squid to its bridge
outerface. Or for that matter to pass them from the bridge
inter/outerfaces and the NAT system.

Amos



> 
> Eliezer
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
> 
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
> Sent: Friday, February 17, 2017 3:59 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  Squid on separate box and it can't see packets
> 
> On 15/02/2017 9:18 a.m., John Pearson wrote:
>> Hi,
>>
>> Is this squid box a router or just a proxy?
>> - just a proxy
> 
> There is the first problem.
> 
> NAT interception needs the machine Squid is running on to be configured
> to operate as a router. It will be receiving packets destined to a
> machine other than itself.
> 
>>
>> What tcpdump command did you run?
>> - sudo tcpdump -i eth0
>>
>> What is the networks that are involved?
>> Setup:
>>
>>> Client    (192.168.1.8) ---> |    Router    |
>>>                              | gateway/dhcp | ---> Internet
>>> Squid box (192.168.1.2) ---> | 192.168.1.1  |
>>
>>
>> Here Client (debian), squid (debian) and router are three separate devices.
>>
> 
> So the Squid machine;
> 
> requires this bit you did:
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
> 
> PLUS the system TCP stack controls to turn it from an origin-server host
> to a routing host. Otherwise the machine will silently drop packets not
> destined to itself.
> 
> 
> The router machine requires this:
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#When_Squid_is_Internal_amongst_clients>
> 
> The router machine probably also needs the "Routing Setup":
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#Routing_Setup>
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> 
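
An added example, not part of the original thread: a shell check that audits the Squid box for the points raised above (forwarding enabled, a NAT REDIRECT to the intercept port, and a FORWARD DROP when forwarding is on). The intercept port 3129, the function names and the sample `sysctl` / `iptables-save` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit saved `sysctl -a` and `iptables-save` text from the Squid box.
# Port 3129 and all sample data below are constructed assumptions.

SYSCTL_PROXY_ONLY='net.ipv4.ip_forward = 0'      # "just a proxy" host
RULES_PROXY_ONLY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT'

SYSCTL_ROUTER='net.ipv4.ip_forward = 1'          # routing host
RULES_ROUTER='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# sysctl_value <dump> <key>: print one key's value from `sysctl -a` style text.
sysctl_value() {
    printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
}

# audit_intercept_host <sysctl dump> <iptables-save dump> [port]
# Prints one finding per line; the exit status is the number of findings.
audit_intercept_host() {
    port=${3:-3129}; findings=0
    fwd=$(sysctl_value "$1" net.ipv4.ip_forward)
    if [ "$fwd" != "1" ]; then
        # Per the thread: a non-routing host silently drops packets not destined to itself.
        echo "ip_forward is not 1: host is not acting as a router"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$2" | grep -Eq -- "^-A PREROUTING .*-j REDIRECT --to-ports? $port\$"; then
        echo "no nat PREROUTING REDIRECT to port $port"
        findings=$((findings + 1))
    fi
    # Eliezer's note: forwarding on is best paired with an iptables DROP rule.
    if [ "$fwd" = "1" ] && ! printf '%s\n' "$2" | grep -Eq '^:FORWARD DROP |^-A FORWARD .*-j DROP'; then
        echo "ip_forward is 1 but FORWARD has no DROP policy or rule"
        findings=$((findings + 1))
    fi
    return "$findings"
}

audit_intercept_host "$SYSCTL_PROXY_ONLY" "$RULES_PROXY_ONLY" || true
```

On a live host, pass `"$(sysctl -a 2>/dev/null)"` and `"$(iptables-save)"` as the two arguments instead of the constructed samples.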
