On 13/11/17 01:25, snable snable wrote:
> Access.log shows this for www.heise.de over https:
>
> NECT 192.168.1.222:443 - HIER_NONE/- -
> 1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
> 1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
ORIGINAL_DST is the server IP your system NAT tables say the client is connecting to.
So the above means the NAT system is intercepting the client at 192.168.1.200 connecting to the webserver at 192.168.1.222:443.
> On 12.11.2017 12:46 "snable snable" wrote:
>
>> Hey, thanks. I post in detail:
>>
>> I have an OpenWrt box. Clients are attached there to the 192.168.2.0/24
>> network via NAT. I attached the router as a WAN device on my
>> 192.168.1.0/24, with 192.168.1.254 as my internet gateway. I have a
>> squidbox with Squid 4 running on ports 3128, 3129 and 3130.
>>
>> I forward the traffic from the OpenWrt via:
>>
>>   iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
>>   iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
>>   iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
>>   iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
>>   ip rule add fwmark 3 table 2
>>   ip route add default via 192.168.1.222 dev eth0.2 table 2
>>
>> On the squid box I redirected it via:
>>
>>   iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
>>   iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
There are no rules above preventing the NAT system intercepting the Squid outbound traffic.
Please see the iptables rules documented at: <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.
-j ACCEPT in the *mangle* table only means iptables does not do your MARKing. It has no effect on these NAT table operations.
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
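As an added example (not code from the thread, from Amos, or from the Squid wiki page linked above), the following shell script turns the two points made in the reply into checks a practitioner can run on the proxy host. First, it counts access.log lines whose ORIGINAL_DST field names the proxy's own address, which is the loop symptom visible in the quoted log (a request that the NAT tables say was headed for the proxy itself). Second, it audits an iptables-save dump of the nat table for a PREROUTING REDIRECT rule that is not preceded by an ACCEPT exempting the proxy's own address, the usual way of keeping the intercept rules from catching the proxy's outbound connections. The proxy address 192.168.1.222, the interface name, the sample log lines and the two sample rule dumps are constructed for the demonstration; the log parsing assumes Squid's default (native) access.log format, where the ninth whitespace-separated field is peerstatus/peerhost.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid wiki.
# Assumes Squid's default (native) access.log format, where the 9th
# whitespace-separated field is peerstatus/peerhost (e.g. ORIGINAL_DST/ip).

PROXY_IP=192.168.1.222   # the squid box in the thread; an assumed value here

# Constructed sample: one CONNECT tunnel line, one request that Squid tried
# to deliver to its own address (the loop), one healthy intercepted request.
SAMPLE_LOG='1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489301.102    143 192.168.1.200 TCP_MISS/200 8120 GET http://example.com/ - ORIGINAL_DST/203.0.113.10 text/html'

# Constructed iptables-save dumps of the nat table on the proxy host.
# SAMPLE_BROKEN mirrors the rules posted in the thread: REDIRECT with no
# exemption. SAMPLE_FIXED exempts the proxy's own address first.
SAMPLE_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

SAMPLE_FIXED='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.1.222/32 -i eth0 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# count_self_dst LOGTEXT PROXY_IP
# Prints the number of lines whose hierarchy field is ORIGINAL_DST/PROXY_IP:
# requests the NAT tables told Squid to deliver to Squid itself.
count_self_dst() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $9 == ("ORIGINAL_DST/" ip) { n++ }
        END { print n + 0 }'
}

# audit_nat_rules DUMPTEXT PROXY_IP
# Exit 0 if, within *nat PREROUTING, every -j REDIRECT rule comes after an
# ACCEPT rule matching "-s PROXY_IP"; exit 1 otherwise. Rule order matters:
# iptables stops at the first terminating target, so the ACCEPT must be earlier.
audit_nat_rules() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^\*/ { table = substr($1, 2) }
        table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        /-j ACCEPT/ && index($0, "-s " ip) { exempt = 1 }
        /-j REDIRECT/ && !exempt { bad++ }
        END { exit bad ? 1 : 0 }'
}

# report_rules NAME DUMPTEXT: human-readable verdict for one dump.
report_rules() {
    if audit_nat_rules "$2" "$PROXY_IP"; then
        echo "$1: proxy address exempted before REDIRECT"
    else
        echo "$1: REDIRECT reachable by packets from the proxy's own address"
    fi
}

# Demo output when run directly.
echo "requests whose ORIGINAL_DST is the proxy itself: $(count_self_dst "$SAMPLE_LOG" "$PROXY_IP")"
report_rules SAMPLE_BROKEN "$SAMPLE_BROKEN"
report_rules SAMPLE_FIXED "$SAMPLE_FIXED"
```

On a live host, replace the sample text with `$(cat /var/log/squid/access.log)` and `$(iptables-save -t nat)`; a non-zero count from count_self_dst combined with a failing audit is the combination this thread describes. The audit only inspects the nat table's PREROUTING chain, so an exemption placed in mangle (as in the OpenWrt rules quoted above) is deliberately not counted, matching the point that an ACCEPT in mangle does nothing for the NAT table.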