On 10/14/07, rbw <[EMAIL PROTECTED]> wrote:
> I have a router running DD-WRT and I needed to do transparent proxy for
> local network clients where client port 80 requests that show up at the
> router end up being sent to the CentOS server running Squid also on the
> local network. I got everything configured and running nicely and I was
> looking at the Squid logs on the CentOS server with a
> "tail -f /var/log/squid/access.log" while thinking about the next step of
> configuring and running SquidGuard and I noticed something that seems odd.
> All of the source IPs for all of the log entries flying by for all the
> different workstations are the IP of the router, not the individual
> workstations. Here is the page with the iptables instructions I used:
> http://www.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy
> (works very well, note that you have to escape the variable references as
> well as the double quotes as mentioned to get it into the DD-WRT firewall)
>
> In SquidGuard I will want to have the ability to fashion acl rules by IP
> number but as things are now all SquidGuard is going to see is the source
> IP which is always the router IP where the workstations got NAT'd...
> e.g.
> 1192406978.122 80 192.168.84.1 TCP_MISS/200 3388 GET http:// ... DIRECT/... image/jpeg
> 1192407186.460 9 192.168.84.1 TCP_MEM_HIT/200 1410 GET http://... NONE/... image/png
> (every single entry is of source 192.168.84.1, the IP of the router)
>
> Anyone have any thoughts/tips on how to send the IP of the originating
> workstation to Squid rather than being NAT'd and showing up at Squid with
> the IP translated into the router's IP? Is this even a possible outcome?
> (it has been a while since I chopped my way through iptables like this).
>
> TIA,
> rbw
>
> --
> [email protected]
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list

Hmm, not familiar with SquidGuard, but a few random thoughts:

Do you have to NAT the IP addresses to the outside router interface IP address? If you can just forward them without NAT'ing them, the source and destination addresses will stay the same.
If you are only creating acl rules for certain machines, what about specifying iptables rules on the PREROUTING chain or POSTROUTING chain specific to the IP numbers for the machines you want to create acls for and NATing all the rest? I think there is a "not" option (!) for the source and destination IP addresses in iptables.
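As an added example, not code from this thread or from the DD-WRT wiki page it links: a POSIX shell script that prints two variants of the router-side iptables rules so they can be reviewed without touching a live firewall. The interface name br0, the LAN subnet, the Squid host address and port 3128 are assumptions; 192.168.84.1 is the router address the thread reports. Variant A is the redirect-plus-SNAT pattern that makes every Squid log line carry the router's address. Variant B applies the reply's idea: workstations that need per-IP ACLs are exempted from the SNAT step (RETURN rules placed ahead of it), everyone else is still NAT'd, and the PREROUTING rule uses the `!` negation the reply mentions so the proxy's own outbound port-80 traffic is not redirected back into itself. `postrouting_target` walks the emitted POSTROUTING rules the way the kernel would (first match wins) and reports which target a given workstation would hit.

```shell
#!/bin/sh
# Added example (not from the thread or the DD-WRT wiki). Prints rules; does
# not apply them. All values except ROUTER_IP are assumptions.
LAN_IF="br0"                 # assumed LAN bridge on the router
LAN_NET="192.168.84.0/24"    # assumed LAN subnet
ROUTER_IP="192.168.84.1"     # router address from the thread
PROXY_IP="192.168.84.10"     # assumed Squid host on the LAN
PROXY_PORT="3128"            # assumed Squid listening port

# Variant A: redirect, then SNAT to the router. Squid sees ROUTER_IP for every
# client, which is exactly the symptom in the access.log excerpt.
nat_all_rules() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $ROUTER_IP"
}

# Variant B: same redirect, but workstations given as arguments skip the SNAT
# (RETURN leaves the nat chain before the SNAT rule), so Squid logs their
# real address. Everything else in LAN_NET is still NAT'd to the router.
nat_except_rules() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    for h in "$@"; do
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $h -d $PROXY_IP -p tcp --dport $PROXY_PORT -j RETURN"
    done
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $ROUTER_IP"
}

# First-match walk of the POSTROUTING rules from variant B for one workstation.
# Usage: postrouting_target <workstation-ip> [exempt-ip ...]
# Prints RETURN (address preserved) or SNAT (address rewritten to the router).
# Assumes every workstation lies inside LAN_NET, so the subnet rule matches all.
postrouting_target() {
    host="$1"; shift
    nat_except_rules "$@" | while read -r line; do
        case "$line" in
            *POSTROUTING*"-s $host "*) ;;      # exact-host rule
            *POSTROUTING*"-s $LAN_NET "*) ;;   # whole-subnet rule
            *) continue ;;                     # PREROUTING or non-matching
        esac
        rest="${line##*-j }"
        set -- $rest
        echo "$1"
        break
    done
}

# Demo: keep .50 and .51 visible to Squid, NAT the rest.
nat_except_rules 192.168.84.50 192.168.84.51
echo "192.168.84.50 -> $(postrouting_target 192.168.84.50 192.168.84.50 192.168.84.51)"
echo "192.168.84.77 -> $(postrouting_target 192.168.84.77 192.168.84.50 192.168.84.51)"
```

One caveat to check before relying on variant B: with Squid on the same subnet as the workstations, a connection that is DNAT'd at the router but not SNAT'd is answered by Squid straight to the workstation, from Squid's own address, without passing back through the router's connection-tracking table. The workstation, which sent its SYN to the real web server's address, sees replies from an address it never contacted and drops the connection. Dropping the SNAT therefore only preserves the client address when return traffic is forced back through the router (Squid on a separate segment behind it, or a policy-routing setup on the Squid host); on a flat LAN the SNAT is what makes the redirect work at all, which is why the logs show the router.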
