RE: [squid-users] client ip's

2008-04-10 Thread Jorge Bastos
Hum I got some news on this,

I don't know why my system started to give me this information:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         localhost       0.0.0.0         UG    0      0        0 eth1

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth1


The fact is that the hosts file is correct:

cisne:~# cat /etc/hosts
127.0.0.1   localhost

I only have this there

I know this is not squid related but if you guys can give me a hand.
I have no idea why it is resolving 192.168.0.254 to localhost.









RE: [squid-users] client ip's

2008-04-10 Thread julian julian
Jorge: have you set the network properly? Are you
using the 192.168.x.x net? The network parameters must be
written in the ../ifcfg-eth0 and ../ifcfg-eth1 files (because I
suspect that you have two NICs). The route command
shows some aspects of your network configuration.

Julián



RE: [squid-users] client ip's

2008-04-10 Thread Jorge Bastos
In fact I have 3 NIC's.

Yes, the two interfaces I showed in the route print, are defined in
/etc/network/interfaces.







RE: [squid-users] client ip's

2008-04-10 Thread Henrik Nordstrom

Thu 2008-04-10 at 09:22 +0100, Jorge Bastos wrote:
 Hum I got some news on this,
 
 I don't know why my system started to give me this information:
 
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
 default         localhost       0.0.0.0         UG    0      0        0 eth1

What's the output of
/sbin/ip route

or

/sbin/route -n

Regards
Henrik



RE: [squid-users] client ip's

2008-04-10 Thread julian julian
The reference to 192.168.0.254 which you are looking at
when you run the route command is the default gateway. Your
server is not resolving 192.168.0.254 to localhost.

 


RE: [squid-users] client ip's

2008-04-05 Thread Jorge Bastos
People,

I updated to last STABLE-4 on debian, but this still happens this way.
What can I do more?

Jorge   


RE: [squid-users] client ip's

2008-04-05 Thread Henrik Nordstrom
Sat 2008-04-05 at 14:24 +0100, Jorge Bastos wrote:

 I updated to last STABLE-4 on debian, but this still happens this way.
 What can I do more?

Good question.

One thing you can try is to downgrade to Squid-2.6. If that shows the
same symptoms the problem is not within Squid but most likely in your
firewall ruleset or something else relevant to how the connections end
up at your Squid.

Regards
Henrik



RE: [squid-users] client ip's

2008-04-05 Thread Jorge Bastos
This already worked with some of the 3.0 versions.
Gonna try to play with my iptables rules and let you guys know.








Re: [squid-users] client ip's

2008-04-03 Thread Henrik Nordstrom
Thu 2008-04-03 at 18:08 +1300, Amos Jeffries wrote:

 If squid is running on this same box I would recommend the REDIRECT 
 target instead of DNAT. It's less work for the kernel.

Actually REDIRECT is more work than DNAT as it has to look up the
primary IP of the incoming interface and dynamically construct the DNAT
rule.

Regards
Henrik
who have hacked a bit too much on Netfilter/Iptables in previous lives



RE: [squid-users] client ip's

2008-04-03 Thread Jorge Bastos
Hum, the last one's on debian.
They were 3.0 PRE-X, but don't remember the number.







RE: [squid-users] client ip's

2008-04-02 Thread Jorge Bastos
Transparent proxy

Squid running on: 8080
And I forward 80 = 8080 (squid) = web

My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that
this started to happen.








RE: [squid-users] client ip's

2008-04-02 Thread Henrik Nordstrom
What do your iptables NAT rules look like?

iptables-save -t nat

 



RE: [squid-users] client ip's

2008-04-02 Thread Jorge Bastos
The rule I use to redirect traffic from 80 to 8080 is:
I must remember, this was working before 3.0 stable1 or stable2 (not using
stable2), I just saw this was happening now.

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080


cisne:~# iptables-save -t nat
# Generated by iptables-save v1.4.0 on Wed Apr  2 17:12:25 2008
*nat
:PREROUTING ACCEPT [35:1650]
:POSTROUTING ACCEPT [10307:1367320]
:OUTPUT ACCEPT [66427:4357431]
-A PREROUTING -d 193.164.158.105/32 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5111 -j DNAT --to-destination 192.168.1.11:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.2:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5969 -j DNAT --to-destination 192.168.1.3:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.204:3389
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -p gre -j ACCEPT
-A PREROUTING -p icmp -j ACCEPT
-A PREROUTING -p ah -j ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 500 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1723 -j ACCEPT
-A PREROUTING -p udp -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 20 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 23 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 43 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 79 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 123 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 143 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 444 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1723 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1863 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3306 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3389 -j ACCEPT
-A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5190 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5900 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5901 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 6667 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -d 192.168.1.206/32 -p tcp -m tcp --dport
 -j ACCEPT
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 30106 -j DNAT --to-destination 192.168.1.224:30106
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 62500:63500 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A PREROUTING -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Apr  2 17:12:26 2008

 




Re: [squid-users] client ip's

2008-04-02 Thread Amos Jeffries

Jorge Bastos wrote:
 The rule I use to redirect traffic from 80 to 8080 is:
 I must remember, this was working before 3.0 stable1 or stable2 (not using
 stable2), I just saw this was happening now.

What version did you upgrade from?

 iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080

If squid is running on this same box I would recommend the REDIRECT
target instead of DNAT. It's less work for the kernel.

The other possible issue is that you have your redirection rule at the
start of the NAT tables. The matching rule to allow squid traffic out is
near the end.

Even if you keep DNAT, they should be in this order:

# allow squid traffic out okay.
iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 80 -j ACCEPT
# redirect all other web traffic into squid.
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080









--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
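
The rule ordering recommended in the reply above, written as a check over `iptables-save -t nat` output. This is an added example, not code from the thread: the function names, verdict strings and the three reduced rulesets are constructed for illustration, and the proxy address 192.168.1.1 is the one used in the posted rules.

```python
import ipaddress
import shlex

# Constructed input: the rules from the ruleset posted in the thread that bear
# on the port 80 interception, with wrapped lines rejoined.
POSTED = """\
*nat
:PREROUTING ACCEPT [35:1650]
-A PREROUTING -d 193.164.158.105/32 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.204:3389
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed input: the two rules from the reply, as iptables-save prints them.
REORDERED = """\
*nat
-A PREROUTING -s 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

# Constructed input: an exemption written too broadly, so it matches every client.
SHADOWED = """\
*nat
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""


def parse_prerouting(dump):
    """Return the nat/PREROUTING rules in evaluation order, one dict per rule."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING "):
            continue
        rule, opt, negate_next = {"negated": set()}, None, False
        for tok in shlex.split(line)[2:]:
            if tok == "!":
                # Older iptables-save prints "-s ! addr", newer prints "! -s addr".
                if opt is not None and not rule[opt]:
                    rule["negated"].add(opt)
                else:
                    negate_next = True
            elif tok.startswith("-"):
                opt, rule[tok] = tok, []
                if negate_next:
                    rule["negated"].add(tok)
                    negate_next = False
            elif opt is not None:
                rule[opt].append(tok)
        rules.append(rule)
    return rules


def _first(rule, opt):
    values = rule.get(opt)
    return values[0] if values else None


def check_intercept_order(dump, proxy_ip, port=80):
    """Classify how the first interception rule for `port` is ordered."""
    proxy = ipaddress.ip_address(proxy_ip)
    accepts = []  # (position, source network) of earlier ACCEPT rules for this port
    for pos, rule in enumerate(parse_prerouting(dump), start=1):
        if _first(rule, "-p") != "tcp" or _first(rule, "--dport") != str(port):
            continue
        if rule["negated"]:
            continue  # negated matches are left for manual review
        src = ipaddress.ip_network(_first(rule, "-s") or "0.0.0.0/0", strict=False)
        target = _first(rule, "-j")
        if target == "ACCEPT" and "-d" not in rule and "-i" not in rule:
            accepts.append((pos, src))
        elif target in ("DNAT", "REDIRECT"):
            result = {"intercept_rule": pos, "exempt_rule": None}
            for apos, asrc in accepts:
                if asrc.supernet_of(src):
                    # First match wins: no client reaches the interception rule.
                    return {**result, "exempt_rule": apos, "verdict": "shadowed"}
            for apos, asrc in accepts:
                if proxy in asrc:
                    return {**result, "exempt_rule": apos, "verdict": "ok"}
            return {**result, "verdict": "missing-exemption"}
    return {"intercept_rule": None, "exempt_rule": None, "verdict": "no-intercept"}


if __name__ == "__main__":
    for name, dump in (("posted", POSTED), ("reordered", REORDERED), ("shadowed", SHADOWED)):
        print(name, check_intercept_order(dump, "192.168.1.1"))
```

On a live box the input would be the text printed by `iptables-save -t nat`; the reported positions count rules within PREROUTING only.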


RE: [squid-users] client ip's

2008-04-01 Thread Jorge Bastos
No, just squid himself.








Re: [squid-users] client ip's

2008-04-01 Thread Henrik Nordstrom

Tue 2008-04-01 at 10:07 +0100, Jorge Bastos wrote:
 Hi,
 
 My squid always reports localhost on the client's IP.
 What can I do to correct this? Only started to happen with the last 3.0
 stable2.

Are you using dansguardian or another filtering proxy in front of your
Squid?

Regards
Henrik



[squid-users] client ip's

2008-04-01 Thread Jorge Bastos
Hi,

My squid always reports localhost on the client's IP.
What can I do to correct this? Only started to happen with the last 3.0
stable2.


---
1207040749.939    436 localhost TCP_MISS/200 1528 GET http://library.gnome.org/skin/tab_right.png - DIRECT/209.132.176.176 image/png





RE: [squid-users] client ip's

2008-04-01 Thread Henrik Nordstrom
Tue 2008-04-01 at 12:29 +0100, Jorge Bastos wrote:
 No, just squid himself.

As a plain proxy, or playing with NAT?

Regards
Henrik