On 8/25/10 11:14 AM, Tom Eastep wrote:
> On 8/25/10 10:54 AM, Shawn Wright wrote:
> 
>>
>>     The dump is from the squid/shorewall box. If I'm reading this
>>     correctly, the rejection is from the remote host back to the client,
>>     which indicates the proxy redirect is not taking place. The remote
>>     host should have no knowledge of the client IP; it should see only
>>     the proxy IP (72.2.0.4)
> 
> The Shorewall/squid box is returning the RST. It simply reverses the SRC
> and DST. If it used its own IP address, the client wouldn't have a clue
> what it meant since it sent no SYN packet to 72.2.0.4.
> 
>>
>>     So what shorewall config do I need to redirect ALL packets with a
>>     DST port=80 and a SRC=10.0.0.0/8 received on an interface?
>>
> 
> You already have that and more with your REDIRECT rule but that exact
> entry would be:
> 
> REDIRECT          net:10.0.0.0/8      3128       tcp       80
> 

And by the way, the fact that it works when you configure it as a manual
proxy does not mean that Squid is correctly configured for Transparent
proxy.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
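
Added example, not part of the original message and not Shorewall or Squid code: a small check that a client's port-80 traffic is matched by a REDIRECT rule and that Squid's `http_port` on the redirected port carries the `transparent` (Squid 2.6-3.0) or `intercept` (3.1+) flag, which a manual-proxy test does not exercise. The sample rules and squid.conf text are constructed, and only `zone` or `zone:net[,net]` sources and comma-separated port lists are handled.

```python
import ipaddress

# Constructed sample inputs for illustration (not taken from the thread).
SAMPLE_RULES = """\
#ACTION   SOURCE          DEST  PROTO  DPORT
ACCEPT    net             $FW   tcp    22
REDIRECT  net:10.0.0.0/8  3128  tcp    80
"""
SQUID_MANUAL_ONLY = "http_port 3128\n"
SQUID_INTERCEPTING = "http_port 3128 transparent\n"

def _in_source(source, client_ip):
    """True if client_ip falls in a 'zone' or 'zone:net[,net...]' SOURCE column."""
    nets = source.partition(":")[2]  # text after 'zone:'
    if not nets:
        return True  # bare zone: any address arriving from that zone
    for net in nets.split(","):
        try:
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(net, strict=False):
                return True
        except ValueError:
            continue  # interface names, exclusions etc. are not handled here
    return False

def redirect_ports(rules_text, client_ip, dport=80):
    """Local ports that REDIRECT rules send client_ip's tcp/dport traffic to."""
    ports = []
    for line in rules_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) < 5 or cols[0].split(":")[0] != "REDIRECT":
            continue
        source, dest, proto, dports = cols[1:5]
        if proto == "tcp" and str(dport) in dports.split(",") and _in_source(source, client_ip):
            ports.append(int(dest))
    return ports

def squid_intercept_ports(conf_text):
    """http_port entries flagged 'transparent' (Squid 2.6-3.0) or 'intercept' (3.1+)."""
    ports = set()
    for line in conf_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) > 2 and cols[0] == "http_port" and {"transparent", "intercept"} & set(cols[2:]):
            ports.add(int(cols[1].rsplit(":", 1)[-1]))
    return ports

def check(rules_text, conf_text, client_ip):
    """Pair each redirected port with whether Squid intercepts on it."""
    intercepting = squid_intercept_ports(conf_text)
    return [(p, p in intercepting) for p in redirect_ports(rules_text, client_ip)]
```

A result such as `[(3128, False)]` means the firewall redirects the client to port 3128 but Squid is listening there as an ordinary forward proxy only.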
