----- "Tom Eastep" <[email protected]> wrote: 

On 8/25/10 11:14 AM, Tom Eastep wrote: 
> On 8/25/10 10:54 AM, Shawn Wright wrote: 
> 
>> 
>> The dump is from the squid/shorewall box. If I'm reading this 
>> correctly, the rejection is from the remote host back to the client, 
>> which indicates the proxy redirect is not taking place. The remote 
>> host should have no knowledge of the client IP; it should see only 
>> the proxy IP (72.2.0.4) 
> 
> The Shorewall/squid box is returning the RST. It simply reverses the SRC 
> and DST. If it used its own IP address, the client wouldn't have a clue 
> what it meant since it sent no SYN packet to 72.2.0.4. 
> 
>> 
>> So what shorewall config do I need to redirect ALL packets with a 
>> DST port=80 and a SRC=10.0.0.0/8 received on an interface? 
>> 
> 
> You already have that and more with your REDIRECT rule but that exact 
> entry would be: 
> 
> REDIRECT net:10.0.0.0/8 3128 tcp 80 
> 

And by the way, the fact that it works when you configure it as a manual 
proxy does not mean that Squid is correctly configured for Transparent 
proxy. 

Yes, but it confirms the proxy can access external sites. I think the only way 
I can confirm transparent proxy without iptables is to place the squid box into 
a router role for the client. I could do this, but the ultimate goal is to use 
WCCP2, so I do need to get iptables/shorewall working. I don't wish to place 
the proxy load on our firewall, as there are 600 users on a 1Gb pipe, so the 
traffic is significant. 

Squid is returning this: "Accepting transparently proxied HTTP connections at 
0.0.0.0, port 3128, FD 16.", so it appears to be set correctly. There are no 
hits in the squid access log for the transparent client. 

tcpdump on the shorewall/squid box now shows this, and I am not quite sure why 
I don't see the rejections, but the packets still don't reach squid on port 
3128. I am clearly missing some critical piece, but I don't know where to look. 

11:57:46.823061 IP 10.3.5.23.2374 > 136.1.241.33.80: S 1396530295:1396530295(0) win 65535 <mss 1460,nop,nop,sackOK> 
11:57:46.823117 IP 136.1.241.33.80 > 10.3.5.23.2374: S 146074113:146074113(0) ack 1396530296 win 5840 <mss 1460,nop,nop,sackOK> 

Thanks for any guidance you can offer. 
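Added example (not from the thread or from the Shorewall/Squid projects): a small Python script that reads tcpdump output of the kind quoted above, re-joins records that a mail client wrapped onto two lines, pairs each client SYN with the first reply in the reverse direction, and classifies that reply as SYN-ACK, RST or missing together with the turnaround time. On Linux, a capture on the ingress interface shows an inbound SYN before nat PREROUTING rewrites it, and an outbound reply after the reverse translation, so a redirected flow still appears with the original server address in both directions; the script therefore also flags replies that arrive within a few hundred microseconds as "answered by the local stack". That threshold (`LOCAL_REPLY_US`) is an assumption, not a rule from the thread; the sample captures are constructed from the two records quoted in the message plus a made-up RST variant of the exchange Tom describes.

```python
import re
from datetime import datetime

# Constructed sample: the two records quoted in the thread, kept in the
# line-wrapped form the mail client produced (each record split over two lines).
SAMPLE_SYNACK = """\
11:57:46.823061 IP 10.3.5.23.2374 > 136.1.241.33.80: S 1396530295:1396530295(0)
win 65535 <mss 1460,nop,nop,sackOK>
11:57:46.823117 IP 136.1.241.33.80 > 10.3.5.23.2374: S 146074113:146074113(0)
ack 1396530296 win 5840 <mss 1460,nop,nop,sackOK>
"""

# Constructed sample of the other outcome discussed in the thread: the box
# answering the SYN with a RST (addresses reused, sequence numbers made up).
SAMPLE_RST = """\
11:58:02.104200 IP 10.3.5.23.2375 > 136.1.241.33.80: S 88:88(0) win 65535 <mss 1460>
11:58:02.104289 IP 136.1.241.33.80 > 10.3.5.23.2375: R 0:0(0) ack 89 win 0
"""

# Legacy tcpdump TCP record: timestamp, endpoints, flag letters, then the rest.
RECORD = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFW.]+) (?P<rest>.*)$"
)

# Assumption (heuristic): a reply this fast came from the capturing host's
# own TCP stack rather than from a remote server across the WAN.
LOCAL_REPLY_US = 500


def join_wrapped(text):
    """Re-join records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_records(text):
    """Turn tcpdump text into a list of packet dicts (non-TCP lines are skipped)."""
    pkts = []
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "syn": "S" in d["flags"],
            "rst": "R" in d["flags"],
            # match 'ack' as a word so that 'sackOK' in the options does not count
            "ack": " ack " in " " + d["rest"] + " ",
        })
    return pkts


def analyse(text):
    """For every client SYN, find the first reply in the reverse direction and classify it."""
    pkts = parse_records(text)
    findings = []
    for i, p in enumerate(pkts):
        if not p["syn"] or p["ack"]:
            continue  # only a bare SYN opens a flow
        reply = next((q for q in pkts[i + 1:]
                      if q["src"] == p["dst"] and q["sport"] == p["dport"]
                      and q["dst"] == p["src"] and q["dport"] == p["sport"]), None)
        if reply is None:
            verdict, delay_us = "no reply seen", None
        else:
            delta = reply["ts"] - p["ts"]
            delay_us = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
            if reply["rst"]:
                verdict = "RST"
            elif reply["syn"] and reply["ack"]:
                verdict = "SYN-ACK"
            else:
                verdict = "other"
        findings.append({
            "flow": f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}',
            "verdict": verdict,
            "delay_us": delay_us,
            "local_reply": delay_us is not None and delay_us < LOCAL_REPLY_US,
        })
    return findings


if __name__ == "__main__":
    for name, text in (("syn-ack capture", SAMPLE_SYNACK), ("rst capture", SAMPLE_RST)):
        for f in analyse(text):
            where = "local stack" if f["local_reply"] else "remote or unknown"
            print(f'{name}: {f["flow"]} -> {f["verdict"]} after {f["delay_us"]} us ({where})')
```

Run it against a real capture by replacing the constructed samples with the output of tcpdump on the box; because the capture on the ingress interface never shows the post-NAT destination port, the port 3128 side of a redirected flow has to be checked with a nat-table counter or the Squid access log rather than with tcpdump on that interface.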


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users