Re: [squid-users] DNAT??

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 13 Jul 2003 20:31:33 +0200

On Sunday 13 July 2003 19.31, Antony Stone wrote:

> 1. Do you have an appropriate FORWARD rule to allow the packets
> through the machine as well?
>
> 2. Do you have /proc/sys/net/ipv4/ip_forward = 1 so the box will
> forward packets at all?
>
> 3. Does Squid listen on port 80 (transparent mode) or 3128
> (standard proxying mode). If transparent, it may be interfering
> with the packets through the Linux machine.
>
> 4. If you use the command "iptables -L -t nat -n -v -x" do you see
> non-zero values for the packet and byte counters on the above rule?
> (ie are any packets matching the rule and being NATted, but then
> blocked somewhere else)
>
> 5. Does your ISP block incoming TCP Port 80 traffic, to stop people
> running web servers on home connections?

6. Does the web server route packets back to the Internet via your
Squid server?

If not all these are fulfilled NAT won't work..

The last can be solved by dual NAT (both DNAT and SNAT), but in such
case there is no reason not to run a proxy instead.

As Antony, I would recommend running a reverse proxy on your Squid
server machine, listening to port 80 and forwarding requests to your
web server. This only has the benefit that it is considerably easier
to set up, you also get a kind of gatekeeper function in the Squid
proxy blocking many invalid HTTP requests trying to exploit various
web servers..

This Squid should preferably not be the same Squid instance you use
for proxying. Install the accelerator mode Squid with another prefix,
and configure it like

  httpd_accel_host your.external.domain
  httpd_accel_port 80
  icp_port 0
  snmp_port 0 (if enabled)
  htcp_port 0 (if enabled)

and add your.external.domain to /etc/hosts with the IP address of your
web server.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Sun Jul 13 2003 - 12:32:02 MDT
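
Added example, not part of the original message: a small shell helper for items 2 and 4 of the checklist above. It reads the output of `iptables -L -t nat -n -v -x` and reports, per DNAT rule, whether any packets have matched it. The function names and the sample table (documentation addresses, made-up counters) are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for checklist items 2 (ip_forward) and 4 (NAT counters).

# forwarding_enabled [FILE]: succeeds only if the forwarding switch reads 1.
# FILE defaults to the real kernel setting; a path can be passed for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# dnat_report: reads `iptables -L -t nat -n -v -x` output on stdin and prints
# one line per DNAT rule: CHAIN PKTS BYTES DPT TO STATUS
dnat_report() {
    awk '
        $1 == "Chain" { chain = $2; next }   # remember the current chain
        $3 == "DNAT" {
            dpt = "-"; to = "-"
            # match options follow the nine fixed columns
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dpt = substr($i, 5)
                if ($i ~ /^to:/)  to  = substr($i, 4)
            }
            status = ($1 + 0 > 0) ? "MATCHED" : "NEVER_MATCHED"
            print chain, $1, $2, dpt, to, status
        }'
}

# Constructed sample of the command output (not captured from a real host).
sample_nat_table() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1520 packets, 91200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2220 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10        tcp dpt:80 to:192.168.1.20:80
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10        tcp dpt:443 to:192.168.1.20:443

Chain POSTROUTING (policy ACCEPT 88 packets, 5280 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      720 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
EOF
}

# On a live box (as root): iptables -L -t nat -n -v -x | dnat_report
sample_nat_table | dnat_report
```

A rule reported as NEVER_MATCHED means traffic is not reaching it at all (item 5, or the rule does not match); MATCHED with the service still unreachable points at the FORWARD rules or the return route (items 1 and 6).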
