Re: [squid-users] Running squid out of the router/gateway

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Jan 2012 13:45:51 +1300

On 20/01/2012 1:11 p.m., Tim Fletcher wrote:
> On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:
>
>> Reading at squid site, looks like NATting outgoing connections to a
>> squid running on an other box is not a good idea.
>> Questions:
>> What is the suggested way to implement this scenario?
>> How can I get rid of the loop?
> I use this script to transparently proxy on a box that isn't the
> firewall using a combination of iptables to set a mark and then iproute
> to change the default GW for packets with that mark set.
>
> The idea is that we first of all accept packets from the proxy so they
> don't get marked, and then we mark all packets going to port 80 and then
> redirect them to the proxy.

Called "policy routing" and documented in the Squid wiki interception
configs under that name.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

>
> On the proxy host you will need to accept and redirect the packets to
> the squid port.
>
> iptables -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

You are missing "-t nat" on those rules.

Amos
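As an added illustration (not code from this thread, from Tim, or from the Squid project), the script below generates both halves of the setup Amos points at: the gateway side, where packets from the proxy are accepted before the MARK rule so they are never rerouted back (that is what removes the loop), and the proxy side, which is Tim's two PREROUTING rules with the "-t nat" Amos says is missing. The addresses, interface name, fwmark value and routing table number are assumptions for the example: proxy host 192.168.1.2 on eth0, Squid listening on 8080 with "http_port 8080 intercept" in squid.conf, mark 1 and table 100 unused on the gateway.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid itself.
# Prints the iptables/iproute2 commands for "policy routing" interception
# with Squid on a box that is not the gateway; pipe the output into sh as
# root on the matching host. Assumed values (not from the thread):
PROXY_IP=192.168.1.2   # host running Squid with "http_port 8080 intercept"
LAN_IF=eth0            # LAN-facing interface on both hosts
SQUID_PORT=8080
FWMARK=1               # assumed free on the gateway
RT_TABLE=100           # assumed free on the gateway
set -eu

# Gateway side. The first rule ACCEPTs packets sourced from the proxy in
# mangle/PREROUTING, which ends traversal of that chain, so the proxy's own
# upstream connections are never marked and leave by the normal default
# route. Everything else to port 80 gets the mark, and the mark selects a
# routing table whose default route is the proxy instead of the upstream.
gateway_rules() {
    proxy_ip=$1 lan_if=$2 mark=$3 table=$4
    cat <<EOF
iptables -t mangle -A PREROUTING -i $lan_if -s $proxy_ip -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i $lan_if -p tcp --dport 80 -j MARK --set-mark $mark
ip rule add fwmark $mark table $table
ip route add default via $proxy_ip dev $lan_if table $table
EOF
}

# Proxy side. REDIRECT is a nat-table target, and PREROUTING exists in the
# nat and mangle tables but not in the default filter table, so without
# "-t nat" iptables rejects the rule. Traffic addressed to the proxy host
# itself is exempted so a local port-80 service stays reachable.
proxy_rules() {
    proxy_ip=$1 lan_if=$2 squid_port=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -d $proxy_ip -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
EOF
}

# Check for the mistake Amos flags: count proxy-side iptables rules that do
# not select the nat table. Prints 0 when every rule carries "-t nat".
count_rules_missing_nat() {
    proxy_rules "$PROXY_IP" "$LAN_IF" "$SQUID_PORT" \
        | grep '^iptables ' | grep -vc -- '-t nat ' || true
}

case "${1:-}" in
    gateway) gateway_rules "$PROXY_IP" "$LAN_IF" "$FWMARK" "$RT_TABLE" ;;
    proxy)   proxy_rules "$PROXY_IP" "$LAN_IF" "$SQUID_PORT" ;;
    *)       echo "usage: $0 gateway|proxy  (pipe the output into sh as root)" >&2 ;;
esac
```

Run `sh policy-route.sh gateway | sh` on the router and `sh policy-route.sh proxy | sh` on the Squid host. The gateway must already forward (it is the router, so net.ipv4.ip_forward is on), and the proxy host's replies to clients go back through its own default route via the gateway, which the -s exemption keeps out of the marked path.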
Received on Fri Jan 20 2012 - 00:45:59 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 20 2012 - 12:00:03 MST