Erik,
Checking my iptables rules I find that I have postrouting set as well.
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:10.0.0.2
to: is set to the outside NIC of the Squid/firewall machine.
Also, are you redirecting "outside" port 80 to 3128 on the Squid machine,
and if so, is Squid accepting connections on 3128? I'm not entirely
certain that 80 needs to be redirected on the Squid machine if you
already have a router doing that for you.
Erik Bixby wrote:
> As I said in my initial post, I have read every word of Squid's FAQ on
> the matter, and I have my iptables set up properly:
> root@filter:~# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> root@filter:~#
>
> I have no expectation that we will be filtering SSL. There was a post
> on the matter earlier, from someone else. Perhaps, you are confusing
> the two. Although, I do appreciate your attention and willingness to
> try and help.
>
> Where I've run into trouble is it seems as though I have everything
> setup properly. Squid works if you connect directly to it. The GRE
> tunnel establishes a connection to the router. Squid registers itself
> with the router and is recognized. Traffic is forwarded to the Squid
> box. I've verified this with Ethereal; with Squid not registered with
> the router, eth0 doesn't see traffic from my browser. With Squid
> registered with the router, I see the traffic on eth0, but nothing
> more ever happens...
> -Erik
>
> On 11/1/06, JT Moree <moreejt@pcxperience.com> wrote:
> Erik Bixby wrote:
>>>> SquidGuard runs fine. With a browser configured to use the proxy
>>>> directly, everything works. It's only when trying to intercept
>>>> traffic that things fall down. I can get the packets from the client
>>>> to the web server to either the Ethernet or GRE virtual interface on
>>>> the Squid box, but Squid does nothing with them. That is my problem;
>>>> how to get Squid to act on HTTP requests that are neither originated
>>>> from nor destined for it.
> huh? Try using the firewall on the squid box to forward incoming
> traffic for port 80 to the squid port. Unless you are running squid at
> port 80--which is possible I suppose.
>
> If you are trying to automatically forward port 443 (SSL) I don't think
> that will work. SSL traffic will need to use the proxy setup in the
> browser.
>
> If I understand what you are trying to do, it involves more than just
> Squid to do it. You probably need to redirect all port 80 traffic that is
> not from the Squid box to the Squid box on the real firewall. Then
> allow the Squid box to access port 80 through the firewall.
>
> Is the proxy server (squid) the same as the firewall? same principles
> apply just on one machine rather than over the network.
>
> --
> JT Morée
> PC Xperience, Inc.
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
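As an added example, not code from this thread, from Squid, or from any of the posters: the REDIRECT rule quoted above matches "anywhere anywhere", so it restricts neither the incoming interface nor the source network and relies entirely on Squid's http_access ACLs to decide who may relay through the box. It also has no exclusion for the Squid host's own address, which is the loop JT describes when a router sends all port 80 traffic, including Squid's own fetches, back to the proxy. The POSIX shell script below generates a restricted rule set for the Squid host and audits an iptables-save dump for an unrestricted port 80 REDIRECT. The interface name gre0 (the WCCP/GRE interface on which redirected client traffic arrives; use eth0 for an inline proxy) and the network 10.0.0.0/24 are assumptions; 10.0.0.2, 3128 and eth0 come from the thread. The script prints rules rather than applying them, and the audit reads a constructed dump, so it runs without root or a real firewall.

```shell
#!/bin/sh
# Added example (not from the thread): generate transparent-proxy NAT rules
# for the Squid host and audit an iptables-save dump for an unrestricted
# REDIRECT. Assumed values: client traffic arrives on gre0 (WCCP/GRE from the
# router; eth0 for an inline proxy), LAN is 10.0.0.0/24, Squid is 10.0.0.2:3128.

IN_IF=${IN_IF:-gre0}
LAN_NET=${LAN_NET:-10.0.0.0/24}
SQUID_IP=${SQUID_IP:-10.0.0.2}
SQUID_PORT=${SQUID_PORT:-3128}

# Print, but do not apply, the nat rules. Pipe the output into sh on the
# Squid box to apply it. The RETURN rule comes first so that traffic the
# proxy itself originates (looped back by the router over the tunnel) is
# never redirected into Squid again; the REDIRECT then only fires for
# packets that arrive on the expected interface from the expected network.
gen_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $IN_IF -s $SQUID_IP -p tcp --dport 80 -j RETURN
iptables -t nat -A PREROUTING -i $IN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Audit an iptables-save dump read from stdin. Every nat PREROUTING REDIRECT
# for dport 80 must match an input interface (-i) or a source (-s); anything
# else is reported as UNRESTRICTED. Returns 0 if all such rules are
# restricted, 1 if at least one is not.
audit_redirects() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING/ && /-j REDIRECT/ && /--dport 80/ {
            if ($0 !~ /(^| )-i / && $0 !~ /(^| )-s /) {
                print "UNRESTRICTED: " $0
                bad = 1
            } else {
                print "ok: " $0
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed dump in iptables-save format matching the rule quoted in the
# thread (no interface, no source). Not captured from any real system.
sample_dump() {
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' \
        'COMMIT'
}

# Convert the generated commands into iptables-save form so they can be
# fed through the same audit.
generated_dump() {
    echo '*nat'
    gen_rules | sed 's/^iptables -t nat //'
    echo 'COMMIT'
}

if [ "${1:-}" = "demo" ]; then
    echo "# generated rules:"; gen_rules
    echo "# audit of the thread's rule:"; sample_dump | audit_redirects || true
    echo "# audit of the generated rules:"; generated_dump | audit_redirects
fi
```

On the Squid box itself, `iptables-save -t nat | sh -c '. ./script.sh; audit_redirects'` runs the audit against the live rule set. Two things the audit cannot check and that are worth confirming by hand: that Squid is actually listening on the redirect port (`netstat -ltn` should show 3128), and that the `http_port` line in squid.conf carries the interception option for your Squid version (`transparent` on the 2.x series of that era, `intercept` on later releases), since without it Squid will accept the redirected connection but not treat it as an intercepted request.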