[squid-users] Transparent Squid with Check Point FW-1

From: Simon White <simon@dont-contact.us>
Date: Fri, 29 Mar 2002 18:32:56 +0000

Hello

Well I am good on Squid, don't usually have any problems. Have
Squid2.4STABLE6 running on a RH7.2 box here for testing (finally get to
play with Squid after a long absence).

Now, I have it configured transparently, with iptables on that box getting
packets to Squid nicely with no problems; I set the box as my default
gateway and all works wonderfully.

However, my only option on this particular network is to have the firewall
(Check Point 4.1sp3) route packets to the Squid box.

I am using SRV_REDIRECT, and the firewall logs tell me that packets are
redirecting to the Squid machine OK... but I can't surf, and I see nothing
in access.log.

In the Howto by Daniel Kiracofe
http://www.linuxdoc.org/HOWTO/mini/TransparentProxy-6.html

he suggests if an intermediary box is doing the forwarding, there should
be a rule like this:

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box \
        -j SNAT --to iptables-box

so that, quoting Daniel "the reply comes back through the firewall,
instead of direct to the client."

I don't know why this is important; I can't get my head around it. If the
local network (source) wants to get to the squid box (dest), then NAT the
source as if it were from the iptables box (or firewall)?

Or, if any of you have experience doing this with Check Point, please let
me know.

-- 
[Simon White. vim/mutt. simon@mtds.com. GIMPS:60.28% see www.mersenne.org]
It is impossible to sharpen a pencil with a blunt axe. It is equally vain
to try to do it with ten blunt axes instead.  -- E. W. Dijkstra
[Linux user #170823 http://counter.li.org. Home cooked signature rotator.]
Received on Fri Mar 29 2002 - 11:33:01 MST
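The reason for Daniel's SNAT rule can be seen by tracking the NAT state on the intermediary box. The following is an added illustration, not code from the post or the HOWTO, using constructed addresses (client 10.0.0.5, iptables box 10.0.0.1, Squid box 10.0.0.2, web server 198.51.100.10): the iptables box DNATs port-80 traffic to squid-box:3128 and only it holds the mapping needed to turn Squid's reply back into a packet the client's TCP stack will accept.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the illustration (not taken from the post).
CLIENT, FIREWALL, SQUID, WEB = "10.0.0.5", "10.0.0.1", "10.0.0.2", "198.51.100.10"
SQUID_PORT = 3128

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def reverse(p):
    """The 5-tuple of a reply to packet p."""
    return Pkt(p.dst, p.dport, p.src, p.sport)

def firewall_pass(pkt, snat, table):
    """Intermediary box: PREROUTING DNAT of port 80 to squid-box:3128, and
    optionally the POSTROUTING SNAT from the HOWTO. The conntrack-style table
    maps the reply tuple Squid will send to the reply tuple the client expects."""
    if pkt.dport == 80 and pkt.src != SQUID:
        out = replace(pkt, dst=SQUID, dport=SQUID_PORT)
        if snat:
            out = replace(out, src=FIREWALL)
        table[reverse(out)] = reverse(pkt)
        return out
    return pkt

def firewall_reply(pkt, table):
    """Reverse translation for replies that do traverse the intermediary box."""
    return table.get(pkt, pkt)

def simulate(snat):
    """Returns (reply as seen by the client, whether the client accepts it)."""
    table = {}
    request = Pkt(CLIENT, 40000, WEB, 80)
    to_squid = firewall_pass(request, snat, table)
    reply = reverse(to_squid)           # Squid answers the tuple it received
    if reply.dst == FIREWALL:           # SNAT forced the reply back via the box
        reply = firewall_reply(reply, table)
    # Without SNAT the Squid box answers the client directly: src is squid:3128,
    # but the client's socket is waiting for webserver:80, so the segment is dropped.
    return reply, reply == reverse(request)
```

Running `simulate(False)` shows the client receiving a reply from 10.0.0.2:3128 for a connection it opened to 198.51.100.10:80, which no TCP stack will match; `simulate(True)` shows the un-NATed reply from 198.51.100.10:80.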

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:12 MST