Re: [squid-users] By passing squid for a subnet

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Fri, 28 Apr 2006 01:12:42 +0200

tor 2006-04-27 klockan 20:20 +0100 skrev Tony:
> We have a Cisco that is terminating an L2TP tunnel which our users connect
> on.
> Each user that we want to send to our squid box has a per virtual interface
> policy map assigned via radius to forward port 80 traffic to our squid
> server.
> On the squid server we have the following rules to do this.
>
> ###############
> /sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> /sbin/iptables -A PREROUTING -t nat -p tcp -s 10.0.0.0/20 --dport 80 -j DNAT --to 192.168.0.4:3128
> ###############
>
> This all works fine for all web browsing except for a second subnet that is
> also connected to the same Cisco router.

Is this also within the 10.0.0.0/20? If not you'll need one more
iptables rule to intercept that network as well..

> Without the policy map assigned they can, and they also can if they set their
> web browser to proxy via the squid server on 192.168.0.4 on port 80 as the
> policy map would do.

Explicit proxy settings and policy routing with interception are very
different beasts.

The first is plain IP networking following all standards.

The second is a hack, violating the fundamental end-to-end property of
TCP/IP networking only to work around application shortcomings (the
inability to tell the browser to use the proxy proper).

> So this tells me it's not the squid server in any way.

Well, it for sure isn't Squid being the problem, but it may still be the
server Squid runs on. See above.

Regards
Henrik
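
The check Henrik asks for (is the second subnet inside the 10.0.0.0/20 that the posted DNAT rule matches, and if not, which extra PREROUTING rule is needed) can be done mechanically. The script below is an added example, not part of the thread or of Squid; it reuses the source range and DNAT target from Tony's rule, and the client subnets in CLIENT_SUBNETS are constructed values standing in for whatever the RADIUS profiles hand out. Python is used here because its ipaddress module does the CIDR containment arithmetic that is awkward in plain sh.

```python
import ipaddress

# From the posted rule: the -s filter and the --to target of the DNAT rule.
INTERCEPT_SRC = "10.0.0.0/20"
SQUID_TARGET = "192.168.0.4:3128"

# Constructed client ranges (assumption, not from the thread): one inside the
# intercept filter, one adjacent to it, one in an unrelated RFC 1918 block.
CLIENT_SUBNETS = ["10.0.4.0/22", "10.0.16.0/22", "172.16.8.0/24"]


def classify(intercept_src, subnet):
    """Compare a client subnet with the -s range of the existing DNAT rule.

    Returns (kind, missing) where kind is one of:
      "covered"   - every client address already hits the rule
      "partial"   - the client range is larger than the filter; only the
                    remainder is missed (CIDR blocks are nested or disjoint,
                    so this is the only form partial overlap can take)
      "uncovered" - the rule never matches this range
    and missing is the list of networks still needing a rule.
    """
    inter = ipaddress.ip_network(intercept_src)
    net = ipaddress.ip_network(subnet)
    if net.subnet_of(inter):
        return "covered", []
    if inter.subnet_of(net):
        return "partial", sorted(net.address_exclude(inter))
    return "uncovered", [net]


def missing_rules(intercept_src, client_subnets, target=SQUID_TARGET, port=80):
    """Emit one PREROUTING DNAT rule per client range the existing rule misses."""
    rules = []
    for subnet in client_subnets:
        _, missing = classify(intercept_src, subnet)
        for net in missing:
            rules.append(
                f"/sbin/iptables -A PREROUTING -t nat -p tcp -s {net} "
                f"--dport {port} -j DNAT --to {target}"
            )
    return rules


def report(intercept_src, client_subnets):
    """Human-readable coverage summary, one line per client subnet."""
    lines = []
    for subnet in client_subnets:
        kind, missing = classify(intercept_src, subnet)
        extra = f" (needs: {', '.join(map(str, missing))})" if missing else ""
        lines.append(f"{subnet}: {kind}{extra}")
    return lines


if __name__ == "__main__":
    for line in report(INTERCEPT_SRC, CLIENT_SUBNETS):
        print(line)
    print()
    for rule in missing_rules(INTERCEPT_SRC, CLIENT_SUBNETS):
        print(rule)
```

Running it prints which constructed subnets the existing rule already intercepts and the exact additional iptables lines for the others. Note that this only covers the interception match on the Squid host: clients whose policy map does not send port 80 through that box, as in the second half of Tony's report, never reach PREROUTING there at all, so a "covered" verdict here says nothing about the Cisco side.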

Received on Thu Apr 27 2006 - 17:12:59 MDT
