Re: [squid-users] Redirect Web traffic From Linux GW to win32 squid.

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 30 Aug 2007 12:10:05 +0200

On ons, 2007-08-29 at 23:18 -0500, Rogelio Sevilla Fernandez wrote:
> I'm working with a WRT54GL and I want to make some whitelists for websites.
> I tried to do that with iptables + webstr but I had a lot of problems
> with hotmail. So I decided to install squid on a Win2k server and
> redirect all the web traffic from the WRT54GL to my Win2kServer.
>
> This is the scenario.
>
>
> INTERNET --- WRT54GL ----+--- Clients
>                          |
>                          +--- Win2KServer

This requires some heavy NAT:ing of the traffic due to the clients and
server being on the same side of the router.

> On the WRT54GL I have a rule to DNAT all the web traffic to the
> Win2KServer on port 3128, except for traffic from the Win2kServer itself.
>
> The squid on the Win2kServer appears to be working OK. But when the clients
> open their browser, I get an error from squid. The squid access.log
> shows:
> error:invalid-request

Have you configured squid.conf properly for transparent interception?

> And it only shows the IP of the WRT54GL and not the real IP of the clients.

Yes, that's because you NAT the traffic in the WRT54GL. The routing
would not work at all if the router did not masquerade the source IP in
the above setup, as the return traffic from the server needs to be routed
via the router when using NAT. (The above is a so-called loopback NAT
setup.)

What you can do is to move the server to a DMZ zone.

INTERNET --- NATROUTER ---- CLIENTS
                 |
                 |
               Server

this avoids the loopback, and allows traffic to be NAT:ed on one side
only, making the client IP available to the server.

Regards
Henrik
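The two layouts above, as an added example that is not part of the original thread: a small POSIX shell script that prints the iptables rules for each case instead of applying them, so the difference can be checked before anything is loaded on the router. Interface name, subnets and the proxy address are assumptions, not values from the thread.

```shell
# Assumed values (not from the thread): client-facing interface on the
# router, the client subnet, and the Squid host in its own DMZ subnet.
LAN_IF="${LAN_IF:-br0}"
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"
PROXY_IP="${PROXY_IP:-192.168.2.10}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Loopback variant (clients and proxy on the same router interface):
# DNAT alone is not enough, because the proxy would answer the client
# directly and the client would drop the reply. The POSTROUTING
# MASQUERADE fixes routing but hides every client behind the router IP,
# which is exactly what access.log shows in the original post.
loopback_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j MASQUERADE
EOF
}

# DMZ variant (proxy behind a separate router interface): replies have
# to cross the router anyway, so only the destination is rewritten and
# Squid sees the real client address for logging and ACLs.
dmz_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $CLIENT_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
EOF
}

# Review helper: exit 0 if a rule set on stdin rewrites the client source
# address (MASQUERADE or SNAT), i.e. the proxy will not see client IPs.
hides_client_ip() {
  grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# Print the DMZ rule set for review; redirect to a file to apply later.
dmz_rules
```

Run `loopback_rules | hides_client_ip && echo "client IPs hidden"` to confirm the same-subnet layout is the one that loses the client address.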

Received on Thu Aug 30 2007 - 04:10:16 MDT
