Re: [squid-users] Squid, tproxy, nat and multi-homed

From: Ming-Ching Tiew <mingching.tiew@dont-contact.us>
Date: Tue, 23 Oct 2007 10:03:16 +0800

From: "Amos Jeffries" <squid3@treenet.co.nz>

Thanks for the quick response :-

>
> Most common failure like this requires 'you need to patch the kernel', but
> it sounds like that's been done.
>

Yup, this has been done.

> Next step is seeing what tcpdump shows about the two types of traffic.
> And possibly what type of router/balancer is doing the splitting?
>

This has been done too. Very clearly, tcpdump shows that for the
non-NAT-ed leg, the identity of the original requests has been
spoofed, but the bad thing is that it also spoofed the NAT-ed leg
as well, despite there being a POSTROUTING rule to do SNAT in
the nat table. Seems to me the 'tproxy' directive in squid makes
iptables nat POSTROUTING SNAT useless!

>
> PS. Do you HAVE to use tproxy?

YES. It works if I don't use it together with nat.

> If the NATing isn't a problem you could use
> a plain intercepting/transparent proxy and have remote sources down both
> streams see the squid IP as the source of requests.
>

That will be undesirable for the non-NAT-ed leg because the traffic
will head towards a firewall that will screen/filter the outgoing traffic based
on the source IPs.
Received on Mon Oct 22 2007 - 20:03:21 MDT
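The tcpdump comparison described in the post can be turned into a repeatable check: capture the outbound packets on each egress interface separately and count how many still carry a source address other than the one the POSTROUTING SNAT rule should have written. The script below is an added example, not code from the thread or from the Squid project; the interface names, the addresses and the capture lines are constructed for illustration, and it assumes each capture was taken with a filter that keeps only outbound packets.

```sh
#!/bin/sh
# Added example (not from the thread): given a tcpdump capture taken on one
# egress interface, count the packets whose source IP is not the address the
# nat POSTROUTING SNAT rule should have applied. A non-zero count on the
# NAT-ed leg reproduces the symptom described above (the tproxy-spoofed
# client address surviving past the nat table). All addresses, interface
# names and capture lines are constructed.

# count_unexpected_src EXPECTED_SRC < capture
# Reads `tcpdump -nn` style lines ("<ts> IP <src>.<sport> > <dst>.<dport>: ...")
# from stdin and prints the number of IPv4 packets whose source IP differs
# from EXPECTED_SRC. The printed number is the result; exit status is 0.
count_unexpected_src() {
    awk -v expected="$1" '
        $2 == "IP" && $4 == ">" {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # drop the trailing ".port"
            if (src != expected) bad++
        }
        END { print bad + 0 }'
}

# Constructed outbound-only capture for the NAT-ed leg (eth2), where SNAT to
# 203.0.113.2 is expected. Two packets still carry private client addresses.
NATTED_LEG_CAPTURE='10:03:16.000001 IP 10.0.0.5.41234 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
10:03:16.000002 IP 203.0.113.2.41235 > 198.51.100.20.80: Flags [S], seq 2, win 64240, length 0
10:03:16.000003 IP 10.0.0.7.41236 > 198.51.100.20.443: Flags [S], seq 3, win 64240, length 0'

# Constructed outbound-only capture for the non-NAT-ed leg (eth1), where the
# client address 10.0.0.5 is supposed to be preserved by tproxy.
PLAIN_LEG_CAPTURE='10:03:16.000005 IP 10.0.0.5.41237 > 93.184.216.34.80: Flags [S], seq 4, win 64240, length 0'

# Per-leg wrappers so each leg can be checked by name.
natted_leg_mismatches() { printf '%s\n' "$NATTED_LEG_CAPTURE" | count_unexpected_src 203.0.113.2; }
plain_leg_mismatches()  { printf '%s\n' "$PLAIN_LEG_CAPTURE"  | count_unexpected_src 10.0.0.5; }

# Stand-alone run: report both legs.
echo "NAT-ed leg (eth2): $(natted_leg_mismatches) packet(s) left without SNAT"
echo "non-NAT-ed leg (eth1): $(plain_leg_mismatches) packet(s) with unexpected source"
```

To run it against a real capture, replace the constructed strings with the output of a per-interface `tcpdump -nn` restricted to outbound traffic (for example by destination port), and compare the count for the NAT-ed leg against the count with the tproxy directive disabled; a count that only drops to zero without tproxy confirms the interaction the post describes.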
