Dnia 15-03-2010 o godz. 18:00 Hubert Choma napisa³(a):
> Dnia 15-03-2010 o godz. 14:42 Henrik Nordström napisa³(a):
> > mán 2010-03-15 klockan 14:00 +0100 skrev Hubert Choma:
> >
> > > iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT
> > > --to-port 8080
> > > It's correct iptables rule ?
> >
> > Is eth0 the interface where clients traffic is arriving?
> >
> > If you are using wccp then the interface is usually a gre interface, not
> > ethx..
> >
> > Regards
> > Henrik
>
> Hello Henrik Thanks for help !
>
> I don't use WCCP eth0 its interface for WAN. Yes You have got right when
> eth0 is set then my site doesn't work from WAN side and LAN side. I
> changed it from eth0 to eth1
>
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> but sites are loading very long !!
>
> My topology
> UTM Router 192.168.1.1----->eth0 192.168.1.2 (services for WAN
> apache,FTP)---->eth1 192.168.0.1(on eth1 works squid 192.168.0.1:8080 as
> transparent proxy)---LAN XP clients 192.168.0.0/24
> So I have 2 NAT :
> First UTM router
> SECOND Linux (Centos Router with - apache ftp and squid services)
> I would like to setup squid as transparent proxy for lan clients.
>
> I have a few doubts :
> 1) squid uses dns from resolv.conf so I have 3 nameservers
> nameserver 194.204.152.34 first dns from internet provider (DSL)
> nameserver 194.204.159.1 second dns
> nameserver 192.168.1.1 (UTM router)
>
> My public IP 83.18.17.30 is assigned to domain geodezja.wolomin.pl
> so what entries should i use to /etc/hosts ? Centos machine hostname is
> proliant.
> I have 2 Nics and 1 hostname=proliant so i think maybe it is a problem
> with correct resolve of internal LAN names. Look at my /etc/hosts
>
> How they should look like valid entries for the ProLiant machine with 2
> NICS ??
>
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost proliant
> 192.168.1.2 proliant
> 192.168.0.1 proliant.geodezja.wolomin.pl proliant
> #83.18.17.30 geodezja.wolomin.pl proliant
> 192.168.0.2 sm2
> 192.168.0.3 sm3
> 192.168.0.4 sm4
> 192.168.0.6 sm19
> 192.168.0.8 sm9
> ::1 localhost6.localdomain6 localhost6
>
> 2) Maybe its iptables problem ???????
> I still have error with /etc/init.d/squid start [failed] and in logs
> there are no warnings or errors !?
>
> Sorry for my english
> PLEASE HELP!
I noticed a worrying thing! Yesterday I installed squid on my machine
at home Centos 5.4.
By default, I was installed squid 2.6 from the Centos repository squid
2.6.
1) I did uninstall "yum remove squid" .
2) I have downloaded from http://people.redhat.com/~jskala/squid/ squid
2.7 Stable-1.el5
3) remove /etc/squid/ , /var/log/squid , /var/spool/squid
4) yum localinstall --nogpgcheck squid-2.7.STABLE7-1.el5
5) I had to create /var/log/squid/run directory manually for squid .pid
file
permissions 776 owner and group squid
[root_at_proliant squid]# ls -al
drwxr-x--- 3 squid squid 4096 mar 15 12:55 .
drwxr-xr-x 19 root root 4096 mar 16 04:05 ..
-rw-r----- 1 squid squid 340215 mar 15 20:20 access.log
-rw-r----- 1 squid squid 153839 mar 14 04:02 access.log.1.gz
-rw-r----- 1 squid squid 761563 mar 15 23:07 cache.log
drwxrwxrw- 2 squid squid 4096 mar 15 23:07 run
6) squid -z
7) iptabpes -A INPUT -p tcp --dport 8080 -j ACCEPT (and another rule for
port 80)
8) service squid start show [FAILED]
AND I RECEIVE ERROR !! THE SAME LIKE IN MY PRODUCTION SERVER !!!!
service squid status show running !! But
service squid restart:
Zatrzymywanie squid: [ OK ]
Uruchamianie squid: [NIEUDANE]
[root_at_proliant /]#
NIEUDANE = FAILED
All of above things are made from root account.
In cache.log there is no warnings or errors ! What's going on ? How can
I track error ?
How can I find an error or the cause of the error?? squid -X show
nothing wrong.
What am I doing wrong?
My iptables
#!/bin/sh
modprobe ip_nat
modprobe ip_conntrack_ftp
modprobe ip_conntrack
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
#Udostêpnienia RDP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT
--to-destination 192.168.0.6:3389
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
#Udostepnienie DraytekSyslog
iptables -t nat -I PREROUTING -p udp -i eth0 -d 0/0 --dport 514 -j DNAT
--to 192.168.0.6
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 514 -j ACCEPT
iptables -t nat -I PREROUTING -p udp -i eth0 -d 0/0 --dport 513 -j DNAT
--to 192.168.0.6
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 513 -j ACCEPT
# SERVICES FOR WAN (eth0 =httpd,ftp,ssh,postgres)
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
#DNS INPUT
iptables -A INPUT -p udp -s 194.204.152.34/32 --source-port 53 -d 0/0 -j
ACCEPT
iptables -A PREROUTING -t nat -i eth0 -s 192.168.0.0/24 -p tcp --dport
80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT
--to-source 192.168.1.2
I noticed that when I type :
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
clients from WAN (internet side) can't connect to my site on apache (all
traffic 80 is redirected to squid but I need httpd to work on 80 on
eth0, squid works on eth1)
I add -s 192.168.0.0./24
iptables -A PREROUTING -t nat -i eth0 -s 192.168.0.0/24 -p tcp --dport
80 -j REDIRECT --to-port 8080
now clients connect to my site but connection to internet from LAN to
WAN is very slow. I think it was creating a strange loop ??
PLEASE HELP!!
Received on Tue Mar 16 2010 - 08:37:50 MDT
This archive was generated by hypermail 2.2.0 : Tue Mar 16 2010 - 12:00:03 MDT