[squid-users] transparent proxy original_dst err

Yuri Voinov yvoinov at gmail.com
Tue Apr 21 11:37:13 UTC 2015


21.04.15 17:20, Amos Jeffries wrote:
> On 21/04/2015 10:44 p.m., jaykbvt wrote:
>> Hi,
>> My squid is configured in interception mode with
>>
>> http_port 3130
>> http_port 3129 intercept
>>
>> squid is running with single network card. request comes from the Cisco ISG
>> and internet is also allowed from the same Cisco ISG only.
> I think the Cisco is doing NAT and erasing the original dst-IP value
> from the client TCP packets. The problem needs to be fixed there (by not
> NAT'ing on the Cisco).

Using NAT on the back-office Cisco is not a good idea. Usually, NAT is only 
used on the front router.

>
>> IPtables has been configured with following
>> squidip = 10.58.200.33
>> squid port = 3129
>> ====================
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
>> 10.58.200.33:3129
>> ====================
>>
> This above iptables NAT is changing something:80 to 10.58.200.33:3129.
>
> When things are configured right the something is the origin web server's
> IP the client was contacting. And the NAT un-mangling operation in Squid
> converts the 10.58.200.33:3129 back to something:80.
>
> NOTE: there are other iptables rules needed to prevent the from-Squid
> traffic from being looped back, and attackers contacting the Squid listening
> port. But your proxy is not getting that far yet. So this is just a
> heads-up for now.
>
>
>> Given below are entries in cache.log
>>
>> +++++++++++++++++++++++++++++++++++
>> 2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept:
>> local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted
> This is the connection info *after* the iptables NAT mangling is
> un-done. The 10.58.200.33:3129 has successfully been converted back into
> something:80.
>
> Unfortunately that something:80 dst-IP address received from the Cisco
> was "10.58.200.33:80" as you can see in the local= parameter above.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
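As an added example (not code from the thread, from Squid, or from its authors), a small Python check that scans cache.log httpAccept lines for the symptom Amos diagnoses: after the iptables NAT is undone, local= still holds the proxy's own IP, which means an upstream device already erased the original destination. It assumes the values from the thread (proxy IP 10.58.200.33, explicit forward port 3130) and uses constructed sample log lines; IPv4 only, as in the thread.

```python
import re
from collections import Counter

# Constructed sample cache.log lines, modelled on the httpAccept entry quoted in the thread.
# Line 1 reproduces the symptom: local= is the proxy's own IP on port 80 (original destination lost).
# Line 2 is a healthy intercepted connection: local= is a real origin server (198.51.100.10 is a
# documentation address chosen for the sample). Line 3 is an explicit forward-proxy connection
# on 3130, where seeing the proxy IP is expected. Line 4 is an unrelated log line.
SAMPLE_LOG = """\
2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept: local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted
2015/04/21 15:50:21.101 kid1| client_side.cc(3412) httpAccept: local=198.51.100.10:80 remote=10.210.83.250:40112 FD 11 flags=33: accepted
2015/04/21 15:50:22.002 kid1| client_side.cc(3412) httpAccept: local=10.58.200.33:3130 remote=10.210.83.251:40113 FD 12 flags=33: accepted
2015/04/21 15:50:22.500 kid1| some unrelated cache.log line
"""

# IPv4 addresses only (a ':' in the address would be IPv6, which this check does not handle).
ACCEPT_RE = re.compile(
    r"httpAccept: local=(?P<lip>[^:\s]+):(?P<lport>\d+) remote=(?P<rip>[^:\s]+):(?P<rport>\d+)"
)

def classify_accept(line, squid_ip="10.58.200.33", forward_port=3130):
    """Classify one cache.log line. Returns None for non-httpAccept lines, otherwise:
      "forward"           - client connected explicitly to the forward-proxy port
      "intercepted"       - local= is a real origin server: NAT un-mangling worked
      "original_dst_lost" - local= is the proxy's own IP on a non-proxy port: an upstream
                            device (the Cisco in the thread) rewrote the destination first
    """
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    local_ip, local_port = m.group("lip"), int(m.group("lport"))
    if local_ip == squid_ip:
        return "forward" if local_port == forward_port else "original_dst_lost"
    return "intercepted"

def scan_cache_log(text, squid_ip="10.58.200.33", forward_port=3130):
    """Count each outcome over a log excerpt and collect the lines showing the symptom."""
    counts = Counter()
    flagged = []
    for line in text.splitlines():
        kind = classify_accept(line, squid_ip, forward_port)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "original_dst_lost":
            flagged.append(line.strip())
    return dict(counts), flagged

if __name__ == "__main__":
    counts, flagged = scan_cache_log(SAMPLE_LOG)
    print(counts)
    for entry in flagged:
        print("original destination erased before Squid:", entry)
```

Run it against a real cache.log excerpt (debug_options ALL,1 33,2 or similar gives the httpAccept lines) to confirm the symptom before changing the Cisco's NAT rather than the Squid side.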


