[squid-users] External nat'ed transparent proxy

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 26 05:26:44 UTC 2016


On 26/10/2016 5:26 a.m., Eliezer Croitoru wrote:
> Hey Henry,
> 
> It's not about RFC at all from my point of view.
> It's very simple to set up the system in a way that will work as you want but with, let's say, Ubuntu 16.04 or Debian 8 (latest).
> These are very stable in my environment and if you need some help with the design I would be able to assist you with it.
> I cannot find right now the whole setup specs but it's very simple to mark connections by the VLAN or the source network:
> You will just need to change the next rules to be static and to not rely on NFQUEUE:
> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#iptables_rules_example
> 
> Then write a special routing table per vlan.
> The reason to do so is since this is how it is supposed to be and not because of the RFC.

Well, the RFC describes what "how it is supposed to be" is exactly. But
that is as relevant as they get.

It's a simple situation of: if you replace part of any protocol's on-wire
binary bytes with random or wrong data, don't expect it to continue working.

> Your setup breaks good connections but maybe you are just not aware of it.

No 'maybe' about it. It *is* breaking connections, guaranteed.

Otherwise you (Henry) would not have noticed any issue when Squid
stopped the breakage from happening. The TCP/IP level breakage is/was
just happening in a way that hides itself from the admin's sight and logs
until Squid-3 started pointing it out.

Amos