[squid-users] Squid on separate box and it can't see packets

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 21 04:06:54 UTC 2017


On 21/02/2017 10:25 a.m., Eliezer  Croitoru wrote:
> And just wanted to add a note that some Linux machines will act as a
> HUB\BRIDGE by default in a similar scenario (will not drop
> packets..). I noticed it while working on some tiny lab and it's
> better to have the linux machine with ipv4_forward turned on with an
> iptables DROP rule rather than without (with some distros and some
> specific kernels).

Nod.

If the machine is working as a true bridge then the packets will not be
going to Squid. It still needs the routing rules to route the packets
from its bridge interface to Squid, and from Squid to its bridge
outerface. Or for that matter to pass them from the bridge
inter/outerfaces and the NAT system.

Amos



> 
> Eliezer
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
> 
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
> Sent: Friday, February 17, 2017 3:59 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid on separate box and it can't see packets
> 
> On 15/02/2017 9:18 a.m., John Pearson wrote:
>> Hi,
>>
>> Is this squid box a router or just a proxy?
>> - just a proxy
> 
> There is the first problem.
> 
> NAT interception needs the machine Squid is running on to be configured
> to operate as a router. It will be receiving packets destined to a
> machine other than itself.
> 
>>
>> What tcpdump command did you run?
>> - sudo tcpdump -i eth0
>>
>> What is the networks that are involved?
>> Setup:
>>
>>> Client    (192.168.1.8) --->  |    Router    |
>>>                               | gateway/dhcp | ---> Internet
>>> Squid box (192.168.1.2) --->  |  192.168.1.1 |
>>
>>
>> Here Client (debian), squid (debian) and router are three separate devices.
>>
> 
> So the Squid machine:
> 
> requires this bit you did:
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
> 
> PLUS the system TCP stack controls to turn it from an origin-server host
> to a routing host. Otherwise the machine will silently drop packets not
> destined to itself.
> 
> 
> The router machine requires this:
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#When_Squid_is_Internal_amongst_clients>
> 
> The router machine probably also needs the "Routing Setup":
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#Routing_Setup>
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
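The "routing host" settings Amos and Eliezer describe above, as an added shell example that is not from the thread or the Squid project: it checks whether the kernel has IPv4 forwarding on (the setting whose absence makes the host silently drop packets not addressed to it) and prints the sysctl and iptables commands for a Squid box that intercepts port 80 arriving from the LAN while dropping everything else it would otherwise forward, so it never behaves as the open hub/bridge Eliezer mentions. The interface name eth0, the intercept port 3129, the Squid-IP ACCEPT guard against packets the router might bounce back, and the FORWARD drop policy are assumptions; the addresses come from the diagram in the thread. The router-side policy routing is a separate step covered by the wiki pages linked above.

```shell
#!/bin/sh
# Constructed example: check and render the Squid-box side of an
# interception setup. Values below are assumptions, not thread-provided
# configuration, except the Squid address taken from the diagram.

SQUID_IP="${SQUID_IP:-192.168.1.2}"      # Squid box address from the thread's diagram
LAN_IF="${LAN_IF:-eth0}"                 # assumed LAN-facing interface on the Squid box
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}" # assumed "http_port 3129 intercept" in squid.conf

# Return 0 when the kernel knob at $1 reads "1" (forwarding enabled), 1 otherwise.
# The path is a parameter so the check can be run against a constructed file
# as well as the live /proc/sys/net/ipv4/ip_forward.
ip_forward_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Print the commands that turn an origin-server host into a routing host
# that hands LAN port-80 traffic to Squid and forwards nothing else.
#   $1 = LAN interface, $2 = Squid's own IP, $3 = Squid intercept port
render_intercept_rules() {
    lan_if="$1"; squid_ip="$2"; port="$3"
    cat <<EOF
# 1. Accept packets not addressed to this host instead of silently dropping them.
sysctl -w net.ipv4.ip_forward=1
# 2. Guard: if the router ever bounces Squid's own outbound port-80 traffic
#    back at this box, do not redirect it into Squid again (assumed safeguard).
iptables -t nat -A PREROUTING -i $lan_if -s $squid_ip -p tcp --dport 80 -j ACCEPT
# 3. Hand every other port-80 flow arriving from the LAN to the intercept port.
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $port
# 4. Redirected packets are delivered locally (INPUT); anything that would be
#    forwarded straight through this box is dropped, so it is a proxy, not a hub.
iptables -P FORWARD DROP
EOF
}

# Stand-alone usage: report the live kernel setting, then print the rules.
if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
    echo "# net.ipv4.ip_forward is already 1"
else
    echo "# net.ipv4.ip_forward is 0 (or unreadable): this host drops packets not addressed to it"
fi
render_intercept_rules "$LAN_IF" "$SQUID_IP" "$INTERCEPT_PORT"
```

Run it on the Squid box to see which state the kernel is in and to review the rule set before applying it; the printed commands are meant to be read and then pasted deliberately, which is why the script renders them rather than executing them.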