[squid-users] Intercept mode failing

Eliezer Croitoru eliezer at ngtech.co.il
Tue Jan 3 12:53:35 UTC 2017


Hey,

There is also another option.
You can open a tunnel (IPIP, GRE, OTHER) between the proxy and the router to make it possible to directly route traffic to the proxy.

If you need some help with it let me know.

Eliezer 

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Hoggins!
Sent: Tuesday, January 3, 2017 12:54 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Intercept mode failing

Hello,

(answering to both Amos and Antony here, you got the same questioning ;) )

On 03/01/2017 at 11:45, Amos Jeffries wrote:
> On 2017-01-03 23:13, Hoggins! wrote:
>> Okay, I get that.
>>
>> On 03/01/2017 at 10:33, Antony Stone wrote:
>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>
>> Well, my Squid server is not on the same network as my clients, so I 
>> need something else than just a REDIRECT on the Squid itself.
>
> That does not matter when the DNAT or REDIRECT is done on the Squid 
> machine.

OK, I'll have a deeper look into that, indeed I'm not familiar with what REDIRECT *exactly* does.

>
>>
>>>
>>> If you need to use policy routing to get the packets to the Squid 
>>> machine in the first place, that's okay, but this *must* be packet 
>>> routing, not address translation
>>
>> Policy routing was my first choice, but there is one important detail 
>> in my setup: between my gateway (192.168.22.10) and my Squid 
>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a 
>> link-local route to 192.168.55.3 so I can't add the default route to 
>> it inside a routing table (I get "Network is unreachable", which is 
>> expected).
>>
>> So I guess I'm stuck.
>
>
> So how did the packets get to the Squid machine after your DNAT ?
>
> The route does not have to be link-local. Any type of route will do so 
> long as all the routers handling the packets know which way to pass 
> them, and the dst-IP address is not changed.

Well, xfrm routing is a lot different than "classic" routing, I learnt it the hard way. DNAT *will* work whereas policy routing won't if I don't explicitly declare all my subnets in my IPSec tunnel configuration. Got a big discussion about that on StrongSwan's mailing list, and I believe this sums it up pretty nicely:
http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png

Anyway, yes, if I try to add a route by :
    ip route add default via <IP ADDRESS> table 123

<IP ADDRESS> *has* to be directly reachable. Or it has to be in the routing table somehow. But the routing table handling the tunnelled packets is not managed by iproute2.

So as I can't do otherwise, I'm going to experiment a bit more with the REDIRECT + DNAT between the gateway and the Squid server.

Thanks for your help!

>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
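The tunnel approach Eliezer suggests, combined with the point made earlier in the thread that the REDIRECT must live on the Squid machine, as an added example that is not part of the thread: the gateway (192.168.22.10) and the Squid host (192.168.55.3) get a GRE tunnel, so the gateway's policy route has a directly reachable next hop and the destination address survives untouched until Squid's own REDIRECT. The tunnel endpoints 10.99.0.1/10.99.0.2, the LAN 192.168.22.0/24, routing table 123 and intercept port 3129 are assumptions, as is that the existing IPsec SA already covers host-to-host traffic between the two machines so the GRE packets ride inside it.

```shell
#!/bin/sh
# Added example, not from the thread. Gateway and Squid addresses come from
# the thread; tunnel addresses, LAN, table number and port are assumptions.
GW_IP=192.168.22.10
SQUID_IP=192.168.55.3
GW_TUN=10.99.0.1
SQUID_TUN=10.99.0.2
LAN=192.168.22.0/24
INTERCEPT_PORT=3129
TABLE=123

# Print each command unless APPLY=1, so the plan can be reviewed before use.
emit() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

gateway_side() {
  # GRE tunnel towards the Squid host; its peer address is now on-link.
  emit ip tunnel add gre-squid mode gre local "$GW_IP" remote "$SQUID_IP" ttl 64
  emit ip addr add "$GW_TUN/30" dev gre-squid
  emit ip link set gre-squid up
  # Policy routing only: mark LAN web traffic and route it down the tunnel.
  # No NAT here, so the original destination address reaches Squid intact.
  emit iptables -t mangle -A PREROUTING -s "$LAN" -p tcp --dport 80 -j MARK --set-mark 1
  emit ip rule add fwmark 1 table "$TABLE"
  emit ip route add default via "$SQUID_TUN" dev gre-squid table "$TABLE"
}

squid_side() {
  emit ip tunnel add gre-gw mode gre local "$SQUID_IP" remote "$GW_IP" ttl 64
  emit ip addr add "$SQUID_TUN/30" dev gre-gw
  emit ip link set gre-gw up
  # The REDIRECT belongs on the Squid machine: conntrack keeps the original
  # destination, which Squid's intercept port reads back from the NAT table.
  emit iptables -t nat -A PREROUTING -i gre-gw -s "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"
  # Replies to LAN clients must go back through the tunnel, not the default route.
  emit ip route add "$LAN" via "$GW_TUN" dev gre-gw
}

case "${1:-}" in
  gateway) gateway_side ;;
  squid)   squid_side ;;
  *)       echo "usage: $0 gateway|squid   (set APPLY=1 to execute)" ;;
esac
```

Squid itself needs a matching `http_port 3129 intercept` line; run the script with APPLY unset first and compare the printed plan against the existing rules on each box.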
