[squid-users] transparent proxy original_dst err
Amos Jeffries
squid3 at treenet.co.nz
Tue Apr 21 11:20:48 UTC 2015
On 21/04/2015 10:44 p.m., jaykbvt wrote:
> Hi,
> My squid is configured in interception mode with
>
> http_port 3130
> http_port 3129 intercept
>
> squid is running with single network card. request comes from the Cisco ISG
> and internet is also allowed from the same Cisco ISG only.
I think the Cisco is doing NAT and erasing the original dst-IP value
from the client TCP packets. The problem needs to be fixed there (by not
NAT'ing on the Cisco).
>
> IPtables has been configured with following
> squidip = 10.58.200.33
> squid port = 3129
> ====================
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> 10.58.200.33:3129
> ====================
>
This above iptables NAT is changing something:80 to 10.58.200.33:3129.
When things are configured right the something is the origin web server's
IP the client was contacting. And the NAT un-mangling operation in Squid
converts the 10.58.200.33:3129 back to something:80.
NOTE: there are other iptables rules needed to prevent the from-Squid
traffic being looped back, and attackers contacting the Squid listening
port. But your proxy is not getting that far yet. So this is just a
heads-up for now.
> Given bellow are entries in cache.log
>
> +++++++++++++++++++++++++++++++++++
> 2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept:
> local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted
This is the connection info *after* the iptables NAT mangling is
un-done. The 10.58.200.33:3129 has successfully been converted back into
something:80.
Unfortunately that something:80 dst-IP address received from the Cisco
was "10.58.200.33:80" as you can see in the local= parameter above.
Amos
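Added example, not part of the thread: a small shell script that (a) prints the iptables rule set for this DNAT interception setup, including the two extra rules Amos alludes to (keeping Squid's own outbound traffic from being looped back through the redirect, and dropping direct connections to the intercept port so only DNATed packets reach it), and (b) scans cache.log httpAccept lines for the symptom diagnosed above, a local= address that is the proxy's own IP rather than an origin server. The rule layout follows what the Squid project documents for Linux DNAT interception; the second sample log line is constructed, and the drop rule relies on the fact that the mangle PREROUTING chain is evaluated before nat PREROUTING, so a packet that already carries dport 3129 on arrival is a direct connection, not a redirected one.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults match the post.
SQUIDIP="${SQUIDIP:-10.58.200.33}"
SQUIDPORT="${SQUIDPORT:-3129}"

# Print the interception rule set for the given proxy IP and intercept port.
# Run with APPLY=1 as root to execute it instead of just printing it.
intercept_rules() {
    ip="$1"; port="$2"
    cat <<EOF
# Traffic sourced from the proxy itself is never redirected (loop prevention)
iptables -t nat -A PREROUTING -s $ip -p tcp --dport 80 -j ACCEPT
# Client port-80 traffic is rewritten to the intercept port; Squid undoes this
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $ip:$port
# mangle runs before nat, so dport $port here means a direct (non-DNAT) connection
iptables -t mangle -A PREROUTING -p tcp --dport $port -j DROP
EOF
}

# Count httpAccept lines whose local= IP is the proxy itself. Each such line
# is an accepted connection whose original destination was already lost
# (e.g. NATed away upstream) before the packet reached Squid.
lost_origdst() {
    ip="$1"
    awk -v squid="$ip" '
        /httpAccept:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^local=/) {
                    split(substr($i, 7), a, ":")   # strip "local=", split ip:port
                    if (a[1] == squid) n++
                }
        }
        END { print n + 0 }'
}

# Constructed sample: first line is the one from the post, second is a healthy
# accept with a real origin address (198.51.100.10 is a documentation range).
SAMPLE_LOG='2015/04/21 15:50:20.576 kid1| client_side.cc(3412) httpAccept: local=10.58.200.33:80 remote=10.210.83.249:3375 FD 10 flags=33: accepted
2015/04/21 15:50:21.100 kid1| client_side.cc(3412) httpAccept: local=198.51.100.10:80 remote=10.210.83.250:4411 FD 11 flags=33: accepted'

if [ "${APPLY:-0}" = 1 ]; then
    intercept_rules "$SQUIDIP" "$SQUIDPORT" | sh    # needs root
else
    intercept_rules "$SQUIDIP" "$SQUIDPORT"
fi
echo "accepts with lost original destination:" \
     "$(printf '%s\n' "$SAMPLE_LOG" | lost_origdst "$SQUIDIP")"
```

On a live host, point the checker at the real log (`lost_origdst 10.58.200.33 < /var/log/squid/cache.log`, with debug_options raised enough for section 33 to emit httpAccept lines); a non-zero count while the iptables rules are in place means the original destination is being lost upstream of the proxy, exactly the Cisco-side NAT Amos describes, and no iptables change on the Squid box will recover it.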