[squid-users] Transparent Proxy

John Sayce jsayce at asdlighting.com
Thu Sep 8 11:54:14 UTC 2016 

Yeah, that was the key.  I was expecting my firewall to be doing NAT but destination NAT rather than source NAT.  I hadn't realised this was completely wrong.  

Got it working now.

Thanks


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Antony Stone
Sent: 08 September 2016 10:00
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Transparent Proxy

On Thursday 08 September 2016 at 10:44:12, John Sayce wrote:

> After I wrote this I realised it should be changing the mac not the 
> ip, which is not what’s happeneing.  I think it's my firewall 
> configuration that's wrong.

In that case your firewall is doing NAT instead of policy routing.

Regards,


Antony.

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] 
> On Behalf Of Antony Stone Sent: 08 September 2016 09:36
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Transparent Proxy
> 
> On Thursday 08 September 2016 at 10:12:48, John Sayce wrote:
> > For testing purposes I've reduced it to the following:
> > 
> > http_port 3128 intercept
> > #dns_v4_first on
> > dns_nameservers 10.8.2.3 194.168.4.100 10.8.2.2 8.8.8.8 acl wifi src
> > 10.8.14.0/24 acl all src all http_access allow all 
> > maximum_object_size
> > 1 GB minimum_object_size 0 KB maximum_object_size_in_memory 4 MB 
> > cache_mem 1700 MB cache_dir aufs /var/cache/squid 40000 32 512 
> > coredump_dir /var/cache/squid access_log /var/log/squid/access.log 
> > squid cache_log /var/log/squid/cache.log
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> > refresh_pattern .               0       20%     4320
> > cache_effective_user asd
> > cache_effective_group asd
> > cache_mgr jsayce at asdlighting.com
> > forwarded_for off
> > 
> > The version is 3.5.12
> > 
> > Okay.  Sorry, to clarify with a specific example.
> 
> Don't apologise - specific examples are good, because it makes sure 
> we're both talking about the same thing (and sometimes, as below, 
> reveals little details about the network arrangement which weren't previously clear).
> 
> > Lets say I'm contacting http://1.1.1.1/ then the ack packet starts 
> > off with the client with ip address 10.8.14.9
> 
> So, source IP = 10.8.14.9 : destination IP = 1.1.11
> 
> > in subnet 10.8.14.9/24 with default gateway 10.8.14.1.
> > It's routed through my core switch to my my firewall with ip 10.8.1.1.
> 
> So that's a router, not just a switch?  It has one interface 10.8.14.1 
> on subnet 10.8.14.0/24 and another interface on (presumably) 
> 10.8.1.0/24 pointing at 10.8.1.1 as the next-hop route towards 1.1.1.1
> 
> > My firewall recognises that the packet has a destination port 80 and 
> > is in subnet 10.8.14.0/24
> 
> The source address is in that subnet, yes.
> 
> > and changes the destination address to be that of my proxy server 
> > 10.8.2.11.
> 
> No - see below.
> 
> > So now the ack packet has source 10.8.14.9 and destination 10.8.2.11.
> 
> No, it doesn't.  When a packet goes via a router, its destination IP 
> address is not changed to the address of the next-hop router 
> (otherwise things would never work across the Internet).
> 
> It's only the destination MAC address in the encapsulating ethernet 
> frame which gets changed to that of the next-hop router.  The source 
> and destination IP addresses inside are not touched.
> 
> > How does iptables know to reply to my client 10.8.14.9 with source 
> > address 1.1.1.1?  Does iptables know to read the header?
> 
> TCP header, yes.
> 
> HTTP header, no.
> 
> Just think about the very first link between the client and its 
> default
> gateway:
> 
> Packet with source address = 10.8.14.9, destinatoin address = 1.1.1.1
> 
> How does that packet get to the default router 10.8.14.1?  Its 
> destination IP is 1.1.1.1, so that doesn't help.
> 
> It's because the destination MAC address in the ethernet frame 
> containing that IP packet is the MAC address of 10.8.14.1.
> 
> A few minutes playing around with wireshark on your network could be 
> quite enlightening :)
> 
> 
> 
> Regards,
> 
> 
> Antony.

--
"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list