[squid-users] Squid on separate box and it can't see packets
Eliezer Croitoru
eliezer at ngtech.co.il
Mon Feb 20 21:25:43 UTC 2017
And just wanted to add a note that some Linux machines will act as a HUB\BRIDGE by default in a similar scenario (will not drop packets..).
I noticed it while working on some tiny lab and it's better to have the linux machine with ipv4_forward turned on with an iptables DROP rule rather than without (with some distros and some specific kernels).
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Friday, February 17, 2017 3:59 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid on separate box and it can't see packets
On 15/02/2017 9:18 a.m., John Pearson wrote:
> Hi,
>
> Is this squid box a router or just a proxy?
> - just a proxy
There is the first problem.
NAT interception needs the machine Squid is running on to be configured
to operate as a router. It will be receiving packets destined to a
machine other than itself.
>
> What tcpdump command did you run?
> - sudo tcpdump -i eth0
>
> What is the networks that are involved?
> Setup:
>
>> Client (192.168.1.8)    ---> | Router       |
>>                              | gateway/dhcp | ---> Internet
>> Squid box (192.168.1.2) ---> | 192.168.1.1  |
>
>
> Here Client (debian), squid (debian) and router are three separate devices.
>
So the Squid machine;
requires this bit you did:
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
PLUS the system TCP stack controls to turn it from an origin-server host
to a routing host. Otherwise the machine will silently drop packets not
destined to itself.
The router machine requires this:
<http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#When_Squid_is_Internal_amongst_clients>
The router machine probably also needs the "Routing Setup":
<http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#Routing_Setup>
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
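
The requirements described above for the Squid machine can be checked with a short script. This is an added example, not part of the original thread or of the Squid wiki; the function names, the `PROC_ROOT` override, the saved `iptables-save` file and the sample port 3129 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Linux host that should receive policy-routed traffic for Squid.
# PROC_ROOT and the rules-file argument are assumptions so it can run on saved data.

# Print a sysctl value from $PROC_ROOT/sys (default /proc), or "missing".
read_sysctl() {
    path="${PROC_ROOT:-/proc}/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# audit_intercept RULES_FILE: RULES_FILE holds `iptables-save` output.
# Prints one line per finding; exit status is the number of findings.
audit_intercept() {
    rules="$1"
    findings=0
    # Without forwarding the kernel silently drops packets not addressed to itself.
    if [ "$(read_sysctl net.ipv4.ip_forward)" != "1" ]; then
        echo "FAIL net.ipv4.ip_forward != 1: packets for other hosts are dropped"
        findings=$((findings + 1))
    fi
    # Find the port that intercepted port-80 traffic is redirected to (nat table).
    port=$(awk '/^\*/ { table = $1 }
        table == "*nat" && /^-A PREROUTING/ && /--dport 80 / && /-j REDIRECT/ {
            for (i = 1; i < NF; i++) if ($i ~ /^--to-ports?$/) print $(i + 1)
        }' "$rules" | head -n 1)
    if [ -z "$port" ]; then
        echo "FAIL no nat PREROUTING REDIRECT rule for tcp/80"
        findings=$((findings + 1))
    # The intercept port should only be reachable through the REDIRECT rule.
    elif ! awk -v p="$port" '/^\*/ { table = $1 }
        table == "*mangle" && /^-A PREROUTING/ && /-j DROP/ &&
            index($0, "--dport " p " ") { ok = 1 }
        END { exit !ok }' "$rules"; then
        echo "WARN intercept port $port accepts direct connections (no mangle DROP)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: forwarding off, REDIRECT present, no mangle DROP rule.
demo=$(mktemp -d)
mkdir -p "$demo/sys/net/ipv4"
echo 0 > "$demo/sys/net/ipv4/ip_forward"
printf '%s\n' '*nat' \
    '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129' \
    'COMMIT' > "$demo/rules"
PROC_ROOT="$demo"
audit_intercept "$demo/rules" || echo "findings: $?"
unset PROC_ROOT; rm -rf "$demo"
```

On a live host, run `iptables-save > rules.txt` as root and call `audit_intercept rules.txt` with `PROC_ROOT` unset.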