[squid-users] Intercept mode failing
Hoggins!
fuckspam at wheres5.com
Tue Jan 3 10:53:45 UTC 2017
Hello,
(answering to both Amos and Antony here, you got the same questioning ;) )
Le 03/01/2017 à 11:45, Amos Jeffries a écrit :
> On 2017-01-03 23:13, Hoggins! wrote:
>> Okay, I get that.
>>
>> Le 03/01/2017 à 10:33, Antony Stone a écrit :
>>> No - you must do the NAT (or REDIRECT) rule *on the Squid server*.
>>
>> Well, my Squid server is not on the same network as my clients, so I
>> need something else than just a REDIRECT on the Squid itself.
>
> That does not matter when the DNAT or REDIRECT is done on the Squid
> machine.
OK, I'll have a deeper look into that, indeed I'm not familiar with what
REDIRECT *exactly* does.
>
>>
>>>
>>> If you need to use policy routing to get the packets to the Squid
>>> machine in
>>> the first place, that's okay, but this *must* be packet routing, not
>>> address
>>> translation
>>
>> Policy routing was my first choice, but there is one important detail in
>> my setup : between my gateway (192.168.22.10) and my Squid
>> (192.168.55.3), there's an IPSec tunnel. My gateway does not have a
>> link-local route to 192.168.55.3 so I can't add the default route to it
>> inside a routing table (I get "Network is unreachable", which is
>> expected).
>>
>> So I guess I'm stuck.
>
>
> So how did the packets get to the Squid machine after your DNAT ?
>
> The route does not have to be link-local. Any type of route will do so
> long as all the routers handling the packets know which way to pass
> them, and the dst-IP address is not changed.
Well, xfrm routing is a lot different than "classic" routing, I learnt
it the hard way. DNAT *will* work whereas policy routing won't if I
don't explicitly declare all my subnets in my IPSec tunnel
configuration. Got a big discussion about that on StrongSwan's
mailing-list, and I believe this sums it up pretty nicely :
http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
Anyway, yes, if I try to add a route by :
ip route add default via <IP ADDRESS> table 123
<IP ADDRESS> *has* to be directly reachable. Or it has to be in the
routing table somehow. But the routing table handling the tunnelled
packets is not managed by iproute2.
So as I can't do otherwise, I'm going to experiment a bit more with the
REDIRECT + DNAT between the gateway and the Squid server.
Thanks for your help !
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170103/de86e190/attachment.sig>
More information about the squid-users
mailing list