Re: Squid/Cisco trans proxy

From: Marc Lucke <hohum@dont-contact.us>
Date: Wed, 26 Jan 2000 13:01:24 +1100

Here is my ipchains input list - can you see anything wrong?

Chain input (policy ACCEPT):
target   prot opt    source              destination           ports
accin    all  ------ <our network>/25    anywhere              n/a
ACCEPT   tcp  ------ anywhere            <our network>/24      any -> any
ACCEPT   tcp  ------ anywhere            <another network>/24  any -> any
REDIRECT tcp  ------ anywhere            anywhere              any -> www => webcache

To me this should work fine.

Also, do you have any theories why it works for all single computers & it
fails for routers? Is it that the routers listen to the redirects?

At this point any theory you have now or later is very appreciated.

Marc

> From: Henrik Nordstrom <hno@hem.passagen.se>
> Date: Wed, 26 Jan 2000 01:27:33 +0100
> To: hohum@sydney.cc
> Cc: "info@talent.com.au" <info@talent.com.au>, "squid-users@ircache.net"
> <squid-users@ircache.net>
> Subject: Re: Squid/Cisco trans proxy
>
> hohum@sydney.cc wrote:
>>
>> Thanks Henrik,
>>
>> Did you see my later message? I have completed a tcpdump & found out
>> that what is happening is that the router is sending an ICMP redirect
>> to the client to go to our proxy & the proxy is sending an ICMP
>> redirect to the client to go to our router - it gets caught in a loop
>> & goes nowhere.
>
> Sounds like your redirection rule on the Linux box is the error. It
> should only generate an ICMP redirect if it forwards the packet, and the
> packet should only be forwarded if it is not redirected to the local TCP
> port.
>
> Hmm.. have you enabled always defragment? It is a requirement when doing
> TCP redirection.. (I think this may actually be enforced by the
> makefiles or kernel, but I am not sure).
>
> /Henrik
Received on Tue Jan 25 2000 - 19:00:36 MST
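Added example, not code from either poster: a first-match simulator for an ipchains-style input chain, used to check the point made in Henrik's reply. A packet that hits REDIRECT is delivered to the local Squid port and is never forwarded; a packet that hits an earlier, broader ACCEPT is forwarded instead, and a forwarding box may then emit an ICMP redirect to the client. The subnet, the addresses and the Squid port are assumed values, not the poster's real configuration; the "weak" and "fixed" chains are constructed to show the ordering problem, not the poster's actual rules.

```python
"""Added example, not from the original thread: a first-match simulator for an
ipchains-style input chain, used to check the point made in the reply above.  A packet
that hits REDIRECT is delivered to the local Squid port and is never forwarded; a
packet that hits an earlier ACCEPT is forwarded instead, and a forwarding box may then
emit an ICMP redirect to the client.  Subnet, addresses and the Squid port are assumed
values, not the poster's real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                  # ACCEPT, REDIRECT, DENY, or a user chain name
    proto: str = "all"           # "tcp", "udp", "icmp" or "all"
    src: str = "0.0.0.0/0"       # source network (CIDR)
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    dport: Optional[int] = None  # None matches any destination port
    arg: str = ""                # local port a REDIRECT delivers to


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on protocol, source net, destination net and destination port,
    the fields the ipchains listing in the message above shows."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def classify(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as ipchains walks a chain; fall back to the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


LAN = "192.168.1.0/24"   # assumed client subnet behind the Linux box
SQUID_PORT = "3128"      # assumed Squid listening port

# Constructed "weak" ordering: a broad ACCEPT for LAN traffic precedes the REDIRECT, so
# LAN -> Internet web packets are accepted (forwarded), never redirected.
weak_chain = [
    Rule("ACCEPT", "tcp", src=LAN),
    Rule("REDIRECT", "tcp", dport=80, arg=SQUID_PORT),
]

# Constructed corrected ordering: keep LAN-internal web traffic direct, redirect the rest
# of the LAN's port-80 traffic to Squid, then accept everything else from the LAN.
fixed_chain = [
    Rule("ACCEPT", "tcp", src=LAN, dst=LAN),
    Rule("REDIRECT", "tcp", src=LAN, dport=80, arg=SQUID_PORT),
    Rule("ACCEPT", "tcp", src=LAN),
]


def redirects_outbound_web(chain: List[Rule], lan: str = LAN) -> bool:
    """True when a LAN client's packet to an outside web server reaches REDIRECT."""
    client = str(ipaddress.ip_network(lan)[10])           # e.g. 192.168.1.10
    probe = Packet("tcp", client, "203.0.113.5", 80)      # TEST-NET-3 stands in for the Internet
    return classify(chain, probe) == "REDIRECT"


if __name__ == "__main__":
    samples = {
        "LAN client -> outside web server": Packet("tcp", "192.168.1.10", "203.0.113.5", 80),
        "LAN client -> LAN web server":     Packet("tcp", "192.168.1.10", "192.168.1.20", 80),
        "LAN client -> outside ssh":        Packet("tcp", "192.168.1.10", "203.0.113.5", 22),
    }
    for name, chain in (("weak", weak_chain), ("fixed", fixed_chain)):
        print(f"{name} chain: outbound web redirected = {redirects_outbound_web(chain)}")
        for label, pkt in samples.items():
            print(f"  {label}: {classify(chain, pkt)}")
```

The simulator deliberately ignores interfaces, ICMP types and user-defined chains, so a jump like the `accin` rule in the listing above has to be expanded into its member rules by hand before a chain can be fed to it. The always-defragment setting Henrik mentions is separate from rule order: on 2.2 kernels it is the /proc/sys/net/ipv4/ip_always_defrag sysctl, and REDIRECT of TCP needs it on so that fragments are reassembled before the chain is walked.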

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:50:42 MST