From: "Amos Jeffries" <squid3@treenet.co.nz>
>
> No not useless. The NAT should be symmetrically unmangling any mangled
> destination on incoming traffic. As far as NAT is concerned the client is
> the real requestor. You just need to be careful that the unmangling
> happens BEFORE the tproxy return redirection toward squid.
>
> The internal side of the NAT gateway can and should be treated identical
> to the non-NAT firewall you mentioned. Both need to operate independent of
> tproxy and on the external side of any tproxy operations.
>
But the fact is that as soon as I turn on the squid directive,
http_port 3128 tproxy transparent
I will get the private IP belonging to the original http web requestor
appearing in the internet line ----- EVEN THOUGH ----- I do have a POSTROUTING
rule in the nat table to SNAT. As a matter of fact,
iptables -t nat -nvL POSTROUTING
shows that the SNAT rule has been traversed (and the counter is incremented!).
The problem goes away and everything works perfectly when I remove
'tproxy' in the squid directive!
Received on Mon Oct 22 2007 - 22:38:32 MDT