On Tue, 6 Dec 2011 21:05:27 +0700, Nguyen Hai Nam wrote:
> Hi Edmonds,
>
> That's really like my setup right now. But, as Amos said, the traffic
> just passes from eth0 to eth1 but doesn't come to Squid, because it's
> bridged. Actually, when watching the IP nat table, I still found some nat
> rules show up, but at the client side it still looks like direct access. And
> more strangely, if I use another Linux box from the LAN to check with
> curl -I http://something.com/ it returns header fields that have
> "Via: 1.1 (squid 3.2)". I have no idea why.
Hold up. This sounds like it actually *is* working. Possibly you just
have some rule that works for one client or subnet but not another.
From the client it *does* look like direct access. This is IMO why
people seem to confuse it with a transparent proxy. Only with intercept
does the server see the Squid IP as the source.
With a bridging box there are four components that have to be
configured properly:
- bridging rules (on Linux, ebtables) must DROP the packets off the
bridge logic as they go through the bridge machine (i.e. they enter the
machine and *do not* get bridged; they must stay local to that box).
- NAT rules, to pass the packets to Squid *after* they are 'dropped'
off of the bridge logic.
- routing rules, to properly route the squid outbound packets to the
network gateway (and back).
- firewall & security limits, to permit any LAN packets to be handled
by the bridge box locally. Also to permit the squid<->server traffic
in/out.
You will notice these are all the same requirements (and configuration)
as required for a routing box but with ebtables/bridging added on top.
Amos
>
> At this moment, I still don't find more documentation from IPfilter
> for deeper discovery.
>
> ~ Neddie
>
> On Tue, Dec 6, 2011 at 12:03 PM, Edmonds Namasenda
> <namasenda_at_gmail.com> wrote:
>> Hai,
>> Seems your network set-up is what might be ruining your connection
>> expectations or the "default gateway" needs a rule (possibly using a
>> firewall) to direct all HTTP traffic to the squid box rather than to
>> the internet.
>>
>> Otherwise, think of the set-up below (with the Squid box the same as
>> the Gateway)
>>
>> Internet Router >> Eth0 |- Squid box & Default Gateway -| Eth1 >> Switch >> LAN
>>
>> # Edz.
>>
>> On Mon, Dec 5, 2011 at 5:14 PM, Nguyen Hai Nam <nam.nh_at_nd24.net>
>> wrote:
>>>
>>> Hi Amos,
>>>
>>> You're right, switch is not really true.
>>>
>>> But I still can't find the way on a Solaris-like system, like
>>> /proc/sys/net/bridge
>>>
>>>
>>> On Mon, Dec 5, 2011 at 7:25 PM, Amos Jeffries
>>> <squid3_at_treenet.co.nz> wrote:
>>> >
>>> > "Like a switch"? Or did you really mean "like a bridge"?
>>> >
>>> > * switch ... no solution. Switches do not perform the NAT operations
>>> > required for interception. They also don't run software like Squid, so I
>>> > think this is a bad choice of word in your description.
>>> >
>>> > * bridge ... requires dropping packets out of the bridge into the routing
>>> > functionality. See the bridge section at
>>> > http://wiki.squid-cache.org/Features/Tproxy4#ebtables_on_a_Bridging_device
>>> >
>>> > Amos
Received on Tue Dec 06 2011 - 21:53:00 MST
This archive was generated by hypermail 2.2.0 : Wed Dec 07 2011 - 12:00:02 MST
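The four components Amos lists for a bridging box (ebtables brouting, NAT into Squid, routing for Squid's outbound traffic, and firewall permits) as one script. This is an added example, not code from the thread or from the Squid project; every interface name, address, subnet and port in it is an assumption (eth0/eth1 bridged as br0, Squid on 192.168.1.2 with `http_port 3129 intercept`, gateway 192.168.1.1), and it covers NAT/intercept mode rather than TPROXY. DRY_RUN=1 prints the commands instead of running them, which is also what the sanity check at the bottom relies on.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. It encodes the four
# pieces a Linux bridge needs to intercept HTTP into Squid in NAT/intercept mode.
# Every interface name, address and port below is an assumption; override them
# through the environment. DRY_RUN=1 prints the commands instead of executing.

WAN_IF="${WAN_IF:-eth0}"             # assumed: bridge port facing the gateway
LAN_IF="${LAN_IF:-eth1}"             # assumed: bridge port facing the clients
BR_IF="${BR_IF:-br0}"                # assumed: the bridge device itself
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed: client subnet
SQUID_IP="${SQUID_IP:-192.168.1.2}"  # assumed: address on br0 that Squid listens on
SQUID_PORT="${SQUID_PORT:-3129}"     # assumed: 'http_port 3129 intercept' in squid.conf
GATEWAY="${GATEWAY:-192.168.1.1}"    # assumed: upstream router address
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Bridging rules. A BROUTING "DROP" does not discard the frame; it pulls it
#    off the bridge so the local IP stack (and therefore the nat table) sees
#    it. Only client->port 80 traffic needs this in intercept mode, because the
#    server's replies are already addressed to the Squid box.
bridge_rules() {
    run ebtables -t broute -A BROUTING -i "$LAN_IF" -p IPv4 \
        --ip-protocol tcp --ip-destination-port 80 \
        -j redirect --redirect-target DROP
    # Let IPv4 frames on the bridge traverse the iptables chains at all.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# 2. NAT rules. Now that the packet is local, hand it to Squid's intercept port.
nat_rules() {
    run iptables -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
}

# 3. Routing. Squid's own outbound connections must reach the Internet via the
#    gateway. Brouted frames reach the IP stack on the port device rather than
#    on br0, so strict reverse-path filtering can drop them; relax it (assumption).
routing_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run ip route replace default via "$GATEWAY" dev "$BR_IF"
}

# 4. Firewall. Accept the redirected client connections locally and let the
#    Squid<->server traffic in and out.
firewall_rules() {
    run iptables -A INPUT -s "$LAN_NET" -d "$SQUID_IP" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A OUTPUT -o "$BR_IF" -p tcp --dport 80 -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    bridge_rules
    nat_rules
    routing_rules
    firewall_rules
}

# Only act when explicitly asked, so sourcing the file is harmless:
#   sh bridge-intercept.sh show    # print the rules
#   sh bridge-intercept.sh apply   # install them (needs root)
case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1; apply_all ;;
esac
```

The NAT rule sends traffic to Squid's own address with DNAT rather than REDIRECT so that it does not depend on which interface the kernel attributes the brouted frame to; the "Via: 1.1 (squid 3.2)" header the curl test above showed is what you expect to see from a client once the first two pieces are in place.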