Amos,
Clearly, as you said, iptables works not only for port forwarding but also for filtering. The security reason looks like the real reason that we need to use iptables for transparent caching.
This is what I want to be 100% clear about.
Thanks,
Shan
-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, March 20, 2012 6:49 PM
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Re: transparent caching
On 21.03.2012 06:36, Zhu, Shan wrote:
> Hi, Gareth and others,
>
> My situation is like part of you said, I am using the proxy server as
> a "gateway" and the clients are not aware of it.
>
> I am setting Squid to run on port 80, with only this
> configuration.
>
> ***
> http_port 80 transparent
> ***
>
> For this experiment, I have no rules in iptables, and it's turned off.
You sure about that? Somehow packets from the client are being NAT'd to arrive at Squid's IP address.
When they leave the client they say something like "destination 10.0.0.4:80" and for squid to pick them up they have to say something like "destination 127.0.0.1:80" (or any of the IP addresses assigned to the Squid box).
> It's basically working, at least for HTTP for now.
>
> Please also check this post:
> http://www.deckle.co.za/squid-users-guide/Transparent_Caching/Proxy
>
As opposed to the wiki maintained by the Squid authors:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
> From: GarethC
>
> If you set your Squid server to run on port 80, you could still run it
> as a transparent proxy, you would still need to do the port forwarding
> from your firewall to the Squid server.
>
such as:
iptables ... --dport 80 -j DNAT --to $SQUIDIP:80
Amos
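As an added illustration (not part of the thread), the following model applies the iptables rule set from the LinuxDnat wiki page linked above to a few constructed packets, showing that the same rules both forward client traffic to Squid and filter what may reach the intercept port. SQUID_IP, INTERCEPT_PORT and the client/origin addresses are assumptions; the thread itself intercepts on port 80, while the wiki uses a separate intercept port so that direct connections to it can be dropped.

```python
from dataclasses import dataclass, replace

SQUID_IP = "10.0.0.4"    # assumed address of the Squid box (constructed)
INTERCEPT_PORT = 3129    # assumed intercept port; the thread itself uses 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def mangle_prerouting(pkt):
    # iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
    # The mangle table runs before nat, so it sees the original destination
    # port: hosts connecting straight to the intercept port are dropped,
    # while traffic that will be DNAT'd from port 80 passes untouched.
    if pkt.dport == INTERCEPT_PORT:
        return "DROP"
    return "ACCEPT"


def nat_prerouting(pkt):
    # iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
    # Squid's own outbound requests must not be redirected back to Squid,
    # otherwise every fetch loops into the proxy again.
    if pkt.src == SQUID_IP and pkt.dport == 80:
        return "ACCEPT", pkt
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to $SQUIDIP:3129
    # This is the rewrite Amos describes: the client still addresses the
    # origin server, but the packet is delivered to the Squid box.
    if pkt.dport == 80:
        return "DNAT", replace(pkt, dst=SQUID_IP, dport=INTERCEPT_PORT)
    return "ACCEPT", pkt


def route(pkt):
    """Apply the PREROUTING chains in kernel order (mangle, then nat)."""
    if mangle_prerouting(pkt) == "DROP":
        return "DROP", None
    return nat_prerouting(pkt)


if __name__ == "__main__":
    for p in [Packet("192.168.1.10", "93.184.216.34", 80),   # client HTTP
              Packet("10.0.0.4", "93.184.216.34", 80),       # Squid fetch
              Packet("192.168.1.10", "10.0.0.4", 3129),      # direct to port
              Packet("192.168.1.10", "93.184.216.34", 443)]: # not intercepted
        print(p, "->", route(p))
```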
Received on Tue Mar 20 2012 - 23:05:28 MDT