[tproxy] NAT to TPROXY conversion rules
KOVACS Krisztian
hidden at balabit.hu
Mon Jan 15 12:17:29 CET 2007
Hi,
On Saturday 06 January 2007 15:44, zulkarnain wrote:
> I'm running tproxy with the squid server in different
> box, my topology look like this:
>
> [Client]-------[Squid]---[tproxy/FW]----[Web server]
> 192.168.1.3    192.168.1.2 192.168.1.1  192.168.2.2
>                            192.168.2.1
>
> [squid]
> - tproxy patched kernel and iptables-1.3.6
>
> [tproxy/FW]:
> iptables -t tproxy -A PREROUTING -i eth0 -s ! 192.168.1.2 -m tcp -p tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.1.2
It looks like you're somewhat confused where the tproxy patches should
go. If Squid and the firewall are on different machines, you don't have
to use tproxy on the firewall itself but on the Squid machine. In that
case something like the rule above should be working.
> with the config above, my squid not running well. I
> read on "Transparent Proxy with Linux and Squid
> mini-HOWTO" there are some rules I've to configure
> which is;
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
I guess these rules are not for the setup you've described. It seems to
me that they would be appropriate if you used something like this:
             192.168.3.2
               [Squid]
                  +
[Client]-----[FW]------------[Web server]
192.168.1.3  192.168.1.1     192.168.2.2
             192.168.2.1
             192.168.3.1
--
Regards,
Krisztian Kovacs
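As an added example (not part of the thread or of the mini-HOWTO), the three NAT rules zulkarnain quoted, instantiated on the firewall for the three-legged layout Krisztian sketches: clients on 192.168.1.0/24, Squid alone on 192.168.3.2 behind the firewall's 192.168.3.1 leg. The addresses come from his diagram; the interface names (eth0 for the client LAN, eth2 for the Squid leg), the Squid port 3128 and the dry-run wrapper are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not code from the thread. Instantiates the HOWTO's
# DNAT/SNAT/FORWARD rules for a three-legged firewall with Squid on its own leg.
# Addresses follow the suggested topology; interface names and port are assumed.
LOCAL_NET="192.168.1.0/24"   # client LAN (assumed /24 around 192.168.1.3)
LAN_IF="eth0"                # firewall interface towards the clients (assumed)
SQUID_IF="eth2"              # firewall interface towards Squid (assumed)
SQUID_BOX="192.168.3.2"      # Squid's address from the diagram
FW_SQUID_LEG="192.168.3.1"   # firewall's address on the Squid leg
SQUID_PORT="3128"            # Squid's listening port (assumed)

# RUN=echo (default) prints the rules as a dry run; RUN="" applies them,
# which needs root and a kernel with the nat table.
RUN="${RUN:-echo}"

fw_squid_rules() {
    # Port-80 traffic arriving from the client LAN is sent to Squid. The
    # "! -s" exclusion is the modern spelling of the HOWTO's "-s !"; it is
    # harmless here because Squid is not on the client leg at all.
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_BOX" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID_BOX:$SQUID_PORT"
    # Carried over from the HOWTO with the interface adjusted: the redirected
    # connections reach Squid with the firewall's leg address as source, so
    # Squid's replies are addressed back to the firewall.
    $RUN iptables -t nat -A POSTROUTING -o "$SQUID_IF" -s "$LOCAL_NET" \
        -d "$SQUID_BOX" -j SNAT --to-source "$FW_SQUID_LEG"
    # Let the redirected flow cross from the client leg to the Squid leg.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$SQUID_IF" -s "$LOCAL_NET" \
        -d "$SQUID_BOX" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

fw_squid_rules
```

Run it as-is to see the three rules it would install; run it with `RUN=""` as root on the firewall to apply them. The point of the exercise is that on this layout no tproxy rule is needed on the firewall at all: plain DNAT steers the clients to Squid, and any TPROXY rule belongs on the Squid box itself.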