Amos Jeffries-2 wrote:
>
> On Tue, 4 Aug 2009 17:01:45 -0700 (PDT), casket88
> <jamespeek_at_oldfields.com.au> wrote:
>> Hi,
>>
>> We have several interconnected branches on their own networks. I would
>> like to shut off web access directly from all branches except head office.
>>
>> We have an Untangle gateway configured as a transparent bridge at head
>> office that all traffic passes through. I would like to keep on using
>> this for content filtering and logging. However I want a Squid server to
>> be able to accept connections from our branches, use its caching and then
>> redirect it out through the Untangle gateway for logging. We will be
>> redirecting all web traffic on our Cisco routers at each branch to the
>> proxy server.
>>
>> I have Squid set up to allow connections from all our internal networks
>> and set up IPtables with the following command:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> This all works fine and I am able to surf through the proxy, which
>> appears to be caching correctly and forwarding it to our gateway which
>> performs the content filtering and logging. The only problem is that
>> through the NAT process the source IP address is replaced with that of
>> the Squid's and is logged accordingly.
>
> Yes. This is how NAT operates.
>
>>
>> How would I go about configuring Squid to accept connections, cache them
>> and
>> then forward the request on to the webserver via the gateway WITHOUT
>> replacing the source IP address?
>
> Get rid of NAT and use TPROXY for the capture instead.
>
>>
>> In summary: user requests connection to website on port 80, request
>> transparently redirected to Squid on Cisco router, Squid accepts it and
>> forwards it to webserver through gateway.
>
> NP: Your word 'transparently redirected' appears to mean 'routed' in that
> paragraph. Please use the word 'transparent' less
> /rant.
>
The usage of the word "transparent" is in reference to the users, it is
transparent to them. Transparent is a good word, I think I'll use it more.
Regardless, I will look into TPROXY.
Thanks.
Received on Wed Aug 05 2009 - 00:24:45 MDT
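
The swap suggested in the reply (drop the nat REDIRECT rule, capture with TPROXY), as an added example that is not part of the original thread. It assumes Squid is configured with `http_port 3129 tproxy`; the port, the fwmark 1, routing table 100 and the function names are illustrative choices, and the two rulesets used for the check are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: Squid listens with
# "http_port 3129 tproxy"; fwmark 1 and routing table 100 are arbitrary choices.
TPROXY_PORT=${TPROXY_PORT:-3129}; FWMARK=${FWMARK:-1}; RT_TABLE=${RT_TABLE:-100}

# Print the commands that swap the poster's nat REDIRECT rule for TPROXY.
tproxy_rules() {
    cat <<EOF
iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --tproxy-mark $FWMARK --on-port $TPROXY_PORT
ip rule add fwmark $FWMARK lookup $RT_TABLE
ip route add local 0.0.0.0/0 dev lo table $RT_TABLE
EOF
}

# Read iptables-save output on stdin. Succeed only if port 80 is captured by
# TPROXY in mangle and no nat rule (REDIRECT/DNAT) still rewrites it.
preserves_client_ip() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat"    && /--dport 80( |$)/ && /-j (REDIRECT|DNAT)/ { nat = 1 }
        table == "mangle" && /--dport 80( |$)/ && /-j TPROXY/          { tproxy = 1 }
        END { exit !(tproxy && !nat) }
    '
}

# Constructed iptables-save excerpts (not captured from a real host).
SAMPLE_NAT='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
SAMPLE_TPROXY='*mangle
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

case "${1:-}" in
    apply) tproxy_rules | sh -e ;;                # needs root
    check) iptables-save | preserves_client_ip ;; # audit the live ruleset
    *)     tproxy_rules ;;                        # default: dry run, print only
esac
```

Because Squid then sends requests with the client's address as source, replies from the web servers are addressed to the client, so the network must route that return traffic back through the Squid host or the connections will not complete.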