On 18/07/2014 7:51 p.m., Nicolás wrote:
> Hi Amos,
>
> El 18/07/2014 5:21, Amos Jeffries escribió:
>> On 18/07/2014 7:25 a.m., Nicolás wrote:
>>> Ok, I'll try to explain the scenario again and more detailed (I remark
>>> that I'm using this guide which states that it should work for public IP
>>> addresses:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource):
>>>
>>> Client side: Has public IP address A.B.C.D
>>> Server side: Has public IP address E.F.G.H
>>>
>>> On the client side, I added the following iptables rule:
>>>
>>> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT
>>> --to-destination
>>> E.F.G.H:3128
>> Okay. The situation seems clear now. This rule is capturing both the
>> client UA output traffic and Squid output traffic.
>>
>> You need the rule omitting Squid from being catured. The config example
>> should have mentioned it, I have added that now.
>>
>> iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport
>> 80 -j ACCEPT
>>
>> Note the one you tried earlier and failed was in PREROUTING, not OUTPUT.
>> This should be the correct one.
>>
>
> Unfortunately, this one neither seems to make a difference. On the squid
> box, the squid daemon is run by user proxy so I got the UID and replaced
> it in the rule you provided:
>
> # id proxy
> uid=13(proxy) gid=13(proxy) groups=13(proxy)
>
> So on the client box:
>
> iptables -t nat -A OUTPUT --match owner --uid-owner 13 -p tcp
> --dport 80 -j ACCEPT
>
> Then I appended the DNAT rule.
>
> However, I should have (re)mentioned it: Additionally to have different
> public IP addresses, both the client box and the squid box are on
> different networks (basically the squid box is located in a different
> country than the client box). Should that make a difference?
Depends on how the packets get from one country to another. These are
the fundamental limits on packet handling:
1) There MUST NOT be any NAT manipulation of the packets destination IP
prior to their arrival on the Squid machine.
- However, source-IP:port manipulation as done by gateway machines
NATing outbound traffic from internal private source-IP to public ranges
is okay.
2) a network interface tunnel should not be producing OUTPUT chain
packets. Traffic arriving through that type of tunnel should be dealt
with as per packets arriving on a standard NIC.
- Traffic arriving via application layer gateway (another proxy, or
userland VPN client) *might* go through the OUTPUT chain and need
handling as if sourced internally.
3) if the packets contain HTTP in port-80 syntax the "intercept" or
"tproxy" option is mandatory which one depending on method of capture.
- If the packets were destined *to another proxy* Squid does not
require the "intercept" option to receive.
> Additionally, the UID 13 corresponds to the squid box, should that work
> even if on the client box UID 13 corresponds to a different user?
The purpose of the UID is to prevent Squid outbound traffic being
captured by the NAT in the OUTPUT chain. It is used on and applies only
to the machine running Squid. see rule #1 above. NAT must only be
performed on the machine running Squid.
>
> Also if you wish, I can run squid with the -N -d options and send you
> the output log, so you probably will rapidly know what else could be
> happening there.
"debug_options 11,2" in squid.conf is going to provide you with a good
trace to see what is happening. Better than access.log will in these
circumstances.
Amos
Received on Fri Jul 18 2014 - 08:32:48 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 18 2014 - 12:00:04 MDT