Re(2): [Shorewall-users] Squid redirect

Tom Eastep teastep@shorewall.net
Tue, 16 Jul 2002 10:11:42 -0700 (PDT)


On 16 Jul 2002, SHOREWALL TimeLord wrote:

> Tom Eastep  (16.7.2002  18:48):
> >On Tue, 16 Jul 2002, Tom Eastep wrote:
> >
> >> On Tue, 16 Jul 2002, Richard Cochius wrote:
> >>
> >> > Hello,
> >> >
> >> > i got a little problem with redirection.
> >> >
> >> > The situation is:
> >> >
> >> > I want to redirect queries to ports 80, 443, 21 and 20 to a proxy server.
> >> > The users and the proxy are in the same network. The proxy doesn't run on
> >> > the firewall.
> >> > The proxy has address 192.89.12.231 and is listening on port 8080. The
> >> > firewall has on the local side 192.89.12.234.
> >> > So how can I redirect all queries to the proxy server except queries from
> >> > the proxy server.
> >> >
> >>
> >> DNAT       loc:!192.89.12.231   loc:192.89.12.231    tcp    80
> >> DNAT       loc:!192.89.12.231   loc:192.89.12.231    tcp    443
> >> ...
> >>
> >
> >That having been said, I seriously doubt that this will work the way you
> >expect.
> 
> I'm sure it will not work. They are in the same subnet...
> 

That redirection will work provided that "multi" is specified on the local 
interface (this is sort of a variation on FAQ #2). The problem is that I 
believe Squid relies on a special getsockopt() function that returns the 
original destination IP address. That address is only available on a local 
REDIRECT.

It's been a while since I read the LARTC HOWTO but I believe that the 
firewall needs to use policy routing and the system where SQUID is running 
needs to REDIRECT the ports.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
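To make the getsockopt() point above concrete, here is an added example (not code from the thread, from Shorewall or from Squid). On Linux the call in question is getsockopt(SOL_IP, SO_ORIGINAL_DST), which asks conntrack for the destination a connection had before the nat table rewrote it; the option number 80 and the struct sockaddr_in layout come from the kernel headers. The listener at the bottom, the port 8080 and the sample addresses are assumptions for illustration, and build_sockaddr_in() only fabricates the buffer the kernel would return so the decoder can be exercised without a REDIRECT rule in place.

```python
import socket
import struct
from typing import Tuple

# Option number of SO_ORIGINAL_DST on level SOL_IP (linux/netfilter_ipv4.h).
# Python's socket module does not export it, so it is defined here.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(buf: bytes) -> Tuple[str, int]:
    """Decode the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns.

    Layout: sa_family (u16, host byte order), sin_port (u16, network order),
    sin_addr (u32, network order), then 8 bytes of zero padding.
    """
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(buf))
    (family,) = struct.unpack_from("=H", buf, 0)
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack_from("!H", buf, 2)
    return socket.inet_ntoa(buf[4:8]), port


def build_sockaddr_in(addr: str, port: int) -> bytes:
    """Constructed test input: the buffer the kernel would fill in for addr:port."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(addr)
            + b"\x00" * 8)


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Recover the pre-NAT destination of an accepted TCP connection.

    This only works on the host whose nat table performed the REDIRECT,
    because that is where the conntrack entry holding the original tuple
    lives. If the firewall instead DNATs to a proxy on another box (the
    192.89.12.231 case in the thread), the proxy host has no such entry:
    the call either fails with ENOENT (no conntrack there) or reports the
    proxy's own address, so the proxy cannot tell which origin server the
    client actually asked for.
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


if __name__ == "__main__":
    # Minimal interception listener (assumed setup): run it on the box that has
    #   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    # and it prints the real destination of each intercepted connection.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", 8080))
    listener.listen(16)
    while True:
        conn, peer = listener.accept()
        with conn:
            try:
                print("client %s:%d wanted %s:%d" % (peer + original_destination(conn)))
            except OSError as exc:
                print("client %s:%d: no original destination (%s)" % (peer + (exc,)))
```

This is why the two halves have to sit on different machines in the thread's setup: the firewall can only steer the packets (policy routing, as the LARTC HOWTO describes), and the conntrack lookup that recovers the original destination has to happen on the host that runs the proxy and does the REDIRECT itself.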