[Shorewall-users] Trouble w/ transparent proxy in DMZ (fwmark, tc)
teastep at shorewall.net
Mon Feb 28 10:52:24 PST 2005
Tom Eastep wrote:
> zerbat at gmx.net wrote:
>>I did some tests running netcat in listen mode on the DMZ machine (netcat -l
>>-p 80) and tried to connect to some external webserver from a local net
>>machine (netcat 184.108.40.206 80). I had expected that I could see my typing
>>on the DMZ machine, but netcat tells me that no packets could be received or
>>sent. The same setup works fine when I just open the firewall for loc->DMZ
>>connections on port 80 (no fw marking, ip routes or tc rules).
>>The problem occurs no matter if I redirect port 80 to 3128 on the DMZ
>>machine (and then listen there) or not.
> It will NEVER work without the REDIRECT rule on 192.168.200.10 because
> the packets aren't addressed to that system!!!
And now that I think about it some more, it will NEVER work because the
client is expecting a reply from the original destination (which Squid
determines using a special getsockopt() call).
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
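The "special getsockopt() call" mentioned above is, on Linux, the SO_ORIGINAL_DST option: after an iptables/Shorewall REDIRECT (or DNAT) has rewritten a connection's destination, the kernel's conntrack entry still remembers where the client was really headed, and a transparent proxy queries it on the accepted socket. A plain netcat listener never asks for it, so it has no way of knowing which origin server to contact or whose reply the client is waiting for. The following is an added example (not code from this thread, Shorewall or Squid) of a minimal listener on the DMZ host that recovers that original destination. It assumes Linux, a REDIRECT rule sending port 80 to port 3128 on the same host, and that SO_ORIGINAL_DST = 80 as defined in the kernel's netfilter headers (Python's socket module does not export it); the sample sockaddr bytes are constructed for the self-check.

```python
import socket
import struct

# SO_ORIGINAL_DST from <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode the 16-byte struct sockaddr_in returned by SO_ORIGINAL_DST into (ip, port).

    Layout: sin_family (u16, host byte order), sin_port (u16, network byte order),
    sin_addr (4 bytes), then 8 bytes of padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Construct a sockaddr_in byte string in the same layout (used for the offline self-check)."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) + socket.inet_aton(ip) + b"\x00" * 8


def original_destination(conn: socket.socket) -> tuple:
    """Ask the kernel where a REDIRECTed/DNATed TCP connection was originally addressed.

    This is the getsockopt() lookup a transparent proxy makes; it raises OSError
    when the connection was not NATed (no conntrack mapping to report).
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def serve(listen_port: int = 3128) -> None:
    """Accept redirected connections and log the original destination of each one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    dst_ip, dst_port = original_destination(conn)
                except OSError:
                    # Connection reached us directly (not via REDIRECT): fall back to the local address
                    dst_ip, dst_port = conn.getsockname()[:2]
                print(f"{peer[0]}:{peer[1]} -> originally {dst_ip}:{dst_port}")


# Constructed sample: what the kernel would hand back for a client that connected to 184.108.40.206:80
SAMPLE_SOCKADDR = build_sockaddr_in("184.108.40.206", 80)

if __name__ == "__main__":
    print("self-check:", parse_sockaddr_in(SAMPLE_SOCKADDR))
    serve()
```

Run it on the DMZ host in place of the netcat listener; each line it prints shows the client address and the origin server the client actually asked for, which is exactly the information a real proxy needs in order to fetch the page and answer on the origin's behalf. Because the reply travels back through the same conntrack mapping, the client sees it as coming from the original destination.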