Forgive me Tom, I'm a little confused. Are you talking about using marking
or "Original Dest" stuff? I don't know that I could use "Original Dest"
because the IP address could change and that would mean restarting
shorewall. I guess it could be put in /etc/ppp/ip-up.local to restart
shorewall every time the ppp connection is restarted (doesn't happen very
often, but still have to handle it).
Here is my rule right now.
## For transparent proxy
REDIRECT loc 8080 tcp www
I forgot one bit of information, but I don't know that it makes a
difference. I'm running Dan's Guardian on 8080 and it then forwards on the
firewall box to squid (also running on firewall). I don't think this really
has any bearing though as the desired effect is to have requests to the
firewall from itself on port 80 need to be redirected back into the LAN.
I've had problems in the past where a DNAT command on the firewall to a host
in the same zone as the client doesn't work.
Here is some more detail.

      ppp0           eth0          [ Client in LAN
  ISP ---- Firewall ---- switch ---|
           (squid)                 [ Server in LAN

ppp0 is actually a PPTP connection to the ISP and assigned a public routable
IP. eth1 is a wireless card with an RFC1918 IP address.
-- Client makes request for public IP address using Web Browser.
-- Data goes to firewall and is transparent proxied to Dan's Guardian.
-- Dan's Guardian passes the request on to squid also running on firewall.
-- Squid makes request on behalf of client to public IP address (request
   sourced from localhost).
-- Firewall isn't running web server so squid returns "connection refused"
   error.

I need to bypass squid or forward the request from localhost to a machine on
the LAN, back to the firewall and then eventually returning the data to the
client. It's like one big hairpin turn.
Thanks,
Charlie
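As an added illustration of the rule Charlie posted (this is not code from the thread or from Shorewall itself), a small checker for the classic rules-file layout that flags a REDIRECT on port 80 that would also intercept LAN requests for the firewall's own public address. The negated ORIGINAL DEST form ("!addr") and the address 203.0.113.5 are assumptions used only for the sample.

```python
"""Added example (not Shorewall's own code): lint a classic Shorewall
rules file for REDIRECT rules that would also intercept LAN requests
aimed at the firewall's own public address (the squid hairpin case).
Assumes the seven-column layout ACTION SOURCE DEST PROTO DEST-PORT
SOURCE-PORT ORIGINAL-DEST and that a leading '!' in ORIGINAL DEST
means "every address except these"."""
import ipaddress

COLS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Constructed sample: the rule from the mail, then a variant that spares the
# firewall's public address (203.0.113.5 is a documentation-range placeholder).
SAMPLE_RULES = """
## For transparent proxy
REDIRECT loc 8080 tcp www
REDIRECT loc 8080 tcp www - !203.0.113.5
"""

def parse_rules(text):
    """Return one dict per rule; missing trailing columns become '-'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        fields += ["-"] * (len(COLS) - len(fields))
        rules.append(dict(zip(COLS, fields)))
    return rules

def excludes_address(origdest, addr):
    """True if ORIGINAL DEST is a negated list that covers addr."""
    if not origdest.startswith("!"):
        return False
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(n, strict=False) for n in origdest[1:].split(","))
    return any(ip in n for n in nets)

def hairpin_findings(text, public_ip, web_ports=("www", "80")):
    """Rules that redirect LAN web traffic without sparing public_ip."""
    return [
        f"{r['action']} {r['source']} {r['dest']} port {r['dport']}: "
        f"also catches requests for {public_ip}; add '!{public_ip}' in ORIGINAL DEST"
        for r in parse_rules(text)
        if r["action"] == "REDIRECT" and r["dport"] in web_ports
        and not excludes_address(r["origdest"], public_ip)
    ]

if __name__ == "__main__":
    for finding in hairpin_findings(SAMPLE_RULES, "203.0.113.5"):
        print(finding)
```

Run it against your own rules file with the firewall's current public address to see which REDIRECT lines still need an exclusion.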
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, March 26, 2003 7:44 PM
To: Charles J. Boening
Cc: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Squid Problem
On Wed, 26 Mar 2003, Charles J. Boening wrote:
> Depending on the answer, this may be slightly OT.
>
> I have shorewall and squid running successfully with transparent proxy
> both on the same gateway server.
>
> I have a web server behind shorewall and have successfully forwarded
> port 80 from the public network back to my privately addressed LAN.
>
> DNS for my web server points to a CNAME at dyndns.org that's updated
> whenever my public IP changes.
>
> Here's my problem. When a client machine requests a web page from our
> web server, it resolves the public IP address, makes the request,
> squid picks it up via transparent proxy and then tries to access the
> site. Problem is, squid is trying the public IP address and there
> isn't a web server running on the gateway machine.
>
> Can I redirect the request from squid, running on the firewall, using
> shorewall?
>
If you follow the instructions at
http://www.shorewall.net/Shorewall_Squid_Usage.html, then Squid shouldn't
intercept the incoming requests in the first place.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net