From: "Amos Jeffries" <squid3@treenet.co.nz>
Thanks for the quick response :-
>
> Most common failure like this requires 'you need to patch the kernel', but
> it sounds like that's been done.
>
Yup, this has been done.
> Next step is seeing what tcpdump shows about the two types of traffic.
> And possibly what type of router/balancer is doing the splitting?
>
This has been done too. Very clearly, tcpdump shows that for the
non-NAT-ed leg the identity of the original requests has been
spoofed, but the bad thing is that it also spoofed the NAT-ed leg
as well, despite there being a POSTROUTING rule to do SNAT in
the nat table. It seems to me that the 'tproxy' directive in squid makes
the iptables nat POSTROUTING SNAT useless!
>
> PS. Do you HAVE to use tproxy?
YES. It works if I don't use it together with nat.
> If the NATing isn't a problem you could use
> a plain intercepting/transparent proxy and have remote sources down both
> streams see the squid IP as the source of requests.
>
That would be undesirable for the non-NAT-ed leg, because that traffic
heads towards a firewall which screens/filters the outgoing traffic based
on the source IPs.
Received on Mon Oct 22 2007 - 20:03:21 MDT
This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT
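The check described in the message above (capturing each outgoing leg with tcpdump and comparing the source addresses squid puts on the wire against what each leg should carry) can be made repeatable. The following script is an added example, not code from the thread or from the Squid project: it parses `tcpdump -n` text output for one interface at a time, keeps only outbound SYN packets, and reports any packet whose source address does not match the policy for that leg. The tproxy leg should carry the original client addresses; the SNAT leg should carry only the SNAT address and never a client address. The interface names, the client network `192.0.2.0/24`, the SNAT address `203.0.113.1` and every capture line below are constructed for the example and are not from the original posts.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the start of a "tcpdump -n" line such as:
#   20:03:21.000001 IP 192.0.2.10.43210 > 198.51.100.5.80: Flags [S], seq ...
# Only the timestamp, source/destination address and port are extracted.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not an IPv4/TCP line."""
    m = TCPDUMP_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        # A pure SYN ("Flags [S],") marks a new outbound connection; SYN-ACKs
        # show up as "Flags [S.]," and are ignored.
        "syn": "Flags [S]," in line,
    }


def audit_leg(capture_lines, client_net, snat_ip, expect_client_source):
    """Audit the capture of one outgoing leg.

    expect_client_source=True  -> the tproxy leg: every new connection must
                                  carry an address from client_net.
    expect_client_source=False -> the SNAT leg: every new connection must
                                  carry snat_ip and never a client address.
    Returns {"ok": count, "violations": [offending lines]}.
    """
    net = ip_network(client_net)
    snat = ip_address(snat_ip)
    ok, violations = 0, []
    for line in capture_lines:
        pkt = parse_line(line)
        if pkt is None or not pkt["syn"]:
            continue  # unparsable line, or not a new outbound connection
        src = ip_address(pkt["src"])
        if ip_address(pkt["dst"]) in net:
            continue  # traffic heading back towards the clients is not our concern
        if expect_client_source:
            good = src in net
        else:
            good = src == snat and src not in net
        if good:
            ok += 1
        else:
            violations.append(line)
    return {"ok": ok, "violations": violations}


def audit_captures(captures, client_net, snat_ip):
    """captures: {interface: (lines, expect_client_source)} -> {interface: result}."""
    return {
        iface: audit_leg(lines, client_net, snat_ip, expect_client)
        for iface, (lines, expect_client) in captures.items()
    }


# Constructed sample captures (not real traffic). Addresses come from the
# RFC 5737 documentation ranges.
CLIENT_NET = "192.0.2.0/24"
SNAT_IP = "203.0.113.1"

# Leg towards the source-IP-filtering firewall: client addresses are expected.
TPROXY_LEG = [
    "20:03:21.000001 IP 192.0.2.10.43210 > 198.51.100.5.80: Flags [S], seq 1, win 5840, length 0",
    "20:03:21.000002 IP 198.51.100.5.80 > 192.0.2.10.43210: Flags [S.], seq 2, ack 2, win 5792, length 0",
    "20:03:21.000003 IP 192.0.2.11.43211 > 198.51.100.6.443: Flags [S], seq 3, win 5840, length 0",
    "this line is not a packet",
]

# Leg that should be SNAT-ed: the second SYN still carries a client address,
# which is the symptom reported in the thread.
NAT_LEG = [
    "20:03:22.000001 IP 203.0.113.1.43212 > 198.51.100.7.80: Flags [S], seq 4, win 5840, length 0",
    "20:03:22.000002 IP 192.0.2.10.43213 > 198.51.100.8.80: Flags [S], seq 5, win 5840, length 0",
]

if __name__ == "__main__":
    results = audit_captures(
        {"eth1": (TPROXY_LEG, True), "eth2": (NAT_LEG, False)}, CLIENT_NET, SNAT_IP
    )
    for iface, res in results.items():
        print(f"{iface}: {res['ok']} ok, {len(res['violations'])} violation(s)")
        for line in res["violations"]:
            print("   ", line)
```

The capture lines are the shape produced by a command such as `tcpdump -n -i eth2 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`, which restricts the capture to outbound SYNs so the audit only has to look at the first packet of each connection. A non-empty violation list on the SNAT leg is exactly the "it also spoofed the NAT-ed leg" observation from the message, turned into something that can be re-run after each rule change.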