[squid-users] By passing squid for a subnet

From: Tony <tony@dont-contact.us>
Date: Thu, 27 Apr 2006 20:20:45 +0100

We have a Cisco that is terminating an L2TP tunnel which our users connect
to.
Each user that we want to send to our squid box has a per-virtual-interface
policy map assigned via RADIUS to forward port 80 traffic to our squid
server.
On the squid server we have the following rules to do this.

###############
# Masquerade everything leaving on eth0 (toward the Cisco)
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# Redirect port 80 from the L2TP users (10.0.0.0/20) to squid on 192.168.0.4:3128
/sbin/iptables -A PREROUTING -t nat -p tcp -s 10.0.0.0/20 --dport 80 -j DNAT --to-destination 192.168.0.4:3128
###############

This all works fine for all web browsing except for a second subnet that is
also connected to the same Cisco router.
If a user has the policy map assigned, they can't browse this other subnet on
our Cisco.
Without the policy map assigned they can, and they also can if they set their
web browser to proxy via the squid server on 192.168.0.4 on port 80, as the
policy map would do.
So this tells me it's not the squid server in any way.

With the policy map assigned and running tcpdump on both the squid server
and a web server on the second subnet, it just shows the request trying to
be sent to the web server and it just seems to be bouncing back from the
Cisco, it never reaches the web server.
This shouldn't be so, since no interface that the second subnet is on has the
policy map assigned.
I've done a lot of hours of debugging on the Cisco and it just doesn't make
sense.
The web request doesn't even show up in the squid access log.

My first thought to get around this was to put the squid server's eth1 on the
second subnet; I thought that since the subnet was physically connected to
the squid server, it would just go out through eth1.
However, we still get the same results.

Here is a simple diagram of the setup:

lt2p-tunnel---switch---cisco---switch---second-subnet
                | |
                | |
                ----- squid ------

So I'm wondering if I can do something with iptables that will force all
port 80 traffic for the second subnet out through eth1 before it redirects
it to port 3128.
I already have a nat table rule masquerading out through eth0; I don't know
if I can then do the same for eth1.

I wondered if anyone had any ideas at all?

Thanks
Tony

Received on Thu Apr 27 2006 - 13:20:59 MDT

This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT
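The iptables half of Tony's question, as an added example that is not from the original post or from the Squid project: in the nat table's PREROUTING chain the first matching rule wins, so an ACCEPT exemption for traffic destined to the second subnet has to sit in front of the DNAT, and a second MASQUERADE on eth1 makes the second subnet's replies come back through the squid box. The tunnel range (10.0.0.0/20) and the squid address (192.168.0.4:3128) are from the post; the second subnet (192.168.10.0/24), the interface names (eth0 toward the Cisco, eth1 on the second subnet) and the APPLY/SECOND_NET/IPT variables are assumptions made for this example. Nothing touches the firewall unless APPLY=1; without it the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (chosen for
# illustration): L2TP users are 10.0.0.0/20, squid listens on 192.168.0.4:3128,
# the second subnet is 192.168.10.0/24 and is directly attached on eth1,
# and redirected traffic from the Cisco arrives on eth0.
set -eu

TUNNEL_NET="10.0.0.0/20"                        # from the post
SQUID="192.168.0.4:3128"                        # from the post
SECOND_NET="${SECOND_NET:-192.168.10.0/24}"     # assumed second subnet
IPT="${IPT:-/sbin/iptables}"

# Emit the nat rules in the order they must be appended. nat/PREROUTING is
# first-match-wins, so the ACCEPT for the second subnet precedes the DNAT;
# a packet that hits ACCEPT in PREROUTING is never DNATed and is simply
# forwarded (via eth1 here), then masqueraded on the way out.
nat_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i eth0 -p tcp -s $TUNNEL_NET -d $SECOND_NET --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp -s $TUNNEL_NET --dport 80 -j DNAT --to-destination $SQUID
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
EOF
}

# Sanity check before applying: the exemption must come before the DNAT,
# otherwise it can never match.
rule_order_ok() {
    accept_line=$(nat_rules | grep -n -- '-j ACCEPT' | cut -d: -f1 | head -n1)
    dnat_line=$(nat_rules | grep -n -- '-j DNAT' | cut -d: -f1 | head -n1)
    [ -n "$accept_line" ] && [ -n "$dnat_line" ] && [ "$accept_line" -lt "$dnat_line" ]
}

# Apply the rules (needs root). Forwarding must be on for the exempted
# packets to leave via eth1, and the filter FORWARD chain must allow
# eth0 -> eth1 (not shown; assumed to be ACCEPT).
apply_rules() {
    rule_order_ok || { echo "rule order wrong, refusing to apply" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
    # Per-rule packet counters: if the ACCEPT and DNAT counters stay at 0
    # while a user browses, the redirected packets are not reaching this
    # box at all (which is what the tcpdump in the post suggests).
    $IPT -t nat -L PREROUTING -n -v --line-numbers
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    nat_rules
fi
```

Run it once without APPLY to read the rules, then `APPLY=1 ./script.sh` on the squid box. If the second subnet is not directly attached on eth1, the ACCEPT line is still what prevents the redirect, but the packets then follow the normal routing table back out eth0 and the eth1 MASQUERADE is unused.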