RE: [squid-users] By passing squid for a subnet

From: Tony <tony@dont-contact.us>
Date: Fri, 28 Apr 2006 07:27:07 +0100

>> We have a Cisco that is terminating an L2TP tunnel which our users connect
>> on.
>> Each user that we want to send to our squid box has a per virtual
>> interface
>> policy map assigned via radius to forward port 80 traffic to our squid
>> server.
>> On the squid server we have the following rules to do this.
>>
>> ###############
>> /sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j
>> MASQUERADE
>> /sbin/iptables -A PREROUTING -t nat -p tcp -s 10.0.0.0/20 --dport 80 -j
>> DNAT
>> --to 192.168.0.4:3128
>> ###############
>>
>> This all works fine for all web browsing except for a second subnet that
>> is
>> also connected to the same Cisco router.

> Is this also within the 10.0.0.0/20? If not you'll need one more
> iptables rule to intercept that network as well..

The IP range 10.0.0.0/20 contains the IP addresses assigned to users who
connect over the L2TP tunnel. The web servers connected to the Cisco on
the second subnet are on 10.1.1.0/24.

>> Without the policy map assigned they can, and they also can if they set
>> their
>> web browser to proxy via the squid server on 192.168.0.4 on port 80, as
>> the
>> policy map would do.

> explicit proxy settings and policy routing with interception are very
> different beasts.

> the first is plain IP networking following all standards.

> the second is a hack, violating the fundamental end-to-end property of
> TCP/IP networking only to work around application shortcomings. (the
> inability to tell the browser to use the proxy proper)

>> So this tells me it's not the squid server in any way.

> Well, it for sure isn't Squid being the problem, but it may still be the
> server Squid runs on. See above.

True, it could well be the server squid is running on.
For some reason it just won't send the web request out of eth1 but instead
tries to reach the 10.1.1.0/24 network via the Cisco router.
The eth1 interface has 10.1.1.200 assigned to it and a traceroute to the
10.1.1.0/24 network shows 1 hop out of eth1, but web requests from squid
don't seem to be going that way.
Is there a way of forcing squid to send all web requests for 10.1.1.0/24 out
through eth1?

Tony
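The two mechanisms discussed in this thread are easy to confuse, so here is an added illustration (not code from the list or from Squid) that models them with the addresses from the post: the PREROUTING DNAT rule only touches forwarded client packets, while Squid's own outbound connection to the origin server is a locally generated packet whose egress interface is decided purely by a longest-prefix route lookup. The routing table for the Squid host is constructed (an assumption), and the last call shows how a more specific route toward the Cisco would override the connected eth1 route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

CLIENTS = ipaddress.ip_network("10.0.0.0/20")      # L2TP users, from the post
SQUID = ("192.168.0.4", 3128)                      # DNAT target, from the post
WEB_SERVERS = ipaddress.ip_network("10.1.1.0/24")  # second subnet, from the post

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # next hop; None means directly connected

# Constructed routing table for the Squid host (an assumption, not from the post).
SQUID_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "192.168.0.1"),
    Route(ipaddress.ip_network("192.168.0.0/24"), "eth0"),
    Route(WEB_SERVERS, "eth1"),  # eth1 holds 10.1.1.200
]

def prerouting_dnat(src, dst, dport, proto="tcp"):
    """Apply the post's PREROUTING rule; return the (dst, dport) actually delivered."""
    if proto == "tcp" and ipaddress.ip_address(src) in CLIENTS and dport == 80:
        return SQUID
    return (dst, dport)

def route_lookup(dst, routes):
    """Longest-prefix match as the kernel does it; returns (dev, via) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return (best.dev, best.via) if best else None

def trace_request(client, server, routes=SQUID_ROUTES):
    """Follow one client GET: interception on the way in, then Squid's own egress."""
    to_squid = prerouting_dnat(client, server, 80)
    # Squid's connection is locally generated: PREROUTING never sees it,
    # only the routing table decides which interface it leaves on.
    egress = route_lookup(server, routes)
    return {"intercepted": to_squid == SQUID, "squid_egress": egress}

if __name__ == "__main__":
    print(trace_request("10.0.3.7", "10.1.1.5"))
    # A more specific route toward the Cisco wins over the connected /24:
    diverted = SQUID_ROUTES + [Route(ipaddress.ip_network("10.1.1.0/25"), "eth0", "192.168.0.1")]
    print(trace_request("10.0.3.7", "10.1.1.5", diverted))
```

Comparing `ip route get <server address>` on the Squid host against the route the model predicts is the quickest way to see whether the kernel, rather than Squid, is choosing the Cisco path.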

Received on Fri Apr 28 2006 - 00:27:21 MDT
