- 08-23-2010 #1 Just Joined!
- Join Date: Aug 2010
- Posts: 2
transparent proxy with squid and iptables won't log IPs from lan
Hi there,
i just finished setting up a proxy machine that runs in a separate box from gw.
the addresses i use in the firewall are
squid box = 10.5.5.121
gw = 10.5.5.1
lan = 10.5.5.0/24
i have the following iptables rules
on squid box
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
on gw
Code:
iptables -t nat -A PREROUTING -i eth1 ! -s 10.5.5.121 -p tcp --dport 80 -j DNAT --to 10.5.5.121:3128
iptables -t nat -A POSTROUTING -o eth1 -s 10.5.5.0/24 -d 10.5.5.121 -j SNAT --to 10.5.5.1
iptables -A FORWARD -s 10.5.5.0/24 -d 10.5.5.121 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT
everything appears to function right, except for the fact that all the entries in the squid log appear as if they're coming from the gw IP 10.5.5.1, no matter which machine they were initiated from.
here's an example
Code:
1282549242.411 74219 10.5.5.1 TCP_MISS/200 285 GET some_http_address - DIRECT/208.43.202.34 text/html
my question is how can i modify the iptables rules so it will forward the real IPs the requests originated from.
thanks in advance.
- 08-23-2010 #2
you are rewriting in PREROUTING the destination transparently to the application, thus the server at 10.5.5.121.
it is something like alice asks bob a question. bob doesn't know, but he knows that john does. so he asks john and as soon as he gets the response from john, bob tells alice what the answer was. unfortunately bob did not tell john that it was alice who wanted to know, so john has no possibility to determine who originally asked the question and will keep believing it was john that asked.
- 08-23-2010 #3 Just Joined!
- Join Date: Aug 2010
- Posts: 2
thanks Kloschüssel for your answer, you made me understand the principle.
unfortunately i'm an iptables newbie so i would like you to correct my iptables rules.
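The usual way out of the "bob did not tell john it was alice" problem is to stop rewriting the source on gw at all: instead of the DNAT/SNAT pair, mark LAN port-80 traffic on gw and policy-route it to the squid box unchanged, and let the squid box's existing REDIRECT rule (and its conntrack) answer the client with the original server address. The script below is an added example, not code from the thread; it assumes gw's LAN interface is eth1 and the squid box's is eth0 (as in the posted rules), and the mark value, table number and the two sysctls are my choices. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: replace gw's DNAT+SNAT with policy routing so squid logs the
# real client IP. Assumed: addresses and interfaces as in the thread; the
# fwmark, table number and sysctls below are this example's choices.
set -eu

SQUID=10.5.5.121
GW_LAN_IF=eth1      # gw's LAN-facing interface (assumed)
SQUID_IF=eth0       # squid box's LAN-facing interface (assumed)
MARK=3              # fwmark that selects the route to squid (assumed)
TABLE=100           # routing table holding that route (assumed)

# Run a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# On gw: mark HTTP traffic from the LAN (excluding squid's own outbound
# fetches, which must still reach the internet) and route it to squid with
# source and destination untouched. No SNAT, so squid sees the client IP.
gw_rules() {
    run iptables -t mangle -A PREROUTING -i "$GW_LAN_IF" ! -s "$SQUID" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID" dev "$GW_LAN_IF" table "$TABLE"
    run iptables -A FORWARD -i "$GW_LAN_IF" -o "$GW_LAN_IF" ! -s "$SQUID" \
        -p tcp --dport 80 -j ACCEPT
    # Squid's replies go straight to the client, so gw never sees the reverse
    # half of these flows: tolerate mid-stream packets, and don't send ICMP
    # redirects that would point clients at the squid box directly.
    run sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
    run sysctl -w "net.ipv4.conf.$GW_LAN_IF.send_redirects=0"
}

# On the squid box: the thread's REDIRECT rule is all that is needed. The
# packet still carries the real client source and the original destination;
# conntrack un-REDIRECTs the reply so the client sees it from server:80.
squid_rules() {
    run iptables -t nat -A PREROUTING -i "$SQUID_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
}
```

After this, the access.log entry for the request above should carry the client's own 10.5.5.x address instead of 10.5.5.1.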