#1
    Just Joined! (joined Aug 2010, 2 posts)

    transparent proxy with squid and iptables won't log IPs from LAN

    Hi there,

    I just finished setting up a proxy machine that runs in a separate box from the gw.
    The addresses I use in the firewall are:
    squid box = 10.5.5.121
    gw = 10.5.5.1
    lan = 10.5.5.0/24

    I have the following iptables rules.

    On the squid box:

    Code:
    # intercept port 80 arriving on the LAN interface and hand it to squid
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    On the gw:

    Code:
    # send LAN port-80 traffic (except the squid box's own) to the squid box ...
    iptables -t nat -A PREROUTING -i eth1 ! -s 10.5.5.121 -p tcp --dport 80 -j DNAT --to 10.5.5.121:3128
    # ... with the gw address as source, so the replies come back through the gw
    iptables -t nat -A POSTROUTING -o eth1 -s 10.5.5.0/24 -d 10.5.5.121 -j SNAT --to 10.5.5.1
    # let the hairpinned traffic (in and out on eth1) through the FORWARD chain
    iptables -A FORWARD -s 10.5.5.0/24 -d 10.5.5.121 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT

    Everything appears to function right, except for the fact that all the entries in the squid log appear as if they are coming from the gw IP 10.5.5.1, no matter which machine they were initiated from.


    Here's an example:

    Code:
    1282549242.411  74219 10.5.5.1 TCP_MISS/200 285 GET some_http_address - DIRECT/208.43.202.34 text/html
    My question is: how can I modify the iptables rules so that they forward the real IPs the requests originate from?

    thanks in advance.

#2
    Kloschüssel, Linux Engineer (Italy, joined Oct 2005, 773 posts)

    You are rewriting the destination in PREROUTING, transparently to the application, that is, to the server at 10.5.5.121.

    It is something like this: Alice asks Bob a question. Bob doesn't know the answer, but he knows that John does, so he asks John, and as soon as he gets the response from John, Bob tells Alice what the answer was. Unfortunately Bob did not tell John that it was Alice who wanted to know, so John has no way to determine who originally asked the question and will keep believing it was Bob that asked.

#3
    Just Joined! (joined Aug 2010, 2 posts)

    Thanks Kloschüssel for your answer, you made me understand the principle.

    Unfortunately I'm an iptables newbie, so I would like you to correct my iptables rules.
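The thread ends here without the corrected rules. What follows is an added example, not code from either poster, showing the usual way to keep the real client address when squid runs on a box other than the gateway. The reason the SNAT in post #1 was needed is that with DNAT alone the squid box would answer the client from 10.5.5.121:3128, while the client expected a reply from the web server's address, so it would reset the connection; the SNAT forces the reply back through the gw at the cost of the source address. The alternative is to leave the packet untouched on the gw and policy-route it to the squid box with iproute2. The REDIRECT there hands it to squid, and because conntrack remembers the original destination, squid's replies leave with the web server's address and port as source and reach the client directly across the LAN. The addresses and interfaces are the ones from the thread; the mark value 3, routing table 100, the DRY_RUN switch and the script name intercept.sh are assumptions made for this example, as is that both boxes run Linux with iproute2 and that the squid box's default route points at the gw.

```shell
#!/bin/sh
# Added example, not code from the thread: transparent squid on a separate
# box without the SNAT, so squid sees and logs the real client address.
# The gateway marks LAN->port 80 packets and policy-routes them to the
# squid box unchanged; the squid box REDIRECTs them to squid, and conntrack
# restores the original server address on the replies, which go straight
# back to the client on the same LAN.
# Addresses and interfaces are the thread's; FWMARK, RT_TABLE and the
# DRY_RUN switch are assumptions made for this example.

GW_LAN_IF=eth1           # gateway's LAN interface
SQUID_IF=eth0            # squid box's LAN interface
SQUID_IP=10.5.5.121
GW_IP=10.5.5.1
LAN=10.5.5.0/24
SQUID_PORT=3128
FWMARK=3                 # assumed packet mark
RT_TABLE=100             # assumed routing table number

# run: with DRY_RUN=1 print the command instead of executing it, so the
# resulting rules can be reviewed without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Gateway side: replaces the thread's DNAT + SNAT + FORWARD rules.
setup_gw() {
    # mark port-80 traffic from the LAN, but not the squid box's own fetches
    run iptables -t mangle -A PREROUTING -i "$GW_LAN_IF" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    # marked packets consult a table whose only route is "via the squid box"
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    run ip route add default via "$SQUID_IP" dev "$GW_LAN_IF" table "$RT_TABLE"
    # the packet leaves on the interface it arrived on; keep the gateway
    # from telling clients (ICMP redirect) to talk to the squid box directly
    run sysctl -w "net.ipv4.conf.$GW_LAN_IF.send_redirects=0"
}

# Squid box side: it now receives packets addressed to the real servers.
setup_squid_box() {
    # anything routed here that is not intercepted must still reach the gw
    run sysctl -w net.ipv4.ip_forward=1
    # intercept before the routing decision; the nat entry keeps the
    # original destination so squid's replies carry the server's address
    run iptables -t nat -A PREROUTING -i "$SQUID_IF" -s "$LAN" \
        -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

# Request count per client from a squid native access.log read on stdin
# (column 3 is the client address). With the thread's rules this shows
# only $GW_IP; after the change it should list the LAN hosts.
clients_in_log() {
    awk '{ n[$3]++ } END { for (ip in n) printf "%s %d\n", ip, n[ip] }' | LC_ALL=C sort
}

# usage:  DRY_RUN=1 sh intercept.sh gw        review the gateway commands
#         sh intercept.sh gw                  apply on the gateway (as root)
#         sh intercept.sh squid               apply on the squid box (as root)
#         sh intercept.sh log < /var/log/squid/access.log
case "${1:-}" in
    gw)    setup_gw ;;
    squid) setup_squid_box ;;
    log)   clients_in_log ;;
esac
```

Flush the three gw rules from post #1 before running the gw part, since the DNAT would otherwise still rewrite the destination before the mark is evaluated in the routing step. Run each part once at boot (ip rule add does not deduplicate), and make sure table 100 is not already used in /etc/iproute2/rt_tables. Squid's http_port keeps its transparent/intercept setting from the working setup; only the gateway's treatment of the packets changes.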
