For correct operation you need to do the NAT on the proxy server itself, or else some HTTP applications will break as the NATing will destroy the intended destination address. Squid also needs to be compiled with support for netfilter (or whatever final interception method is being used).

If you do the traffic separation separately from the proxying then the box doing the traffic separation needs to know how to route TCP connections. I don't think this can currently be done in the bridge code.

Lennert: Would it be possible to extend the bridge to force selected packets to be routed rather than bridged, without having to NAT them (i.e. what the "divert" module does)? This combined with some netfilter hacking like my CONNMARK extension would open up for some quite fascinating TCP routing/diversion, allowing the "bridge" to redirect selected TCP sessions to another hop in the network (GRE tunnels can be used for "long-range" routing if the next hop isn't local) in a quite reliable manner, fully supporting Path MTU discovery, related connections (i.e. FTP data channels) etc.

There is no strict requirement for an IP address on such a TCP routing bridge box, but if it doesn't have an IP address then it will need to have a static ARP table of all "next hop" addresses.

Or alternatively, one can do as you have done: doing DNAT in the bridge will work for the majority of browsers out there. If the return traffic "normally" does not go through the bridge, then you can use SNAT to force it to go that way. However, this comes at the price of no longer having source IP addresses available in the proxy logs (all will appear as if coming from the SNAT address).

Alternatively you can solve this by plain routing: assign an IP on the bridge, and configure the proxy to route all return traffic of intercepted requests via this IP.

Regards
Henrik Nordström

On Sunday 25 November 2001 11.43, [EMAIL PROTECTED] wrote:
> Hello,
>
> I am using 2.4.14 with bridge-nf-0.0.3 acting as a transparent firewall between my network and our upstream. I have set up inside my local network a box with Squid set up in transparent proxy mode. However I haven't been able to figure out the appropriate iptables rules needed in the bridge box.
>
> The transparent proxy mini-HOWTO seems to assume that the iptables box has an IP address, which is not the case in my setup. I have 2 NICs doing bridging & firewalling and that's all.

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
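The three arrangements the reply lists (plain DNAT on the bridge; DNAT plus SNAT, which hides client addresses from the proxy logs; and DNAT with an IP assigned to the bridge plus a return route on the Squid host) as an added example that is not part of the original thread. It is a small POSIX shell script that prints the iptables/iproute2 commands rather than applying them, so they can be reviewed before being piped to `sh` on the right box. All addresses, the interface name `br0` and the Squid intercept port are assumed placeholders; `br_netfilter` with `bridge-nf-call-iptables` is the modern form of the bridge-nf patch the original poster is running.

```shell
#!/bin/sh
# Added example, not from the original message. Emits the iptables/iproute2
# commands for the interception set-ups described in the reply. Nothing is
# applied unless you pipe the output to sh on the target box.
# All addresses, interfaces and the Squid port below are assumed placeholders.
PROXY_IP=${PROXY_IP:-192.0.2.10}     # assumed: Squid host on the LAN
PROXY_PORT=${PROXY_PORT:-3128}       # assumed: Squid intercept port
BRIDGE_IP=${BRIDGE_IP:-192.0.2.1}    # assumed: IP given to the bridge (variants 2 and 3)
LAN_NET=${LAN_NET:-192.0.2.0/24}     # assumed: client network behind the bridge
BR_IF=${BR_IF:-br0}                  # assumed: bridge interface name

# Bridged frames are only seen by iptables when bridge netfilter is on.
# This is the modern module/sysctl form of the bridge-nf patch in the thread.
enable_bridge_nf() {
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# Variant 1: DNAT port-80 traffic on the bridge to Squid. Works when the
# proxy's replies to the client already pass back through the bridge, so
# conntrack can undo the translation. The proxy's own outbound fetches are
# excluded first, otherwise they would be redirected back to Squid.
dnat_rules() {
    echo "iptables -t nat -A PREROUTING -i $BR_IF -s $PROXY_IP -j RETURN"
    echo "iptables -t nat -A PREROUTING -i $BR_IF -s $LAN_NET -p tcp --dport 80" \
         "-j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
}

# Variant 2: additionally SNAT the redirected connections to the bridge's
# address so replies are forced back through the bridge. Cost: Squid's
# access log shows $BRIDGE_IP for every client.
snat_rules() {
    dnat_rules
    echo "iptables -t nat -A POSTROUTING -o $BR_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT" \
         "-j SNAT --to-source $BRIDGE_IP"
}

# Variant 3: no SNAT. Run on the Squid host instead: replies from the
# intercept port are marked and policy-routed via the bridge's IP, so the
# bridge's conntrack sees them and client addresses survive in the logs.
proxy_host_route_rules() {
    echo "iptables -t mangle -A OUTPUT -p tcp --sport $PROXY_PORT -j MARK --set-mark 1"
    echo "ip rule add fwmark 1 table 100"
    echo "ip route add default via $BRIDGE_IP table 100"
}

# Usage: sh intercept-rules.sh dnat|snat|route   (append "| sh" on the target box to apply)
case "${1:-}" in
    dnat)  enable_bridge_nf; dnat_rules ;;
    snat)  enable_bridge_nf; snat_rules ;;
    route) proxy_host_route_rules ;;
esac
```

The `RETURN` rule for the proxy's own source address is what stops Squid's upstream fetches from being looped back into the intercept port. Variant 3 is the one that keeps real client addresses in the access log, at the cost of a policy route on the Squid host; and as the first paragraph of the reply notes, any variant that DNATs on a box other than the proxy leaves Squid unable to recover the original destination address, so it has to rely on the HTTP Host header.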
