Hi,

again a late response. Sorry for that.

This classical REDIRECT issue with a transparent proxy and iptables is
already discussed on several websites. The shorewall web site is one of
them. Have you checked that? You might also want to read the Squid
section ... while you're at it ;o)

>Marko Vukovic <[EMAIL PROTECTED]> writes:

> Howdy
> 
> I have a MNF8.2 with 3 interfaces: WAN, DMZ, LAN. There is a web server on
> the DMZ listening on 192.168.1.2:80
> 
> The A record for this web site is 196.31.xx.xx, which is the Firewall's
> external interface IP - so I have this forwarding rule.
> 
> ACCEPT:info wan dmz:192.168.1.2 tcp http 196.31.xx.xx         
> 
> This works fine from the outside, but a problem occurs from the inside.
> The firewall is running Squid in transparent caching mode, so when a user
> attempts to browse to the site, Squid tries to connect to the 196.31.xx.xx
> interface, unsuccessfully - so I add this rule:
> 
> ACCEPT:info fw dmz:192.168.1.2 tcp http 196.31.xx.xx
> 
> This doesn't work, so I try:
> 
> ACCEPT:info fw:172.16.1.1 dmz:192.168.1.2 tcp http 196.31.xx.xx

Why not simply ACCEPT:info fw dmz tcp http for the moment?

> Where 172.16.1.1 is the firewall's internal interface. This doesn't work
> either - the Squid tries to connect, but eventually just times out. Here's
> what gets logged:
> 
> Sep  8 11:36:59 napalm kernel: Shorewall:fw2dmz:ACCEPT:IN= OUT=eth2
> SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0
> PROTO=TCP SPT=46007 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> eth2 is the DMZ interface. I see SRC=192.168.1.1, so I modify the rule to:
> 
> ACCEPT:info fw:192.168.1.1 dmz:192.168.1.2 tcp http 196.31.xx.xx
> 
> This makes no difference. To get around this problem, I have to 'fake' the
> A record for the web server, pointing it directly to 192.168.1.2. This is
> not ideal though :(
> 
> Any help would be much appreciated.

The solution is available only on MNF2 through the web interface because
you would need to edit the REDIRECT rule and add something like
!196.31.xx.xx so your proxy will not cache that web site.
 
my 2cts,
-- 
Florin                          http://www.mandrakesoft.com
                                http://people.mandrakesoft.com/~florin/
