On Sunday 13 July 2003 19.31, Antony Stone wrote:
> 1. Do you have an appropriate FORWARD rule to allow the packets
> through the machine as well?
>
> 2. Do you have /proc/sys/net/ipv4/ip_forward = 1 so the box will
> forward packets at all?
>
> 3. Does Squid listen on port 80 (transparent mode) or 3128
> (standard proxying mode)? If transparent, it may be interfering
> with the packets through the Linux machine.
>
> 4. If you use the command "iptables -L -t nat -n -v -x" do you see
> non-zero values for the packet and byte counters on the above rule?
> (ie are any packets matching the rule and being NATted, but then
> blocked somewhere else)
>
> 5. Does your ISP block incoming TCP Port 80 traffic, to stop people
> running web servers on home connections?

6. Does the web server route packets back to the Internet via your
Squid server?

If not all of these are fulfilled, NAT won't work. The last can be solved by dual NAT (both DNAT and SNAT), but in such a case there is no reason not to run a proxy instead.

As Antony, I would recommend running a reverse proxy on your Squid server machine, listening to port 80 and forwarding requests to your web server. This only has the benefit that it is considerably easier to set up, you also get a kind of gatekeeper function in the Squid proxy blocking many invalid HTTP requests trying to exploit various web servers.

This Squid should preferably not be the same Squid instance you use for proxying. Install the accelerator mode Squid with another prefix, and configure it like

    httpd_accel_host your.external.domain
    httpd_accel_port 80
    icp_port 0
    snmp_port 0 (if enabled)
    htcp_port 0 (if enabled)

and add your.external.domain to /etc/hosts with the IP address of your web server.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
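
Checklist items 2 and 4 above can be checked with a short script. This is an added example, not part of the original post; the sample listing, the addresses in it and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks items 2 (ip_forward) and 4 (NAT rule counters).

# Constructed sample of `iptables -L -t nat -n -v -x` output (not from the thread).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 120 packets, 7200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10        tcp dpt:80 to:192.168.1.20:80
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10        tcp dpt:443 to:192.168.1.20:443

Chain POSTROUTING (policy ACCEPT 8 packets, 480 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'

# Print "pkts bytes" for every DNAT rule matching destination port $1.
# Reads an iptables listing on stdin.
dnat_counters() {
    awk -v port="dpt:$1" '
        $3 == "DNAT" { for (i = 4; i <= NF; i++) if ($i == port) print $1, $2 }'
}

# Item 4: succeed if at least one DNAT rule for port $1 has matched packets.
dnat_is_matching() {
    dnat_counters "$1" | awk '$1 > 0 { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Item 2: succeed if the ip_forward file (path overridable for testing) holds 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Summarise item 4 for port $1; iptables listing on stdin.
check_nat() {
    if dnat_is_matching "$1"; then
        echo "port $1: DNAT rule matches packets; check FORWARD, return route, ISP filtering"
    else
        echo "port $1: no packets have matched a DNAT rule"
    fi
}

# On the firewall itself (as root): iptables -L -t nat -n -v -x | check_nat 80
printf '%s' "$SAMPLE_NAT" | check_nat 80
```

Non-zero counters on the DNAT rule mean the packets are being translated and the fault lies further along: the FORWARD chain, the web server's return route (item 6), or filtering upstream.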
