[linux] transparent proxy SQUID * ako obist spatne presmerovanie - endless loop

[Matus UHLAR - fantomas]

> On Mon, Sep 25, 2006 at 08:28:01PM +0200, Jan Kunder wrote:
> > (podmienkou je *transparentne* proxy

citat z RFC2616:
      A
      "transparent proxy" is a proxy that does not modify the request or
      response beyond what is required for proxy authentication and
      identification.

takze chces skor odchytavat spojenia, nie transparentny (a ani
*transparentny*) proxy.

> > - cize sa nebude nikde nic 
> > nastavovat v IE/FF prehliadacoch a vobec - teraz to takto ide uplne OK - 
> > teda az na rychlost)

preco nechces nastavovat proxy? odchytavanie spojeni ti moze priniest
niekolko problemov (napriklad s MTU discovery).

> > Terajsi stav je velmi kednoduchy (server1):
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i ! $INET_IFACE \
> >       -d ! $INET_IP -j REDIRECT --to-port 3128

On 25.09.06 20:42, Lubomir Host wrote:
> Dopisat do tohto pravidla podmienku, aby traffic zo siete forwardoval na
> main2:3128, ale okrem trafficu z main2:
> 
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i ! $INET_IFACE \
>       -d ! $INET_IP -s ! $main2_ip -j DNAT --to $main2_ip:3128
> 
> Snad to pojde. ;)

obavam sa ze nie. ak totiz preNATujes adresu ciela, proxy sa uz nedozvie kam
si sa chcel pripojit takze mas smolu. ak ma byt proxy na inom servri ako
routri, musis pakety presmerovat bez NATu, t.j. pouzit vlasnosti zvanu
policy routing, pakety forwardovat na pocitac kde bude bezat proxy (nastav
it next hop) a tam si to starou technikou presmerovat na proxy server.

-- 
Matus UHLAR - fantomas, uhlar na fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.