Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
10-04-2005, 08:26 AM
#1
LQ Newbie
Registered: Oct 2005
Posts: 12
routing by iptables
Hi,
I have a problem in Squid. Indeed, I have configured it correctly and I can use it as a proxy, but as soon as I redirect to port 3128 it gives wrong answers to customers. I have a Cisco AS 5300; I want to route to the cache server and then to the 1841 router. I have two NICs, one for the invalid IP and the other for the valid one.
I should mention that I use Fedora Core 3. I used the following command in my iptables file:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
and
proxy on
host virtual
header on
Is there anyone who can tell me what my mistake is?
Thank you
10-06-2005, 01:32 PM
#2
LQ Newbie
Registered: Oct 2005
Location: Brazil
Posts: 2
Hi,
You've mentioned that you have a problem in Squid. Which problem is that?
Which specific error have you gotten ("...it gives wrong answers to customers...")?
Could you check whether any packets are matching your iptables rule? (iptables -t nat -L PREROUTING -n -v)
Regards,
Thomas
10-10-2005, 06:52 AM
#3
LQ Newbie
Registered: Oct 2005
Posts: 12
Original Poster
Thanks for your care.
Indeed, my cache server brings wrong pages to customers. For example, people ask for Gmail and they see Google, or ask for MSN and receive a white page. Of course it works correctly when I use an access-list in my AS5300, but I do not want to do caching that way. I want all data packets to go through the cache, and I want the cache server to act as a NAT server too, but with an access-list that is impossible.
Regards
10-10-2005, 02:27 PM
#4
Member
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219
Kindly describe in some detail.
Do users get an error on every request, or on some specific websites?
What do you do with access-lists on the AS5300?
What is the gateway of the AS5300? Linux? And how does your router send traffic back to clients, via the Linux box or via the AS5300?
10-11-2005, 05:11 AM
#5
LQ Newbie
Registered: Oct 2005
Posts: 12
Original Poster
Hi,
As I mentioned, I want to give an ip route command to the AS5300 to send all packets to eth1 (invalid IP), pass all data to eth0 (valid IP), meanwhile redirect port 80 to 3128, and go from eth0 to the gateway, which is my router.
Of course, when I ip route to eth1 and NAT in the AS5300, and use this command:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <valid ip>
all data packets go through the machine without problem, but as soon as I redirect:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
the cache box works, but most sites like MSN, Gmail, blackfa, etc. do not work.
Last edited by ali_dd15; 10-11-2005 at 07:08 AM.
10-11-2005, 02:36 PM
#6
Member
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219
There is still some confusion in your reply. You are saying traffic enters on eth1 and goes out of eth0, and you are posting commands for the opposite.
If the architecture is like this:
As5300--->Eth0(Linux)Eth1---> Router
Eth0 and the AS5300 ethernet must use a private IP (as in your case you want),
Eth1 must have a live IP,
and the commands must be like this:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
(why not the IP of the eth1 interface?)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Normally, if the problem comes with sites like Gmail or MSN, it means there is an SSL problem. It means only your port 80 traffic is getting NAT via Squid and the traffic on other ports is not getting NAT, because of your wrong command, OR
maybe you are using another IP on SNAT rather than the live IP of the Linux box.
Thanks
10-12-2005, 05:32 AM
#7
LQ Newbie
Registered: Oct 2005
Posts: 12
Original Poster
internet ----> tellabs modem ----> router 1841 ---> cache ---> AS5300 --> HDSL modem ---> dial up users
Cache server:
dial up customers (invalid ip) --> AS5300 --> eth1 (invalid ip) (cache box) eth0 (valid ip) --> router 1841
My router and AS 5300 have valid IPs, so I hope that I have made the topology clear. I want to give an ip route to my AS5300 to go through the cache, and there all port 80 is redirected to 3128. In addition, I want my cache server to NAT all customers (the work that my AS 5300 is doing now).
Thanks for your care.
Last edited by ali_dd15; 10-12-2005 at 05:40 AM.
10-12-2005, 06:15 AM
#8
Member
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219
Do a simple thing.
Give your AS5300 ethernet an invalid IP and stop NAT on it.
For example:
AS5300 ip = 192.168.0.1/24
Linux Eth1 = 192.168.0.2/24
Linux Eth0 = any live ip
Router = any live ip
Now on the AS5300:
ip route 0.0.0.0 0.0.0.0 192.168.0.2
On Linux:
enable forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
default gateway = Router
route add default gw "ip of router"
Also route all invalid or valid IPs of dialup users with next hop 192.168.0.1; for example, if your dialup IP pool is 172.16.0.0/24:
route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1
On the router, you need just a default route. Remove previously added routes.
All traffic will be NATted by the Linux box; the router will route replies back to the Linux box automatically, as they are on the same subnet.
Thanks
Last edited by newpenguin; 10-12-2005 at 06:22 AM.
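The setup in this post written up as a script (an added example, not from the thread or any poster): it uses the addresses newpenguin gives (AS5300 192.168.0.1, Linux eth1 192.168.0.2, dial-up pool 172.16.0.0/24), a placeholder 203.0.113.1 for the 1841 router, and DRY_RUN=1 so it only prints the commands. Beyond the post, it limits NAT and REDIRECT to the dial-up pool and closes the proxy port on the live interface so the cache cannot be reached as an open proxy.

```shell
#!/bin/sh
# Added example, not from the thread: newpenguin's post #8 setup as a script.
# Constructed addresses follow that post; ROUTER_IP is a placeholder.
# DRY_RUN=1 (the default) only prints each command instead of running it.
LAN_IF=eth1                          # faces the AS5300 (private "invalid" side)
WAN_IF=eth0                          # faces the 1841 router (live "valid" side)
AS5300=192.168.0.1                   # next hop back towards the dial-up users
ROUTER_IP=${ROUTER_IP:-203.0.113.1}  # placeholder for the 1841's address
POOL=172.16.0.0/24                   # dial-up users' address pool
SQUID_PORT=3128
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Each builder returns the exact command line, so the rules can be checked.
redirect_rule() {
    # Transparent proxy: only port 80 from the pool, only on the LAN side.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $POOL -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
}
masq_rule() {
    # NAT every protocol from the pool, not just port 80; otherwise HTTPS
    # (443) leaves with a private source address and Gmail/MSN logins fail.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $POOL -j MASQUERADE"
}
proxy_guard_rule() {
    # If Squid listens on all addresses, block 3128 from the Internet side
    # so the cache cannot be used as an open proxy.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $SQUID_PORT -j DROP"
}
pool_route() {
    # Replies to 172.16.x.x must go back via the AS5300, not the default gateway.
    echo "route add -net 172.16.0.0 netmask 255.255.255.0 gw $AS5300"
}

apply_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run $(proxy_guard_rule)
    run $(masq_rule)
    run $(redirect_rule)
    run route add default gw "$ROUTER_IP"
    run $(pool_route)
}

# Hit counters answer post #2's question: is anything matching the rules?
show_counters() { run iptables -t nat -L PREROUTING -n -v; }

apply_setup
```

Run with DRY_RUN=0 as root to apply; afterwards show_counters tells you whether the REDIRECT rule is actually seeing client traffic.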
10-13-2005, 05:34 AM
#10
LQ Newbie
Registered: Oct 2005
Posts: 12
Original Poster
I had tried ip route as you said, but in this part I did not understand what you mean; if it is possible, explain it:
"also route your all invalid or valid ips of dialup users with next hop to 192.168.0.1 like if your dialup ip pool is 172.16.0.0/24
route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1"
If you mean using "ip policy route cache" "set ip next-hop (valid cache ip)",
I have tested it.
If it is possible, explain these two lines.
Thanks
10-13-2005, 11:19 AM
#11
LQ Newbie
Registered: Oct 2005
Distribution: RHEL
Posts: 19
If you want to route incoming traffic from one address to a specific port, do you need two rules?
I am trying to do something similar. Should I post a new topic or append my question to this one? OK, since no one responded I will just append it.
***
I want to take all incoming TCP traffic from a specific IP address and route it to a different port. The purpose is to try and open a MySQL connection across port 80. I looked up iptables and was wondering if what I have will work:
# iptables -A INPUT -p tcp -s <sourceIP> -sport 80 -dport 3306
based on information in this howto:
http://www.linuxguruz.com/iptables/h...s-HOWTO-6.html
Last edited by llbbl; 10-13-2005 at 03:08 PM.
10-13-2005, 03:00 PM
#12
Member
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219
Quote:
Originally posted by ali_dd15
I had tried ip route as you said, but in this part I did not understand what you mean; if it is possible, explain it:
"also route your all invalid or valid ips of dialup users with next hop to 192.168.0.1 like if your dialup ip pool is 172.16.0.0/24
route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1"
If you mean using "ip policy route cache" "set ip next-hop (valid cache ip)",
I have tested it.
If it is possible, explain these two lines.
Thanks

It's simple: how will your Linux machine know where your dialup IP pools are located?
If you don't add their route on the Linux machine and tell it that they are located at the AS5300,
then the reply will be forwarded to the default router. Your Linux machine is acting just like a router.
ip policy route cache is not needed in your scenario, as you want to pass all traffic through the Linux machine and NAT it.
10-13-2005, 03:02 PM
#13
Member
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219
Quote:
Originally posted by llbbl
If you want to route incoming traffic from one address to a specific port, do you need two rules?
I am trying to do something similar. Should I post a new topic or append my question to this one? OK, since no one responded I will just append it.
***
I want to take all incoming TCP traffic from a specific IP address and route it to a different port. The purpose is to try and open a MySQL connection across port 80. I looked up iptables and was wondering if what I have will work:
# iptables -A INPUT -p tcp -s <sourceIP> -sport 80 -dport 3306
based on information in this howto:
http://www.linuxguruz.com/iptables/h...s-HOWTO-6.html

Nope, you need:
iptables -t nat -A PREROUTING -p tcp -s srcip --dport 80 -j REDIRECT --to-port 3306
and it's not routing, it's NAT/redirection.
10-14-2005, 05:38 AM
#15
LQ Newbie
Registered: Oct 2005
Posts: 12
Original Poster
In /etc/sysctl.conf I have enabled
net.ipv4.ip_forward = 1
I added the two lines you mentioned in the iptables file,
but I do not know anything about IP pools and routing invalid IPs of users with next hop
to 192.168.0.1.
If it is possible, explain how I can route invalid IPs of users with next hop.
I should mention that I have "ip local pool default 192.168.1.100 192.168.1.200" in my AS5300
and int fast ethernet 0
ip address 192.168.1.11 255.255.255.0 secondary
ip address (valid ip) (valid gw)
In the Linux box (eth1) my IP is 192.168.1.3.
As I add that in the terminal, this appears:
[root@localhost ~]# route add -net 192.168.1.100 255.255.255.0 secondary gw 192.168.1.11
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
[netmask N] [mss Mss] [window W] [irtt I]
[mod] [dyn] [reinstate] [[dev] If]
inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
inet_route [-FC] flush NOT supported
Thanks for your attention.
Last edited by ali_dd15; 10-15-2005 at 07:48 AM.