martin f krafft wrote:
> also sprach David Mandelberg <mandelbergd@eth0.is-a-geek.org> [2005.03.25.1730 +0100]:
>>> This works. Problem is that the packets arriving at 3128 have the
>>> dynamic external IP as source, when they should have 127.0.0.1.
>>
>> Is there a problem with that?
>
> Yes. As stated multiple times: it breaks squid access control.

What about allowing all connections with squid's acls and using iptables
to limit it to localhost? i.e.:

  iptables -A OUTPUT -d 127.0.0.1 -o world -p tcp --dport 3128 -m state --state \
    NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -d 127.0.0.1 -i world -p tcp --dport 3128 -m state --state \
    NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -s 127.0.0.1 -i world -p tcp --sport 3128 -m state --state \
    ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -s 127.0.0.1 -o world -p tcp --sport 3128 -m state --state \
    ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --dport 3128 -j $DROP_OR_REJECT
  iptables -A OUTPUT -p tcp --sport 3128 -j $DROP_OR_REJECT

Note: this is untested.

Another (untested and possibly not possible) way would be to allow all
w/ the acls but bind only to 127.0.0.1:3128 instead of *:3128.

Btw, why is POSTROUTING too late to use SNAT? As long as you use nat in
both directions so as not to confuse the client(s) it should work.
Another rule you should add if you get SNAT working but the clients
don't work is:

  # use NAT on traffic coming back from squid so as not to confuse clients
  # (POSTROUTING is a chain of the nat table, so -t nat is required, and
  #  -i cannot be matched in POSTROUTING, only -o)
  iptables -t nat -A POSTROUTING -o lo -p tcp --sport 3128 -j MASQUERADE

I hope some of this helps.
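As an added example (not from the thread or its participants), a small Python linter for the chain and interface constraints iptables enforces at load time: -i is only matched in INPUT/FORWARD/PREROUTING, -o only in FORWARD/OUTPUT/POSTROUTING, and PREROUTING/POSTROUTING do not exist in the default filter table. The chain sets are taken from iptables(8) for a current kernel; the sample rules are constructed, with the interface name "world" and port 3128 following the thread, and include a POSTROUTING rule that omits -t nat and uses -i.

```python
import shlex

# Constraints from iptables(8) (assumed: current kernel and iptables):
# built-in chains per table, and which chains may match on -i / -o.
TABLE_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
BUILTIN = set().union(*TABLE_CHAINS.values())
IN_IFACE_CHAINS = {"INPUT", "FORWARD", "PREROUTING"}
OUT_IFACE_CHAINS = {"FORWARD", "OUTPUT", "POSTROUTING"}


def lint_rule(line):
    """Return the problems found in one 'iptables ...' command (empty list = none)."""
    argv = shlex.split(line)
    table, chain = "filter", None  # iptables defaults to the filter table
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-t", "--table"):
            table = argv[i + 1]
        elif arg in ("-A", "-I", "-D", "--append", "--insert", "--delete"):
            chain = argv[i + 1]
    if chain is None:
        return ["no chain given"]
    problems = []
    # User-defined chains can live in any table; only built-in names are checked.
    if chain in BUILTIN and chain not in TABLE_CHAINS.get(table, set()):
        problems.append(f"chain {chain} does not exist in table {table}")
    if ("-i" in argv or "--in-interface" in argv) and chain not in IN_IFACE_CHAINS:
        problems.append(f"-i is not valid in {chain}")
    if ("-o" in argv or "--out-interface" in argv) and chain not in OUT_IFACE_CHAINS:
        problems.append(f"-o is not valid in {chain}")
    return problems


def lint_ruleset(lines):
    """Map each rule line to its problem list, skipping blank and comment lines."""
    return {l: lint_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")}


# Constructed sample ruleset (interface "world", squid on 3128 as in the thread).
SAMPLE_RULES = [
    "iptables -A INPUT -i world -p tcp --dport 3128 -j DROP",
    "iptables -A OUTPUT -o world -p tcp --sport 3128 -j DROP",
    "iptables -A POSTROUTING -o lo -i lo -p tcp --sport 3128 -j MASQUERADE",
    "iptables -t nat -A POSTROUTING -o lo -p tcp --sport 3128 -j MASQUERADE",
]

if __name__ == "__main__":
    for rule, problems in lint_ruleset(SAMPLE_RULES).items():
        print(rule, "->", problems or "ok")
```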