Subject: Re: IPFilter and transparent proxy redirection confusion
To: Urban Boquist <>
From: Matthias Scheler <>
List: tech-net
Date: 07/12/2007 13:29:49
On Wed, Jul 11, 2007 at 05:33:18PM +0200, Urban Boquist wrote:
> First attempt to just redirect on GW like before:
>   rdr fxp1 0/0 port 80 -> port 3128 tcp
> seems to work somewhat initially, I see a SYN being redirected at GW
> to, and a SYN-ACK sent back to the original client, but
> then it responds with a RST. I assume it gets confused because the
> reply comes from a different ip?

That's correct. The SYN-ACK is sent to the client directly and
therefore not corrected via NAT by the gateway.

> So do I need to rewrite source address too at the GW?

Yes, but I'm not sure whether IPFilter supports that with your current
network setup.

> And then it seems that I need some exception for the Squid machine
> itself, to avoid its port 80 requests being redirected to itself?

That's another problem.

> Any hint would be appreciated, I can find millions of pages with
> Google that explains how to do this when Squid is running on
>, but none that explains when it is not... :-(

The best idea I can think of is to put another network card in the
gateway which is used to talk to the proxy server.

Internet <--fxp0---> gateway <--fxp1--> clients

This would make sure that all packets from the proxy to a client have
to go through NAT on the gateway. And the proxy server wouldn't be
affected by the redirect rule on "fxp1" anymore.

	Kind regards

Matthias Scheler
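As an added illustration (not from the thread or from IPFilter itself), a small Python model of the behaviour Matthias describes: the gateway's rdr rule and its state table, with the proxy either on the client LAN or on a separate gateway interface. Addresses are constructed RFC 5737 examples and the second proxy-facing interface is an assumption.

```python
from dataclasses import dataclass

CLIENT_LAN = "192.0.2."                     # clients behind fxp1 (constructed addresses)
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def subnet(ip):
    return ip.rsplit(".", 1)[0] + "."

class Gateway:
    """Toy model of 'rdr fxp1 0/0 port 80 -> <proxy> port 3128 tcp' plus its state table."""
    def __init__(self, proxy_ip, proxy_port=3128):
        self.proxy = (proxy_ip, proxy_port)
        self.state = {}  # (client ip, client port) -> (original dst, original dport)

    def forward(self, pkt):
        # Packets arriving on fxp1 (i.e. from the client LAN) for port 80 are redirected.
        if pkt.dport == 80 and subnet(pkt.src) == CLIENT_LAN:
            self.state[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, self.proxy[0], pkt.sport, self.proxy[1])
        # Replies from the proxy that match a state entry get their source rewritten back.
        if (pkt.src, pkt.sport) == self.proxy and (pkt.dst, pkt.dport) in self.state:
            odst, odport = self.state[(pkt.dst, pkt.dport)]
            return Packet(odst, pkt.dst, odport, pkt.dport)
        return pkt

def synack_source_seen_by_client(proxy_ip):
    """Source address of the SYN-ACK as the client sees it; anything but SERVER triggers the RST."""
    gw = Gateway(proxy_ip)
    syn = gw.forward(Packet(CLIENT, SERVER, 40000, 80))   # default route: SYN always crosses the gateway
    synack = Packet(syn.dst, syn.src, syn.dport, syn.sport)
    # The proxy's reply only crosses the gateway if the client is not on the proxy's own subnet
    # (the assumed extra interface puts the proxy on a subnet of its own).
    if subnet(proxy_ip) != subnet(CLIENT):
        synack = gw.forward(synack)
    return synack.src

def proxy_own_fetch_redirected(proxy_ip):
    """True if the proxy's own outbound port-80 request would be looped back to itself."""
    out = Gateway(proxy_ip).forward(Packet(proxy_ip, SERVER, 50000, 80))
    return out.dst == proxy_ip
```

With the proxy on the client LAN the client sees the proxy's address in the SYN-ACK and the proxy's own fetches are redirected to itself; on a separate gateway interface both problems disappear.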