[ fascinom @ 24.04.2010. 09:41 ] @
Hello,

I'm struggling with a problem with a transparent proxy server that has one network adapter in the local LAN (192.168.0.1), one in the DMZ (192.168.10.1) and one with a public IP address. Forwarding traffic to the internet works as it should, while forwarding to the DMZ does not.

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 127.0.0.1:3128 transparent
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl dmz dst 192.168.10.0/24
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 40 MB
cache_dir ufs /var/squid/cache 200 16 256
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
acl lan src 192.168.0.0/24
http_access allow localhost
http_access allow dmz lan
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname gw.domena.com
coredump_dir /var/spool/squid
cache_mgr [email protected]

Any help or a useful link is welcome.

Thanks.

[ neur0 @ 24.04.2010. 11:42 ] @
And what does the routing table on that server look like?
[ fascinom @ 26.04.2010. 05:46 ] @
The routing table is fine. Traffic on the other ports works properly. Traffic on port 80 towards the internet works too, just not towards the DMZ.

Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            212.62.32.5        UGS       11  2774203     -     8 sis0
127.0.0.1          127.0.0.1          UH         8       60 33200     4 lo0
192.168.10/24      link#3             UC         2        0     -     4 rl1
192.168.0/24       link#2             UC        26        0     -     4 rl0
[ fascinom @ 14.05.2010. 06:23 ] @
Solution:

Enter the names and IP addresses of the machines in the DMZ into the /etc/hosts file.

The gateway otherwise resolves names via DNS. I haven't found out why that isn't the case with the servers in the DMZ, but since the hosts file helps, I won't investigate further.

Regards.
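A check one could run after applying the fix above, as an added example that is not part of the original thread: Squid matches a `dst` ACL against the address the requested host name resolves to, so this script confirms that each DMZ name is pinned in the hosts file to an address inside the `acl dmz dst` network. The host names, addresses and hosts-file content are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed input: the two directives from the posted squid.conf that matter here.
SQUID_CONF = "hosts_file /etc/hosts\nacl dmz dst 192.168.10.0/24\n"

# Constructed hosts-file content; names and addresses are placeholders.
HOSTS = """\
127.0.0.1      localhost
192.168.10.10  www.dmz.example www   # DMZ web server
203.0.113.7    shop.dmz.example      # public address, not the DMZ one
"""

def dst_networks(conf_text, acl_name):
    """Collect the networks named in 'acl <acl_name> dst ...' lines."""
    nets = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[:3] == ["acl", acl_name, "dst"]:
            nets += [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
    return nets

def parse_hosts(hosts_text):
    """Map each name and alias to an address (this example keeps the first seen)."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table

def check_dmz_names(conf_text, hosts_text, acl_name, names):
    """Return name -> 'ok', 'missing' or 'outside-acl' for each required name."""
    nets, table = dst_networks(conf_text, acl_name), parse_hosts(hosts_text)
    result = {}
    for name in names:
        addr = table.get(name.lower())
        if addr is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if any(addr in n for n in nets) else "outside-acl"
    return result

if __name__ == "__main__":
    wanted = ["www.dmz.example", "shop.dmz.example", "mail.dmz.example"]
    for name, status in check_dmz_names(SQUID_CONF, HOSTS, "dmz", wanted).items():
        print(f"{name}: {status}")
```

A name reported as `outside-acl` or `missing` would not match `acl dmz`, so the `http_access allow dmz lan` rule would not apply to requests for it.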