On 8/07/2016 10:42 a.m., Moataz Elmasry wrote:
> Hi all,
> 
> I just had an idea. Referring to the last email.
> The reason why I'm getting those "Header forgery" errors might be because
> of the defined nat rules. I'm using the following rules:
> 
> iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination ${MY_IP}:3128
> iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 443 -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination ${MY_IP}:3129
> 
> So, the next thing is I changed the --to-destination lines as follows:
> 
> iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 443 -j REDIRECT --to-port 3129
> 
> But no success. Do these nat rules have anything to do with the header
> forgery problem?

Indirectly they do. The existence of NAT is why the security test is
being done. But that is unlikely to be avoidable.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
