[COLUG] ipkungfu/squid problems

Duane duane at e164.org
Wed Mar 5 00:09:32 EST 2008


For what it's worth I have the following setup where I run 1 system that
uses Xen in an overkill way for most people, the Dom0 basically does
nothing other than starting up all the DomU's, it also ignores one
network card which gets pci forwarded to a DomU, the rest of the DomU's
share a second network card in a bridge.

One DomU handles a real PCI nic which connects directly to a DSL router
set up to be a dumb modem, this way none of the LAN clients or wireless
ones for that matter can bypass the firewall, this system runs PPPoE out
the first PCI nic, then NATs etc all traffic to a virtual nic connected
to a virtual nic on the bridge interface.

That DomU also has an iptables rule to redirect any port 80 traffic not
leaving from another DomU which runs squid, back to the squid DomU.

Because this is effectively 2 unique linux systems, you need to use the
following rule on the firewall to redirect traffic rather than the rule
most people promote:

# DNAT LAN port 80 traffic bound for non-LAN hosts to the squid box (one line)
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 ! -d 192.168.1.0/24 --dport 80 -j DNAT --to 192.168.1.1:3128

Although I just noticed I've updated my system to be a little smarter
than when I wrote that wiki entry...

# redirect port 80 traffic via proxy if available, otherwise fail over to direct.
# 1. the squid box's own outbound port 80 traffic must NOT be marked, or it loops back to squid
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT
# 2. everyone else's port 80 traffic to non-local hosts gets fwmark 1
iptables -t mangle -A PREROUTING -i eth1 ! -d 192.168.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
# 3. marked packets use routing table 1, whose default route is the squid box
ip rule add fwmark 1 table 1
ip route add default table 1 nexthop via 192.168.1.10 dev eth1 weight 10

Mind you there are some tricks to dealing with packets hitting the squid
box from there since it will simply send packets to port 80 to squid,
but it's not listening on port 80... soooooo you need to do the
following on the squid box...

# on the squid box: anything arriving on eth0 for port 80 goes to the local squid port
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

From memory you need to tweak squid settings a little to cope with this,
because it doesn't expect packets in that way, but I might be confusing
things a little. Oh and doing things this way also means that the
requesting computer thinks it got a connection to/from the real IP it
was trying to hit and the squid server knows the real IP the
connection was coming from instead of seeing the gateway IP.

For me this was mostly an exercise in seeing if I could, not necessarily
in what is the most efficient for your setup, but if, as other posters
wrote, you seem to have a separate firewall + proxy, then the
above is most likely what you need to know rather than what you are
attempting to do, which is effectively put the proxy in the middle of
everything when that isn't the best way to do things since you only
really want to be in the middle of port 80 requests.

-- 

Best regards,
 Duane

http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
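The packet path the post describes (firewall DomU marks and policy-routes port 80 to the squid DomU, which REDIRECTs it to 3128), as an added simulation written for this page rather than code from the post or from ipkungfu/squid. It models the rules as first-match chains; the 203.0.113.x destinations, the interface names and the loop_guard switch (which models leaving out the ACCEPT rule for the squid box's own traffic) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values from the post: squid DomU is 192.168.1.10, "-d ! 192.168/16" treats
# all of 192.168.0.0/16 as local. Everything else here is constructed.
LAN = ipaddress.ip_network("192.168.0.0/16")
SQUID_BOX = ipaddress.ip_address("192.168.1.10")
SQUID_PORT = 3128


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def firewall_mangle(pkt, loop_guard=True):
    """mangle PREROUTING on the firewall DomU; first match wins, ACCEPT ends
    traversal. Returns 1 if the packet receives fwmark 1, else 0."""
    if pkt.in_iface != "eth1" or pkt.proto != "tcp" or pkt.dport != 80:
        return 0
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Rule 1: squid's own outbound fetches are ACCEPTed before the MARK rule.
    # loop_guard=False is a constructed switch that drops this rule.
    if loop_guard and src == SQUID_BOX:
        return 0
    # Rule 2: LAN clients talking to non-local hosts on port 80 get fwmark 1.
    return 1 if dst not in LAN else 0


def squid_nat(pkt):
    """nat PREROUTING on the squid DomU: REDIRECT eth0 port 80 to 3128."""
    if pkt.in_iface == "eth0" and pkt.proto == "tcp" and pkt.dport == 80:
        return SQUID_PORT
    return pkt.dport


def trace(pkt, loop_guard=True):
    """Where a packet entering the firewall DomU on eth1 ends up."""
    if firewall_mangle(pkt, loop_guard) != 1:
        return "direct"            # main table: straight out the PPPoE link
    # "ip rule add fwmark 1 table 1" hands it to the squid box, where it
    # arrives on that DomU's eth0 (interface name assumed from the post).
    port = squid_nat(Packet("eth0", pkt.src, pkt.dst, pkt.dport, pkt.proto))
    if ipaddress.ip_address(pkt.src) == SQUID_BOX:
        return "loop"              # squid's own request was sent back to squid
    return f"squid:{port}"
```

Running trace() on a LAN client's HTTP request gives "squid:3128", while the same request from 192.168.1.10 gives "direct" only because the ACCEPT rule sits above the MARK rule; with loop_guard=False it comes back as "loop".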
