[COLUG] ipkungfu/squid problems
Robert Grimm
robertgrimm at gmail.com
Wed Mar 5 12:52:25 EST 2008
Unless I misunderstand you, this seems most like what I want to do
using one interface. I would still like to use two interfaces.
Here is a little more information on my network configuration. I may
repeat myself here a bit. There is a Cisco router at 192.168.1.1. It
has a subnet mask of 255.255.255.0. The squid box is at 192.168.1.200.
It is the gateway for most of the computers. The current squid box is
working as a transparent proxy. The new server works as a direct
replacement for the old squid box when the interfaces are on different
subnets. Could I change the netmask on the router and on eth0 to
255.255.252.0 and use an address on the 192.168.0.0 network for the IP
of eth0? Would this disrupt anything?
On Mar 5, 2008, at 12:09 AM, Duane wrote:
>
> For what it's worth I have the following setup where I run 1 system
> that uses Xen in an overkill way for most people, the Dom0 basically
> does nothing other than starting up all the DomU's, it also ignores
> one network card which gets pci forwarded to a DomU, the rest of the
> DomU's share a second network card in a bridge.
>
> One DomU handles a real PCI nic which connects directly to a DSL
> router setup to be a dumb modem, this way none of the LAN clients or
> wireless ones for that matter can bypass the firewall, this system
> runs PPPoE out the first PCI nic, then NATs etc all traffic to a
> virtual nic connected to a virtual nic on the bridge interface.
>
> That DomU also has an iptables rule to redirect any port 80 traffic
> not leaving from another DomU which runs squid, back to the squid DomU.
>
> Because this is effectively 2 unique linux systems, you need to use
> the following rule on the firewall to redirect traffic rather than
> the rule most people promote:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 ! -d 192.168.1.0/24 --dport 80 -j DNAT --to 192.168.1.1:3128
>
> Although I just noticed I've updated my system to be a little smarter
> than when I wrote that wiki entry...
>
> # redirect port 80 traffic via proxy if available, otherwise fail over to direct.
> iptables -t mangle -A PREROUTING -i eth1 -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT
> iptables -t mangle -A PREROUTING -i eth1 ! -d 192.168.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
> ip rule add fwmark 1 table 1
> ip route add default table 1 nexthop via 192.168.1.10 dev eth1 weight 10
>
> Mind you there are some tricks to dealing with packets hitting the
> squid box from there since it will simply send packets to port 80 to
> squid, but it's not listening on port 80... soooooo you need to do the
> following on the squid box...
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> from memory you need to tweak squid settings a little to cope with
> this, because it doesn't expect packets in that way, but I might be
> confusing things a little. Oh and doing things this way also means
> that the requesting computer thinks it got a connection to/from the
> real IP it was trying to hit and the squid server knows the real IP
> from which the connection was coming from instead of seeing the
> gateway IP.
>
> For me this was mostly an exercise in seeing if I could, not
> necessarily in what is the most efficient for your setup, but if what
> other posters wrote stating you seem to have a separate firewall +
> proxy then the above is most likely what you need to know rather than
> what you are attempting to do which is effectively put the proxy in
> the middle of everything when that isn't the best way to do things
> since you only really want to be in the middle of port 80 requests.
>
> --
>
> Best regards,
> Duane
>
> http://www.freeauth.org - Enterprise Two Factor Authentication
> http://www.nodedb.com - Think globally, network locally
> http://www.sydneywireless.com - Telecommunications Freedom
> http://e164.org - Because e164.arpa is a tax on VoIP
>
> "In the long run the pessimist may be proved right,
> but the optimist has a better time on the trip."
> _______________________________________________
> colug432 mailing list colug432 at colug.net
> http://www.colug.net/mailman/listinfo/colug432
--
Robert Grimm
(614) 212-4625
http://www.datablitz.net
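A model of the two-box rule set Duane quotes (the gateway marks LAN port-80 traffic and policy-routes it to the squid box; the squid box REDIRECTs port 80 to 3128), added here as an example and not part of either poster's configuration. It assumes a LAN of 192.168.1.0/24, Robert's squid box at 192.168.1.200, eth1 as the gateway's LAN interface and eth0 as the squid box's, and it shows why the first ACCEPT rule (exempting the squid box's own outbound connections) is what keeps the proxy from being routed back to itself.

```python
"""Policy model of the gateway + squid-box transparent proxy rules (added example).
Addresses and interface names are assumptions, not values from the thread's config."""
from ipaddress import ip_address, ip_network

LOCAL_NETS = ip_network("192.168.0.0/16")   # the '! -d 192.168/16' match on the gateway
SQUID_IP = ip_address("192.168.1.200")      # squid box (Robert's address)
GW_LAN_IF = "eth1"                          # gateway side: '-i eth1' in the mangle rules
SQUID_LAN_IF = "eth0"                       # squid side:   '-i eth0' in the REDIRECT rule
SQUID_PORT = 3128

def gateway_route(in_if, src, dst, proto="tcp", dport=80, exempt_squid=True):
    """Walk the gateway's mangle PREROUTING chain, then 'ip rule add fwmark 1 table 1'.
    Returns 'via_squid' if the packet is policy-routed to the squid box, else 'direct'."""
    src, dst = ip_address(src), ip_address(dst)
    if in_if != GW_LAN_IF or proto != "tcp" or dport != 80:
        return "direct"          # no rule matches; main routing table applies
    if exempt_squid and src == SQUID_IP:
        return "direct"          # rule 1: -s SQUID_IP -j ACCEPT, squid's own fetches pass
    if dst in LOCAL_NETS:
        return "direct"          # rule 2 only matches '! -d 192.168.0.0/16'
    return "via_squid"           # MARK 1 -> table 1 -> nexthop via SQUID_IP

def squid_box_dport(in_if, proto="tcp", dport=80):
    """Apply the squid box's 'nat PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128'.
    Returns the local port the connection actually lands on."""
    if in_if == SQUID_LAN_IF and proto == "tcp" and dport == 80:
        return SQUID_PORT
    return dport

def trace(src, dst, dport=80, exempt_squid=True):
    """Follow one LAN client's packet through both boxes.
    ('squid', 3128)  -> intercepted by squid
    ('direct', port) -> left on the normal path (LAN destination or non-HTTP port)
    ('loop', None)   -> squid's own outbound fetch is marked and bounced back to squid"""
    if gateway_route(GW_LAN_IF, src, dst, "tcp", dport, exempt_squid) == "direct":
        return ("direct", dport)
    port = squid_box_dport(SQUID_LAN_IF, "tcp", dport)
    # Squid now opens its own connection to dst from SQUID_IP; that packet also
    # enters the gateway on eth1 and is evaluated by the same mangle chain.
    if gateway_route(GW_LAN_IF, str(SQUID_IP), dst, "tcp", dport, exempt_squid) == "via_squid":
        return ("loop", None)
    return ("squid", port)

if __name__ == "__main__":
    print(trace("192.168.1.50", "203.0.113.10"))                      # ('squid', 3128)
    print(trace("192.168.1.50", "192.168.1.1"))                        # ('direct', 80)
    print(trace("192.168.1.50", "203.0.113.10", exempt_squid=False))   # ('loop', None)
```

Dropping the exemption rule turns every proxied request into a routing loop, which is the check worth running before a ruleset like this goes live.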