Hi Amos,

You have mentioned that "ip route add default via squid-box dev eth1 table 2"
(line #4) routes all '3'-marked traffic over to squid-box for handling.

As I mentioned, I have 2 interfaces: eth0, which is the internal connection where 
squid is connected, and eth1, the internet connection through which all traffic goes out.
To give you a clear picture of the firewall: eth0 is connected to the internal network; 
HTTP requests will go to squid (squid also has 2 interfaces, eth0 for the internal 
connection and eth1 for the internet connection). All IPs within the internal network 
are private, so clients connect to squid by private IP, and squid has to 
connect to the internet directly without going through the firewall. Connections 
will only pass through the firewall if they are peer-to-peer, voice and video 
connections, or any other connection which does not require the proxy. With line 
number 4 I am worried that the firewall will forward all traffic to squid.

        --------
   eth0 |squid |eth1
  |-----|      |---------|
  |     --------         | 
  |                      |----router ---- internet
  |                      |
  | eth0 ---------- eth1 |
  |------|firewall |-----
         |         |
         -----------

Please refer to the above diagram. The internal network is connected via eth0, and 
both squid and the firewall have their own eth1 connected to the internet. As I mentioned, 
clients only need to be translated to a public IP if there is a need to be 
translated, so the firewall will do that and at the same time act as a 
router. On the other hand, if they need HTTP, the firewall just acts as a router 
(since it is the default gateway for everybody) and forwards the request to squid, 
and squid will fetch the site directly without passing through the firewall. 
Only after squid has got the page will it reply to the request 
via the firewall (on eth).

So my worry is that implementing the 4th rule might forward all the traffic to 
squid. 

Please enlighten me on this.

regards,

Wennie
   


----- Original Message -----
From: "Amos Jeffries" <[EMAIL PROTECTED]>
To: "Wennie V. Lagmay" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], squid-users@squid-cache.org
Sent: Friday, April 25, 2008 9:04:59 AM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid transparent proxy

Wennie V. Lagmay wrote:
> Hi all,
> 
> I am reading the procedure for transparent proxy but I am hesitant to 
> implement it because I am not sure what the impact on my system will be. OK, I 
> am looking at 2 options:
> 

Which procedure where?

> option 1:
>    iptables -t nat -A PREROUTING -i eth0 ! -s squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>    iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>    iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
> 
> option 2:
>     
>     * iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
>     * iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
>     * ip rule add fwmark 3 table 2
>     * ip route add default via squid-box dev eth1 table 2
>     
>   For squid box
>     * iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> 
> As I mentioned, I have separate boxes for firewall and squid. My firewall is 
> Fedora Core 4 and my squid-2.6-STABLE19 is running on Fedora Core 8. My 
> firewall has 2 interfaces: eth0=xxx.xxx.184.33/27, which connects to my local 
> network, and eth1=xxx.xxx.184.18/28, which connects to the internet. The 
> firewall also acts as the NAT server, which is actually the gateway for all 
> traffic except 80/8080. The firewall and squid communicate via the internal 
> connection, which is eth0 for the firewall.
> 
> 
> In option 2 I am worried that if I implement the rules all traffic will be 
> forwarded to squid. Also I am not sure what lines #2 and #3 do. Another thing: 
> how can I make sure that the following requirements are already met on my 
> system:
> 

What it does is:

option 1:

  line #1) does the interception. NAT traffic from local network 
(exclude squid-box) to port 80 over to the squid-box

  line #3) just allows packets to flow through the iptables-box from 
local-network to squid-box.

  line #2) some NAT magic to make squid's responses to the above 
NAT'd requests go back through the iptables-box so that it can 
un-NAT them back to the original local-network client.

NP: I think it's missing a MASQUERADE to do all the magic un-NAT'ing when 
it needs to. That may already be in your POSTROUTING rules. It should be 
after these new ones.


option 2:
   line #1) allows traffic out of the squid box to go anywhere.

   line #2) sets a flag/mark '3' on the rest of the port-80 traffic as 
it comes into iptables-box

   line #3) updates the routing table rules so they can identify the new 
'3' marked packets

   line #4) route all '3' marked traffic over to squid-box for handling.


>     * P: advanced router
>     * IP: policy routing
>     * IP: use netfilter MARK value as routing key
>     * IP: Netfilter Configuration -> Packet mangling
>     * IP: Netfilter Configuration -> MARK target support
>     and iproute2 tools.
> 
> 
> Can you please help me, which options is best for me and how can I do it 
> smoothly. If you need more information about my setup or if you want see any 
> of my configuration please let me know 

Those requirements are met by having recent releases of the 'iptables' 
and 'iproute2' binaries on your system. See their documentation on how 
to lookup specific targets.


Option-2 is considered the better one by most people, since it's essentially 
simpler and easier to debug if anything goes wrong. NAT is limited to 
IPv4 traffic and will hopefully be dead in 1-4 years anyway.

The 'smoothest' approach would be to perform the integration in reverse, 
starting with the squid config. Moving on to the squid-box iptables 
config. Then the iptables-box.

If you have a lot of machines behind that /27 you can start by marking 
only a small segment of the network machines for interception. Fix any 
problems encountered. Then expand the interception area. Repeat 
until it's all done.

Amos

> Thank you very,
> 
> Wennie
> 
> ----- Original Message -----
> From: "Wennie V. Lagmay" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Sent: Thursday, April 3, 2008 2:36:42 PM (GMT+0300) Asia/Kuwait
> Subject: Fwd: [squid-users] squid transparent proxy
> 
> 
> ----- Forwarded Message -----
> From: "Indunil Jayasooriya" <[EMAIL PROTECTED]>
> To: "Wennie V. Lagmay" <[EMAIL PROTECTED]>
> Cc: "squid-users" <squid-users@squid-cache.org>
> Sent: Thursday, April 3, 2008 12:58:27 PM (GMT+0300) Asia/Kuwait
> Subject: Re: [squid-users] squid transparent proxy
> 
>>  You are right, I am using port 8080. As I mentioned, I have 2 machines; the 1st 
>> machine is my Firewall/NAT server, whose iptables configuration already 
>> states that it should redirect port 80 to 8080
> 
> Oh, Squid is not running on this box. Then REDIRECT will not work.
> What your firewall can do is MARK port 80 traffic and route it via the
> squid box. That is known as Transparent Proxy to a Remote Box.
> 
> You need both the iptables and iproute2 packages.
> 
> Okay, below are the rules you need to add.
> 
> 
> On your firewall, please add the rules below:
> 
>     iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s ipaddressofsquid-box
>     iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
>     ip rule add fwmark 3 table 2
>     ip route add default via ipaddressofsquid-box dev eth1 table 2
> 
> dev eth1 is connected to the squid box. Please change it accordingly.
> 
> On your squid box, please add the rule below:
> 
>     iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
> 
> this is where REDIRECT takes place.
> 
> In addition to that, you will have to make sure port 8080 is open on
> this squid box, since squid is running on port 8080.
> 
> I think everything is open on the squid box.
> 
> 
> Now, the clients' gateway is the IP of the firewall/NAT box. Also check
> DNS on the clients.
> 
> Here are some other useful URLs:
> 
> http://www.mail-archive.com/squid-users@squid-cache.org/msg53662.html
> 
> http://tldp.org/HOWTO/TransparentProxy-6.html
> 
> Good luck
> 
> 


-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
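The example below is an added one, not code from any of the posts in this thread. It models the option-2 rule set the way a practitioner would trace it before deploying it: the two mangle PREROUTING rules, the fwmark rule and the table-2 default route on the firewall, plus the REDIRECT on the squid box, and runs a few constructed packets through them to see which ones table 2 actually catches. The addresses, the interface names and the /27 are assumptions standing in for the xxx.xxx.184.x ranges in the thread; the squid-facing interface is written as eth0 because in the diagram above squid sits on the firewall's internal side, where Indunil's rule has eth1.

```python
# Added example (not code from the thread): a small model of the firewall's
# option-2 rule set and the squid-box REDIRECT, to show which packets the
# "ip route ... table 2" line actually affects. Addresses and interface
# names below are assumptions standing in for the poster's real ones.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

LOCAL_NET = ip_network("192.168.184.32/27")  # assumed LAN behind firewall eth0
SQUID_BOX = "192.168.184.40"                 # assumed squid-box address on that LAN
SQUID_IFACE = "eth0"                         # firewall interface facing squid-box
UPSTREAM_GW = "198.51.100.1"                 # assumed router on firewall eth1
SQUID_PORT = 3128


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


def mangle_prerouting(pkt: Packet) -> int:
    """iptables -t mangle PREROUTING on the firewall, rules in the posted order.

    1) -j ACCEPT -p tcp --dport 80 -s squid-box   -> squid's own outbound :80
       leaves the chain unmarked, so it cannot be looped back to squid
    2) -j MARK --set-mark 3 -p tcp --dport 80     -> marks every other :80 packet
    Anything matching neither rule keeps fwmark 0.
    """
    is_http = pkt.proto == "tcp" and pkt.dport == 80
    if is_http and pkt.src == SQUID_BOX:
        return 0
    if is_http:
        return 3
    return 0


def select_table(fwmark: int) -> str:
    """ip rule add fwmark 3 table 2; every other packet falls through to main."""
    return "2" if fwmark == 3 else "main"


def firewall_route(pkt: Packet) -> Tuple[str, str, str]:
    """Return (routing table, next hop, outgoing interface) for one packet."""
    table = select_table(mangle_prerouting(pkt))
    if table == "2":
        # ip route add default via squid-box dev <SQUID_IFACE> table 2
        return table, SQUID_BOX, SQUID_IFACE
    # main table: connected route for the LAN, default via the upstream router
    if ip_address(pkt.dst) in LOCAL_NET:
        return table, "connected", "eth0"
    return table, UPSTREAM_GW, "eth1"


def squid_box_nat(pkt: Packet) -> int:
    """iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    on the squid box: the destination port after the nat table has run."""
    if pkt.in_iface == "eth0" and pkt.proto == "tcp" and pkt.dport == 80:
        return SQUID_PORT
    return pkt.dport


if __name__ == "__main__":
    # Constructed sample flows, one per case the thread argues about.
    samples = {
        "client -> web :80": Packet("192.168.184.50", "203.0.113.10", "tcp", 80, "eth0"),
        "client -> web :443": Packet("192.168.184.50", "203.0.113.10", "tcp", 443, "eth0"),
        "client SIP/udp": Packet("192.168.184.50", "203.0.113.10", "udp", 5060, "eth0"),
        "squid -> web :80": Packet(SQUID_BOX, "203.0.113.10", "tcp", 80, "eth0"),
        "client -> LAN :80": Packet("192.168.184.50", "192.168.184.60", "tcp", 80, "eth0"),
    }
    for name, pkt in samples.items():
        table, nh, dev = firewall_route(pkt)
        print(f"{name:20s} mark={mangle_prerouting(pkt)} table={table} via {nh} dev {dev}"
              f"  squid-box sees dport {squid_box_nat(pkt)}")
```

Running it shows that only TCP port-80 packets not sourced from squid-box are marked and sent to table 2; port 443, UDP and squid's own traffic fall through to the main table untouched. It also shows that LAN-to-LAN port-80 traffic is intercepted too, because neither posted rule excludes local destinations; adding `! -d local-network` to the MARK rule is one way to exclude it if that matters.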
