Gert Brits wrote:
Hi all
Need some help on the following.
The company has two internet lines, so there are two gateways on the
network.
They have one Linux Fedora 3 firewall, with 3 network cards.
ETH0 = internal
ETH1 = external ( gateway 1 )
ETH2 = DSL ( gateway 2 )
I need to split the browsing traffic for some people in the company.
I have been given 12 IP addresses; they must use the DSL link ( ETH2 ) and the
rest must use the EXTERNAL link ( ETH1 ).
Please help
Hi
This is not a squid issue, but a routing issue.
Suggest you go to LARTC and read the Advanced Routing HOWTO.
In the meantime, here is my routing script.
==============================================================
## Rebuild the alternate routing table "DSL" from scratch (the name has to
## exist in /etc/iproute2/rt_tables, e.g. a line "200 DSL")
ip route flush table DSL >/dev/null 2>&1
## Copy every non-default route of the main table into table DSL, so hosts
## routed through it can still reach the local networks ($ROUTE is left
## unquoted on purpose: it has to split back into separate arguments)
ip route show table main | grep -Ev '^default' | while read -r ROUTE ; do
    ip route add table DSL $ROUTE
done
## Add the ADSL router as the default route of table DSL
ip route add default via 192.168.10.200 dev eth2 table DSL >/dev/null
## Send packets carrying firewall mark 1 to table DSL (remove the old rule
## first, otherwise every run of the script adds a duplicate)
ip rule del fwmark 1 table DSL >/dev/null 2>&1
ip rule add fwmark 1 table DSL >/dev/null
=============================================================
Here part of my rule set:
#!/bin/sh -
IPT=/sbin/iptables
# EXTERNALIPFORETH0 and EXTERNALIPFORETH2 (the public addresses used for
# SNAT below) are set elsewhere in the full script and are not shown here
# Rules for gateway
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
# Forwarding stays off while the rules are rebuilt; it has to be set back
# to 1 once the rules are in place, or the box forwards nothing
echo 0 > /proc/sys/net/ipv4/ip_forward
#Clear \ Flush all the rules from the different chains and tables
$IPT --flush
$IPT --flush INPUT #Flush the INPUT chain
$IPT --flush OUTPUT #Flush the OUTPUT chain
$IPT --flush FORWARD #Flush the FORWARD chain
$IPT -t nat --flush #Flush the nat table
$IPT -t mangle --flush #Flush the mangle table
$IPT --delete-chain #Delete any pre-existing chains
$IPT -t nat --delete-chain #Delete any pre-existing chains from nat table
$IPT -t mangle --delete-chain #Delete any pre-existing chains from the mangle table
#Setting the default Policies for the chains
$IPT --policy INPUT DROP #Setting the default policy for INPUT chain
$IPT --policy FORWARD DROP #Setting the default policy for FORWARD chain
$IPT --policy OUTPUT DROP #Setting the default policy for the OUTPUT chain
#Setting Nat and mangle to default policy ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT
# (the mangle rule that sets fwmark 1 on the selected hosts, which the
# "ip rule add fwmark 1 table DSL" line above depends on, is not part of
# this excerpt)
#Accepting traffic from and to the loopback interface
$IPT -A INPUT -i lo -j ACCEPT #Allowing unlimited loopback traffic
$IPT -A OUTPUT -o lo -j ACCEPT #Allowing unlimited loopback traffic
# SNAT the Private LAN: each uplink gets its own source address so replies
# come back over the link the request left on
$IPT -t nat -A POSTROUTING -o eth0 -s 192.168.111.0/24 -j SNAT --to $EXTERNALIPFORETH0
$IPT -t nat -A POSTROUTING -o eth2 -s 192.168.111.0/24 -j SNAT --to $EXTERNALIPFORETH2
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TO ALLOW ALL HTTP TRAFFIC OUT ETH2
# (interface numbering here differs from Gert's box: eth1 is the LAN side
# in this rule set)
$IPT -t filter -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW -j ACCEPT
You need to switch off rp_filter.
HTH
Kind Regards
Brent Clark
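Putting Brent's pieces together for Gert's interface layout (eth0 LAN, eth1 first gateway, eth2 DSL), here is an added example script that is not code from either poster. It marks web traffic (tcp/80 and tcp/443) from the selected hosts in the mangle table, sends marked packets to routing table DSL via an ip rule, SNATs each uplink with its own address, and switches rp_filter off while turning ip_forward on. Assumptions: the DSL router address 192.168.10.200 is taken from Brent's script; the LAN range 192.168.111.0/24, the 12 hosts 192.168.111.50-61 and the two public addresses are constructed placeholders; "DSL" must exist as a table name in /etc/iproute2/rt_tables. With DRY_RUN=1 (the default) the script only prints the commands for review; DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Policy routing for two uplinks: 12 LAN hosts browse via the DSL link (eth2),
# everyone else via the main default route (eth1). Added example, not from the
# thread. Addresses below are constructed placeholders except the DSL router.
DRY_RUN=${DRY_RUN:-1}

IPT=/sbin/iptables
IP=/sbin/ip
LAN_NET=192.168.111.0/24    # internal network behind eth0 (constructed)
DSL_GW=192.168.10.200       # DSL router on eth2 (from Brent's script)
ETH1_IP=203.0.113.10        # public address on eth1 (placeholder, TEST-NET-3)
ETH2_IP=198.51.100.10       # public address on eth2 (placeholder, TEST-NET-2)
DSL_MARK=1                  # fwmark that selects table DSL
DSL_TABLE=DSL               # needs a "200 DSL" line in /etc/iproute2/rt_tables

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dsl_hosts: the 12 LAN addresses that must use the DSL link (constructed list)
dsl_hosts() {
    i=50
    while [ "$i" -le 61 ]; do
        echo "192.168.111.$i"
        i=$((i + 1))
    done
}

# Forwarding on; reverse-path filtering off on every interface, because with
# two uplinks replies can legitimately arrive on the "wrong" one
setup_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    for dev in all eth0 eth1 eth2; do
        run sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    done
}

# Table DSL: the LAN route plus a default via the DSL router; packets carrying
# DSL_MARK are looked up there instead of in table main
setup_routes() {
    run $IP route flush table $DSL_TABLE
    run $IP route add $LAN_NET dev eth0 table $DSL_TABLE
    run $IP route add default via $DSL_GW dev eth2 table $DSL_TABLE
    run $IP rule del fwmark $DSL_MARK table $DSL_TABLE 2>/dev/null  # drop stale rule on re-run
    run $IP rule add fwmark $DSL_MARK table $DSL_TABLE
    run $IP route flush cache
}

# Mark web traffic from the 12 hosts (only when it leaves the LAN), SNAT per
# uplink, and require the mark on anything going out eth2 so that a routing
# mistake cannot silently push unmarked hosts onto the DSL link
setup_firewall() {
    for h in $(dsl_hosts); do
        run $IPT -t mangle -A PREROUTING -i eth0 -s "$h" ! -d $LAN_NET \
            -p tcp -m multiport --dports 80,443 -j MARK --set-mark $DSL_MARK
    done
    run $IPT -t nat -A POSTROUTING -o eth1 -s $LAN_NET -j SNAT --to-source $ETH1_IP
    run $IPT -t nat -A POSTROUTING -o eth2 -s $LAN_NET -j SNAT --to-source $ETH2_IP
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -i eth0 -o eth1 -s $LAN_NET -m state --state NEW -j ACCEPT
    run $IPT -A FORWARD -i eth0 -o eth2 -s $LAN_NET -m mark --mark $DSL_MARK \
        -m state --state NEW -j ACCEPT
}

main() {
    setup_sysctl
    setup_routes
    setup_firewall
}
main
```

The mark is applied only to traffic leaving the LAN (`! -d $LAN_NET`) so that the selected hosts keep talking to local machines through table main, and the FORWARD rule for eth2 checks the mark as a second, independent gate: the routing decision picks the link, the filter confirms the packet was meant to take it.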