Search squid archive

Re: Squid and level 4 switch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ming-Ching Tiew disse na ultima mensagem:
> From: "Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx>
>
>>> Can I simulate a level 4 switch behaviour using Linux ? If yes,
>>> any insight to the necessary ebtables/iptables rules ?
>>
>>Linux policy routing is an example of "layer 4".
>
> I am wondering if this setup shall be a reason representation of a
> so-called
> level 4 bridge. This configuration works under both 'tproxy transparent'
> as well as 'transparent' mode for squid 2.6 stable 13.

seeing clearly the high risk of beeing shooten to death ... but

aren't you mixing things here? *layer* 4 and *level* 4 are different
things and policy routing eventually is still another


for policy routing you do not need a level 4 bridge neither a level 4
switch because any OS with any kind of forwarding capable firewall package
can do that and in order to do routing (any) you do not need a bridge
setup at all


Michel



>
> Assuming :-
>
> NETMASK=255.255.192.0
> SQUID_IP=192.168.128.50
> L4_SWITCH_IP=192.168.128.51
> INTERNET_GW=192.168.128.1
>
> 1. On the L4 switch create bridge br0 consisting of 3 ethernet interfaces.
>
>     eth1 is connected to internet
>     eth0 is connected to inside network
>     eth2 is connected to squid
>
>             # ifconfig eth0 0.0.0.0 promisc up
>             # ifconfig eth1 0.0.0.0 promisc up
>             # ifconfig eth2 0.0.0.0 promisc up
>             # brctl addbr br0
>             # brctl addif br0 eth0
>             # brctl addif br0 eth1
>             # brctl addif br0 eth2
>             # ifconfig br0 $L4_SWITCH_IP netmask $NETMASK up
>
> 2. Set up the bridge to mark the packets so that policy routing works :-
>
>    from inside network go to internet destination port 80, mark 1.
>    from internet come back with source port 80, mark 1 as well.
>
>    # ebtables -t broute -A BROUTING -i eth0 -p IPv4 --ip-protocol 6 \
>       --ip-destination-port 80 -j redirect --redirect-target DROP
>    # iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
>            -j MARK --set-mark 1
>
>    #ebtables -t broute -A BROUTING -i eth1 -p IPv4 --ip-protocol 6 \
>         --ip-source-port 80 -j redirect --redirect-target DROP
>    # iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 \
>        -j MARK --set-mark 1
>
> 3. Set up additional routing table and ip rule :-
>
>     # echo '100 one' > /etc/iproute2/rt_tables
>     # ip rule add fwmark 1 lookup one
>     # ip route add default via $SQUID_IP table one
>
> ( routing table 'one' need only to have one line, ie the default route,
> local interface routes will interfere with tproxy  )
>
>     # ip route add default via $INTERNET_GW table main
>
> Regards.
>




...




****************************************************
Datacenter Matik http://datacenter.matik.com.br
E-Mail e Data Hosting Service para Profissionais.
****************************************************


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux