Re: TPROXY but without bridging?

hello

On Sun, March 30 2008, 01:12, Henrik Nordstrom wrote:
> On Fri, 2008-03-28 at 22:04 +0100, admin@xxxxxx wrote:
>> Hello,
>>
>> I'm using Squid Cache: Version 2.6.STABLE18
>>
>> Is there a possibility to use it as a fully transparent proxy (with tproxy)
>> but without bridging interfaces?
>
> Yes, but you must make sure the proxy sees all HTTP traffic in both
> directions. (both outgoing request, and incoming responses).
>
>> to routers a,b... are connected clients. On those routers I have DNAT
>> --to-destination squid:80
>
> Don't DNAT on the other routers, instead policy route the connections
> using CONNMARK and ip policy rules..
>
> i.e. something like the following on the client routers:
>
> iptables -t mangle -A PREROUTING -i clientinterface -m state --state NEW \
>   -p tcp --dport 80 -j CONNMARK --set-mark 1
> iptables -t mangle -A PREROUTING -i clientinterface -j CONNMARK \
>   --restore-mark
> ip route add table 100 default via ip.of.squid.server
> ip rule add fwmark 1 lookup 100
>
> And on the upstream router (router 0) similar rules routing incoming
> packets with source port 80 to the proxy server instead of the client...
>
> iptables -t mangle -A PREROUTING -i insideinterface -m state --state NEW \
>   -p tcp --dport 80 -j CONNMARK --set-mark 1
> iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK \
>   --restore-mark
> ip route add table 100 default via ip.of.squid.server
> ip rule add fwmark 1 lookup 100
>

Are you sure that the router should mark packets on the inside interface and
restore them on the outside interface?

That configuration doesn't work for me. When I connect to a webserver from a switch
(like Router a,b,c..), in the squid logs I see that the packets flow through squid.
But traffic from outside my net doesn't flow through squid. I suppose that
on Router0 I have an error.

I tested both:
iptables -t mangle -A PREROUTING -i insideinterface -m state --state NEW \
 -p tcp --dport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK \
--restore-mark

and
iptables -t mangle -A PREROUTING -i outsideinterface -m state --state NEW \
 -p tcp --sport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK \
 --restore-mark


Regards,
-- 
Tomasz
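To see why Henrik's router-0 rules mark on the inside interface and restore on the outside one, here is a small conntrack model added for this archive page; it is not code from the thread or from Squid. It assumes the interface names "clientif", "inside" and "outside", the placeholder "ip.of.squid.server", and constructed addresses. The point it shows: `CONNMARK --set-mark` writes only the connection mark, so the outgoing request on router 0 is not diverted, while the reply arriving on the outside interface gets the mark restored and is policy-routed to squid.

```python
from collections import namedtuple

# A packet as seen on arrival; iface is the interface it comes in on (toy model, not real netfilter)
Pkt = namedtuple("Pkt", "iface src sport dst dport")
# One mangle/PREROUTING rule: -i iface [-m state --state NEW] [--dport N] -j CONNMARK <action>
Rule = namedtuple("Rule", "iface action new_only dport", defaults=(False, None))

class Router:
    """Toy conntrack + CONNMARK + policy-routing model of one router."""
    def __init__(self, rules, squid):
        self.rules, self.squid = rules, squid
        self.ct = {}  # conntrack table: original-direction 4-tuple -> connection mark

    def _lookup(self, p):
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        for key in (orig, reply):  # a reply packet is found via its reversed tuple
            if key in self.ct:
                return key, "ESTABLISHED"
        self.ct[orig] = 0  # first packet of a flow: new entry, mark 0, state NEW
        return orig, "NEW"

    def prerouting(self, p):
        """Returns where the routing decision sends the packet: squid or the main table."""
        key, state = self._lookup(p)
        mark = 0  # packet mark; CONNMARK --set-mark writes only the connection mark
        for r in self.rules:
            if r.iface != p.iface or (r.new_only and state != "NEW") \
                    or (r.dport is not None and r.dport != p.dport):
                continue
            if r.action == "set-mark":
                self.ct[key] = 1
            else:  # restore-mark: connection mark -> packet mark
                mark = self.ct[key]
        # ip rule add fwmark 1 lookup 100; ip route add table 100 default via <squid>
        return self.squid if mark == 1 else "main-table"

SQUID = "ip.of.squid.server"
# Client router: both rules on the client-facing interface, so the request itself is diverted
client_router = Router([Rule("clientif", "set-mark", True, 80), Rule("clientif", "restore-mark")], SQUID)
# Router 0: mark NEW port-80 flows on the inside interface, restore on the outside interface
router0 = Router([Rule("inside", "set-mark", True, 80), Rule("outside", "restore-mark")], SQUID)

def demo():
    c, w = "10.0.0.5", "203.0.113.10"  # constructed client and web server addresses
    req_client = client_router.prerouting(Pkt("clientif", c, 40000, w, 80))  # -> squid
    req0 = router0.prerouting(Pkt("inside", c, 40000, w, 80))               # -> main-table
    rep0 = router0.prerouting(Pkt("outside", w, 80, c, 40000))              # -> squid
    unrelated = router0.prerouting(Pkt("outside", "198.51.100.9", 80, c, 40001))  # -> main-table
    return req_client, req0, rep0, unrelated
```

A flow that was never seen as NEW on the inside interface keeps connection mark 0, so restoring on the outside interface leaves it on the main table; only replies to flows marked on the way out are sent to squid.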

