
Re: Building a Squid Cache Brouter

Dumpolid Exeplish wrote:
Hello All,

I am trying to build a transparent squid server on a Linux 2.6 kernel
using the bridging code (br-nf).

INTERNET_GW  <====== BRIDGE/SQUID  <======= Client Nat Router

In this setup, the Client NAT router has the entire LAN behind it and
the Client NAT router will have its default gateway as the
INTERNET_GW's IP address.
The BRIDGE/SQUID box will have two Ethernet cards, one connecting to
the "Client NAT Router" and the other connected to the INTERNET_GW.
The BRIDGE/SQUID box will have one IP address on which Squid will be
listening for connections.

My aim is to transparently redirect http traffic passing from the
"Client NAT Router" to the squid process configured on the router
without altering the gateway of the Client NAT Router.

Here are some of the ebtables/iptables rules that I have tried out, but at
this point I am not sure how to proceed:

# Pull port 80/21 frames from the client-facing bridge port out of the bridge path
ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol tcp --ip-dport 21 -j redirect --redirect-target ACCEPT
# Flush all tables, then load connection tracking and the FTP helpers
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Default policies and local/established traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $BR_IN -j ACCEPT
# Redirect HTTP/FTP arriving on the bridge device or its client-side port to Squid
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-ports $CACHE_PORT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 21 -j REDIRECT --to-ports $CACHE_PORT
iptables -t nat -A PREROUTING -i $BR_IN -p tcp --dport 80 -j REDIRECT --to-ports $CACHE_PORT
iptables -t nat -A PREROUTING -i $BR_IN -p tcp --dport 21 -j REDIRECT --to-ports $CACHE_PORT

Could anyone out there help me to explain how to progress? Is this
even possible at all?

One note before you start. Port 21 - Squid is an FTP client only, it cannot accept FTP traffic.
For the port 80 traffic it's usable on all 2.6+ Squid.


Pick your combo of interception and transport methods:
 http://wiki.squid-cache.org/ConfigExamples/Intercept
though it looks like you already need the iptables REDIRECT config.

In my own experience with this exact box layout, you should not have to use a bridge. A relay router is sufficient. Depends on your specs though.

If you do get this going as a bridge, would you mind submitting back the ebtables part and any variation in iptables config for the wiki please? It sounds like that would be a useful one to add.

The core ideas are that:
- the NAT _should_ happen on the squid box or lose client tracking ability.
- NAT _must_ exclude the squid outbound traffic or cause fatal traffic loops.
- routers should forward/tunnel traffic unaltered to the squid box for NAT.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2
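As an added example (not code from either poster, the Squid wiki or the Squid project), the script below generates the ebtables/iptables rule set for intercepting port 80 on a bridging Squid box in the order the reply above calls for: the ACCEPT that excludes Squid's own outbound traffic is listed before the REDIRECT, and port 21 is left alone because Squid cannot accept FTP. The IP address, interface names and cache port are placeholder assumptions; it also assumes that frames pulled out of the bridge by the broute `redirect` target reach iptables on the bridge device (br0), so the iptables rules match on br0 and use the `physdev` match to tell the client-side port apart. Where NAT for the LAN should live is a topology decision and is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the interception rules for a
# bridging Squid box (dry run); pipe the output to sh as root to apply it.
# All values below are assumed placeholders.

SQUID_IP=${SQUID_IP:-192.0.2.10}   # assumed: the bridge's IP that Squid listens on
CACHE_PORT=${CACHE_PORT:-3128}     # assumed: Squid http_port, dedicated to interception
BR_DEV=${BR_DEV:-br0}              # assumed: bridge device name
BR_IN=${BR_IN:-eth0}               # assumed: bridge port facing the client NAT router

# Emit the rules one command per line, in the order they must be applied.
intercept_rules() {
    # Let iptables see frames the bridge forwards (br-nf).
    echo "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
    # Take client port-80 frames out of the bridge path so they are delivered
    # to the local stack, where nat/PREROUTING can redirect them.
    echo "ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol tcp --ip-dport 80 -j redirect --redirect-target ACCEPT"
    # Refuse connections aimed directly at the intercept port from the client
    # side. mangle/PREROUTING runs before nat/PREROUTING, so intercepted
    # packets are still dport 80 at this point and are not affected.
    echo "iptables -t mangle -A PREROUTING -i $BR_DEV -m physdev --physdev-in $BR_IN -p tcp --dport $CACHE_PORT -j DROP"
    # Loop guard: Squid's own outbound port-80 traffic must never be sent back
    # into Squid. This ACCEPT has to come before the REDIRECT.
    echo "iptables -t nat -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT"
    # Intercept client HTTP arriving from the client-side port and hand it to Squid.
    echo "iptables -t nat -A PREROUTING -i $BR_DEV -m physdev --physdev-in $BR_IN -p tcp --dport 80 -j REDIRECT --to-ports $CACHE_PORT"
}

# Check to run before applying: the loop-guard ACCEPT must be listed before
# the REDIRECT, and the REDIRECT must point at the cache port. Returns 0 when
# both hold, 1 otherwise.
rules_are_ordered() {
    rules=$(intercept_rules)
    accept_at=$(printf '%s\n' "$rules" | grep -n -- "-s $SQUID_IP .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    redirect_at=$(printf '%s\n' "$rules" | grep -n -- "-j REDIRECT --to-ports $CACHE_PORT" | head -n 1 | cut -d: -f1)
    [ -n "$accept_at" ] && [ -n "$redirect_at" ] && [ "$accept_at" -lt "$redirect_at" ]
}

# Number of REDIRECT rules emitted (exactly one: port 80 only, no FTP).
redirect_count() {
    intercept_rules | grep -c -- '-j REDIRECT'
}

# Dry run: print the rule set for review.
intercept_rules
```

Running the script with no arguments only prints the commands; review them, then run `sh intercept.sh | sh` as root to apply. `rules_are_ordered` is the check worth keeping in any wrapper that edits the rule list, since swapping the ACCEPT and REDIRECT lines is the mistake that produces the traffic loop the reply warns about.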
