Re: Tproxy 4.1 question....

Stephan Viljoen wrote:
Hi There,

I was just wondering whether a Tproxy setup is still possible when running
Squid and iptables on two different servers? Http traffic will pass through
the iptables firewall, get marked and then routed to the proxy server which
if I understand things correctly should forward the request as the customers
IP address.


No. Such a setup as you describe in fact has _two_ iptables and Squid involved.

The nature of TPROXY is that it switches IP-layer details around as they enter Squid and allows Squid to send packets using the client IP. Due to that first bit, it _cannot_ work on a machine other than the Squid box.

You want the firewall iptables to be doing regular policy-routing of packets from client through the Squid box. The Squid box iptables is the only place TPROXY occurs.

I would seriously advise using multiple NIC/Ports (2 or 3) on the firewall/router for LAN, Internet, Squid.

Unmarked packets in the Internet NIC are always routed to Squid. Unmarked packets in the LAN NIC routed to Squid. With 2 NIC, Squid can TOS mark all packets outgoing, and the firewall let them through without routing if it needs to. With 3 NIC the TOS marking is not needed and the source NIC can be used to mark and route.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
  Current Beta Squid 3.1.0.12
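The split Amos describes (plain policy routing on the firewall, TPROXY only on the Squid box) as an added shell example; this is not code from the thread or from the Squid project. It assumes the three-NIC firewall layout recommended above, a Squid box at the placeholder address 192.0.2.10 listening with `http_port 3129 tproxy`, and placeholder interface names eth0 (LAN), eth1 (Internet) and eth2 (towards Squid); the Squid-box rules are the usual DIVERT/TPROXY mangle rules, and DRY_RUN=1 prints the commands instead of applying them so the rule set can be reviewed before it is loaded as root.

```shell
#!/bin/sh
# Two-box TPROXY layout (assumed, not from the thread): the firewall policy-routes
# port-80 traffic to the Squid box; only the Squid box carries TPROXY rules.
# Addresses and interface names are placeholders for illustration.
set -eu

SQUID_IP=${SQUID_IP:-192.0.2.10}      # Squid box address on the firewall's Squid NIC (assumed)
SQUID_PORT=${SQUID_PORT:-3129}        # port of "http_port 3129 tproxy" in squid.conf (assumed)
FW_LAN_IF=${FW_LAN_IF:-eth0}          # firewall NIC facing the clients (assumed name)
FW_INET_IF=${FW_INET_IF:-eth1}        # firewall NIC facing the Internet (assumed name)
FW_SQUID_IF=${FW_SQUID_IF:-eth2}      # firewall NIC facing the Squid box (assumed name)

# Print the command instead of executing it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Firewall/router: ordinary policy routing, no TPROXY here.
firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Source addresses seen on the Squid NIC are client and web-server IPs,
    # not the Squid box's own, so reverse-path filtering must not drop them.
    run sysctl -w "net.ipv4.conf.$FW_SQUID_IF.rp_filter=0"
    # Client requests arriving on the LAN NIC are sent to Squid.
    run iptables -t mangle -A PREROUTING -i "$FW_LAN_IF" -p tcp --dport 80 -j MARK --set-mark 2
    # Server replies arriving on the Internet NIC are addressed to the client IP
    # that Squid used as source, so they must also be sent to Squid.
    run iptables -t mangle -A PREROUTING -i "$FW_INET_IF" -p tcp --sport 80 -j MARK --set-mark 2
    # Packets arriving on the Squid NIC stay unmarked and follow the main table;
    # this is why the third NIC removes the need for TOS marking by Squid.
    run ip rule add fwmark 2 lookup 101
    run ip route add default via "$SQUID_IP" dev "$FW_SQUID_IF" table 101
}

# Squid box: the only place the TPROXY rules live.
squid_box_rules() {
    # Packets that already belong to a local socket are marked and accepted
    # without being intercepted again.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New port-80 connections are handed to the tproxy listener while the
    # original client and server addresses are kept.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port "$SQUID_PORT"
    # Marked packets are delivered locally whatever their destination address.
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
}

# Usage:  DRY_RUN=1 sh tproxy-two-box.sh firewall   (preview the firewall rules)
#         sh tproxy-two-box.sh squid                (apply on the Squid box, as root)
case "${1:-}" in
    firewall) firewall_rules ;;
    squid)    squid_box_rules ;;
esac
```

The two functions are deliberately separate because they run on different hosts; loading the TPROXY rules on the firewall would try to divert into a listener that is not there, which is exactly the setup the reply rules out.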
