senthil wrote:
Amos Jeffries wrote:
senthil wrote:
Hi
I have installed TPROXY 4.
I have done all the prerequisites like compiling the kernel and installing
iptables 1.4 etc.
When I create a bridge I am not able to browse from a private IP.
My network :
Internet ---> (eth1)squid machine(eth0)------>test client
eth1 - public ip
eth0 and test client ip ----> private in 172 series
But I am able to browse from a public IP, and the access is seen in the Squid log.
So if I understand you correctly, ... when you attempt to use a
private non-Internet IP address on the public Internet it fails?
Things to know:
* bridging is based around preserving the IP address unchanged across
the machine.
* TPROXY is based around preserving the IP address across the machine.
172 series IP addresses require NAT to contact the Internet.
* NAT is based around destroying the IP address. But maintaining
information such that any response can be copied back to the right
client.
Since you have 172.* addresses coming in one side and being NAT'd I
advise dropping the bridge and tproxy usage. There is no point in
going to extreme lengths to preserve the IP address at such low level
only to destroy it as soon as it exits Squid.
The NAT interception setup for Squid should be sufficient.
Amos
thanks for the reply
But we also use public IPs; in order to preserve them we need TPROXY.
The router configuration does not support WCCP; how can I use TPROXY?
My network :
Internet ---> (eth1)squid machine(eth0)------>test client
eth1 - public ip
eth0 - test client ip ----> private in 172 series (we also use public IP)
When we enable TPROXY and the bridge, public IPs are able to browse but not the
private IPs.
thanks
senthil
Oh. I get you now. Okay this is what you need...
re: Bridging. This is not really needed. You can ignore all that bit if
you want. TPROXY will work in a regular router configuration just as
well as on a bridge (better on some kernels).
re: WCCP. This is not really needed either. It's just one way among many
of getting the packets to the Squid box ethN card. Whatever you have now
in place to get the packets through the box will probably be fine.
For the packet capturing from both types of network you need a
combination of NAT and TPROXY configuration.
Like this:
squid.conf:
# NAT receiving port
http_port 3127 intercept
# TPROXY receiving port
http_port 3129 tproxy
# and one for direct proxy access (management, direct clients, etc)...
http_port 3128
iptables:
# replace $SQUID with the Squid box IP address.
# The NAT bits for 172/8 private IP addressed clients.
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A PREROUTING -s $SQUID -p tcp --dport 80 -j ACCEPT
# repeat this line for each RFC 1918 private address range you want to
# proxy (replace 172.0.0.0/8 as needed)
iptables -t nat -A PREROUTING -p tcp -s 172.0.0.0/8 --dport 80 -j DNAT --to-destination $SQUID:3127
# the TPROXY bits for public-IP addressed clients
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# repeat this line for each of your public Internet IP ranges you want
# to proxy (replace 1.0.0.0/8 as needed)
iptables -t mangle -A PREROUTING -p tcp -s 1.0.0.0/8 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
... and all the routing bits as set already I think, to allow forwarding
of packets.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
Current Beta Squid 3.1.0.16
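As an added example (not part of Amos's reply or the Squid project), the script below builds the combined NAT + TPROXY rule set above from lists of private and public client ranges, so the "repeat this line for each range" step is done once and the generated rules can be reviewed in dry-run mode before anything is applied. The Squid box address 192.0.2.10 and the sample client ranges are constructed placeholders; ports and the fwmark follow the squid.conf in the reply.

```shell
#!/bin/sh
# Added example: emit (or apply) the NAT + TPROXY iptables rules for the
# squid.conf above.  DRY_RUN=1 (default) only prints the commands.
SQUID_IP="${SQUID_IP:-192.0.2.10}"   # assumption: Squid box IP (placeholder)
NAT_PORT=3127                        # http_port 3127 intercept
TPROXY_PORT=3129                     # http_port 3129 tproxy
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Private (RFC 1918) clients: destination rewritten to the intercept port.
nat_rules() {
    run iptables -t nat -A POSTROUTING -j MASQUERADE
    run iptables -t nat -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    for net in "$@"; do
        run iptables -t nat -A PREROUTING -p tcp -s "$net" --dport 80 \
            -j DNAT --to-destination "$SQUID_IP:$NAT_PORT"
    done
}

# Public clients: source address preserved, packets diverted via fwmark 1.
tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    for net in "$@"; do
        run iptables -t mangle -A PREROUTING -p tcp -s "$net" --dport 80 \
            -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"
    done
}

# Refuse anything that is not a dotted-quad CIDR before touching iptables.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Usage: gen_rules "<private ranges>" "<public ranges>" (space separated)
gen_rules() {
    for net in $1 $2; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    done
    nat_rules $1
    tproxy_rules $2
}

# Constructed sample: two RFC 1918 client ranges and one public /24.
gen_rules "172.16.0.0/12 10.0.0.0/8" "203.0.113.0/24"
```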