On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:
> Reading at squid site, looks like NATting outgoing connections to a
> squid running on another box is not a good idea.
> Questions:
> What is the suggested way to implement this scenario?
> How can I get rid of the loop?

I use this script to transparently proxy on a box that isn't the firewall, using a combination of iptables to set a mark and then iproute to change the default GW for packets with that mark set. The idea is that we first of all accept packets from the proxy so they don't get marked, and then we mark all packets going to port 80 and then redirect them to the proxy.

On the proxy host you will need to accept and redirect the packets to the squid port:

    iptables -t nat -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

Transproxy script:

    #!/bin/sh
    # Mark port-80 traffic on the router and policy-route it to the cache box.
    # Traffic coming from the cache box itself is accepted before the MARK
    # rule so it is never routed back to the cache (that is the loop).
    cacheserver=192.168.1.2
    cacheport=3128
    wwwports=80
    fwmark=3
    routing_table=2
    dev=br0

    stop() {
        /sbin/ip rule del fwmark $fwmark table $routing_table
        /sbin/ip route flush table $routing_table
        for port in $wwwports; do
            /sbin/iptables -t mangle -D PREROUTING -j ACCEPT -p tcp --dport $port -s $cacheserver
            /sbin/iptables -t mangle -D PREROUTING -j MARK --set-mark $fwmark -p tcp --dport $port
        done
    }

    start() {
        # Marked packets are looked up in $routing_table, whose only route
        # is a default via the cache server.
        /sbin/ip rule add fwmark $fwmark table $routing_table
        /sbin/ip route add default via $cacheserver dev $dev table $routing_table
        for port in $wwwports; do
            # Order matters: ACCEPT for the cache server's own requests first,
            # then MARK everything else headed for the web ports.
            /sbin/iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport $port -s $cacheserver
            /sbin/iptables -t mangle -A PREROUTING -j MARK --set-mark $fwmark -p tcp --dport $port
        done
    }

    case $1 in
        stop)
            stop
            ;;
        start)
            start
            ;;
        restart)
            stop
            start
            ;;
    esac

-- 
Tim Fletcher <tim@xxxxxxxxxxxxxxxxxx>
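Added example, not part of Tim's post: a small Python model of the mangle PREROUTING walk and the fwmark policy-routing rule from the script above, showing why the ACCEPT rule for the cache server's own traffic has to sit before the MARK rule to avoid the loop Sebastian asks about. The client address and the "upstream-gateway" label are constructed for the illustration.

```python
# Model of the router's mangle PREROUTING chain plus 'ip rule fwmark 3 table 2'.
# Constructed values: the client address and the "upstream-gateway" name.
CACHESERVER = "192.168.1.2"
FWMARK = 3
WWWPORTS = {80}

def mangle_prerouting(packet, rules):
    """Walk the rules in order (first match wins) and return the resulting
    fwmark; 0 means the packet left the chain unmarked."""
    for rule in rules:
        # A rule with a source restriction only matches that source.
        if rule.get("src") not in (None, packet["src"]):
            continue
        if packet["dport"] not in rule["dports"]:
            continue
        if rule["target"] == "ACCEPT":
            return 0            # traversal stops, packet stays unmarked
        if rule["target"] == "MARK":
            return rule["mark"]
    return 0

def next_hop(packet, mark):
    """Marked packets use table 2, whose default route is the cache server;
    everything else follows the main table to the real gateway."""
    if mark == FWMARK:
        return CACHESERVER
    return "upstream-gateway"   # constructed name for the main-table default

def route_http(packet, with_accept_rule):
    """Build the chain as the script's start() does and route one packet.
    with_accept_rule=False shows what happens if the ACCEPT line is left out."""
    rules = []
    if with_accept_rule:
        rules.append({"src": CACHESERVER, "dports": WWWPORTS, "target": "ACCEPT"})
    rules.append({"dports": WWWPORTS, "target": "MARK", "mark": FWMARK})
    return next_hop(packet, mangle_prerouting(packet, rules))

# Constructed packets: a LAN client's request and the proxy's own upstream fetch.
CLIENT_REQ = {"src": "192.168.1.50", "dport": 80}
PROXY_FETCH = {"src": CACHESERVER, "dport": 80}

if __name__ == "__main__":
    print(route_http(CLIENT_REQ, True))    # 192.168.1.2: client sent to proxy
    print(route_http(PROXY_FETCH, True))   # upstream-gateway: no loop
    print(route_http(PROXY_FETCH, False))  # 192.168.1.2: proxy's fetch loops back
```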