Re: TCP Outgoing Address ACL Problem

Garri Djavadyan <garryd@xxxxxxxxx> · Fri, 11 Nov 2016 23:44:28 +0500

On 2016-11-11 22:28, Antony Stone wrote:
On Friday 11 November 2016 at 17:51:04, 
jarrett+squid-users@xxxxxxxxxxxxxxxxx
wrote:

I'm trying to use ACLs to direct incoming traffic on assigned ports to
assigned outgoing addresses.  But, squid uses the first IP address
assigned to the interface not listed in the config instead.

See http://lists.squid-cache.org/pipermail/squid-users/2016-
October/013270.html

Specifically "IP addressing on the outgoing connections is an operating 
system
choice.  Squid does not have any direct control over outgoing 
connections
besides their destination IP:port."

Hi,

The following configuration works for me on Linux.

1. I set second /32 IP address for Internet facing interface.
# ip addr show wlp3s0 | fgrep 'inet '
    inet 192.168.2.102/24 brd 192.168.2.255 scope global dynamic wlp3s0
    inet 192.168.2.108/32 scope global wlp3s0


2. I added second http_port, ACL for the second http_port and the rule 
to use second IP address if connection is for second http_port.
# diff -u etc/squid.conf.default etc/squid.conf

--- etc/squid.conf.default	2016-10-28 15:54:53.851704360 +0500
+++ etc/squid.conf	2016-11-11 23:18:48.654385840 +0500
@@ -23,6 +23,7 @@
 acl Safe_ports port 591		# filemaker
 acl Safe_ports port 777		# multiling http
 acl CONNECT method CONNECT
+acl port3129 localport 3129

 #
 # Recommended minimum Access Permission configuration:
@@ -57,6 +58,7 @@

 # Squid normally listens to port 3128
 http_port 3128
+http_port 3129

 # Uncomment and adjust the following to add a disk cache directory.
 #cache_dir ufs /usr/local/squid35/var/cache/squid 100 16 256
@@ -71,3 +73,4 @@
 refresh_pattern ^gopher:	1440	0%	1440
 refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
 refresh_pattern .		0	20%	4320
+tcp_outgoing_address 192.168.2.108 port3129


3. I initiated two requests on different http ports:
$ curl -x http://127.0.0.1:3128 -H 'Cache-Control: no-cache' 
http://mirror.comnet.uz/centos/2/readme.txt > /dev/null
$ curl -x http://127.0.0.1:3129 -H 'Cache-Control: no-cache' 
http://mirror.comnet.uz/centos/2/readme.txt > /dev/null


4. Using tcpdump I confirmed that the rule is working.
# tcpdump -i wlp3s0 dst host mirror.comnet.uz
...
23:42:02.230713 IP 192.168.2.102.40506 > mirror.comnet.uz.http: Flags 
[P.], seq 0:218, ack 1, win 229, options [nop,nop,TS val 845937144 ecr 
1281004287], length 218: HTTP: GET /centos/2/readme.txt HTTP/1.1
...
23:42:15.166311 IP 192.168.2.108.48575 > mirror.comnet.uz.http: Flags 
[P.], seq 0:218, ack 1, win 229, options [nop,nop,TS val 845950080 ecr 
1281016928], length 218: HTTP: GET /centos/2/readme.txt HTTP/1.1
...


Thanks for attention!

Garri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users







