Works here, but you really SHOULD be using the CONNMARK feature (in
iptables patch-o-matic) for marking the whole TCP connection, not only
the TCP PORT 80 traffic as there may also be ICMP traffic involved for
PMTU and other TCP/IP functions.
Note that in addition to the advanced routing on the firewall you also
need interception rules on the proxy server.
Regards
Henrik
"Kline, Jonathan" wrote:
> iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s x.x.x.13
>
> iptables -t mangle -A PREROUTING -j MARK --set-mark 2 -p tcp --dport 80
> ip rule add fwmark 2 table 2
> ip route add default via x.x.x.13 dev eth2 table 2
>
> The rules load just fine on the firewall, however traffic on port 80
> comes to a halt, i.e the best firewall of all time.
>
> On the squid box, x.x.x.13, we are running squid on port 80, bound to
> x.x.x.13. We are running Squid Cache: Version 2.5.STABLE1 on the squid
> box.
>
> If you sniff the traffic on the firewall, you see the traffic arrive on
> the lan interface, but it never leaves on the dmz interface.
>
> Anyone have any ideas or suggestions?
>
> Thanks,
>
> --
> Jonathan Kline
> Milwaukee School of Engineering
> klinej@msoe.edu
> PGP Key fingerprint = 8923 7266 CC84 6D39 6AEA 2313 4241 7851 068E BD2A
> PGP Key ID = 068EBD2A
Received on Tue Dec 03 2002 - 16:11:17 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:50 MST