Thanks for the response ....
I have added all the rules in the /etc/iproute2/rt_tables file, which will do the splitting; that is now done.
You said I should turn off my rp_filter then? Why ... And where do I do that ( echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter )?
Should I not use my TOS inside the squid conf file or something like :
tcp_outgoing_tos 0x10 all
tcp_outgoing_tos 0x20 adsl
Then make an acl for each user that should use adsl : acl user1 src 10.4.27.100/255.255.255.255
And make a http_access rule : http_access allow user1
And also : tcp_outgoing_address 192.168.1.2 adsl
Out of my head ....
-----Original Message-----
From: Brent Clark [mailto:bclark@eccotours.co.za]
Sent: 24 January 2006 12:12 PM
To: Gert Brits
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] multiple gateways
Gert Brits wrote:
> Hi all
>
> Need some help on the following
>
> The company has two internet lines , so there are two gateways on the
> network.
>
> They have one Linux Fedora 3 firewall, with 3 network cards.
>
> ETH0 = internal
> ETH1 = external ( gateway 1 )
> ETH2 = DSL ( gateway 2 )
>
> I need to split the browsing traffic for some people in the company
>
> I have been given 12 ip address, they must use the DSL link ( ETH2 )
> and the rest must use the EXTERNAL link ( ETH1 )
>
> Please help
Hi
This is not a squid issue, but a routing issue.
Suggest you apply to the LARTC and read the advanced routing howto.
In the meantime, here is my routing script.
==============================================================
## Table DSL must be defined in /etc/iproute2/rt_tables
ip route flush table DSL >>/dev/null
## Copy every route except the default from table main into table DSL
ip route show table main | grep -Ev '^default' | while read ROUTE ; do
ip route add table DSL $ROUTE
done
## Add the ADSL as route to route table DSL
ip route add default via 192.168.10.200 dev eth2 table DSL >>/dev/null
## Add the route to table DSL
ip rule add fwmark 1 table DSL >> /dev/null
=============================================================
Here is part of my rule set:
#!/bin/sh -
IPT=/sbin/iptables
# Rules for gateway
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/ip_forward
#Clear \ Flush all the rules from the different chains and tables
$IPT --flush
$IPT --flush INPUT #Flush the INPUT chain
$IPT --flush OUTPUT #Flush the OUTPUT chain
$IPT --flush FORWARD #Flush the FORWARD chain
$IPT -t nat --flush #Flush the nat table
$IPT -t mangle --flush #Flush the mangle table
$IPT --delete-chain #Delete any pre-existing chains
$IPT -t nat --delete-chain #Delete any pre-existing chains from nat table
$IPT -t mangle --delete-chain #Delete any pre-existing chains from the mangle table
#Setting the default Policies for the chains
$IPT --policy INPUT DROP #Setting the default policy for INPUT chain
$IPT --policy FORWARD DROP #Setting the default policy for FORWARD chain
$IPT --policy OUTPUT DROP #Setting the default policy for the OUTPUT chain
#Setting Nat and mangle to default policy ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT
#Accepting traffic for and to internal interface
$IPT -A INPUT -i lo -j ACCEPT #Allowing unlimited loopback traffic
$IPT -A OUTPUT -o lo -j ACCEPT #Allowing unlimited loopback traffic
# SNAT the Private LAN (the EXTERNALIPFORETH0/EXTERNALIPFORETH2 variables and
# the mangle rule that sets fwmark 1 are not part of this excerpt)
$IPT -t nat -A POSTROUTING -o eth0 -s 192.168.111.0/24 -j SNAT --to $EXTERNALIPFORETH0
$IPT -t nat -A POSTROUTING -o eth2 -s 192.168.111.0/24 -j SNAT --to $EXTERNALIPFORETH2
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TO ALLOW ALL HTTP TRAFFIC OUT ETH2
$IPT -t filter -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW -j ACCEPT
You need to switch off the rp_filter.
HTH
Kind Regards
Brent Clark
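An added example, not Brent's or Gert's code, that puts the pieces of this thread together (the fwmark/table DSL routing script, the marking rule it needs, and the rp_filter change Gert asked about) as a reviewable command generator. It assumes the table name DSL, fwmark 1 and the 192.168.10.200/eth2 gateway from the script above; the client list is constructed and the `run`, `gen_*` names are mine.

```shell
#!/bin/sh
# Added example, not Brent's or Gert's script: emit the commands that
# route a list of client IPs via the DSL table using fwmark, so they can
# be reviewed first. DRY_RUN=1 (default) prints; DRY_RUN=0 executes.
# Assumed from the thread: table DSL, fwmark 1, DSL gateway
# 192.168.10.200 on eth2. DSL_CLIENTS is a constructed sample list.
DRY_RUN=${DRY_RUN:-1}
TABLE=DSL
MARK=1
DSL_GW=192.168.10.200
DSL_IF=eth2
DSL_CLIENTS="10.4.27.100 10.4.27.101 10.4.27.102"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Build table DSL from the routes given on stdin (normally the output of
# `ip route show table main`), skip main's default, add the DSL default,
# and send fwmark-ed packets to that table.
gen_dsl_table() {
    run ip route flush table "$TABLE"
    while read -r ROUTE; do
        case "$ROUTE" in
            default*|"") ;;   # main's default must not be copied
            *) run ip route add table "$TABLE" $ROUTE ;;   # word-split on purpose
        esac
    done
    run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# Mark packets from each DSL client in mangle/PREROUTING; the fwmark rule
# above then selects table DSL for them.
gen_mark_rules() {
    for ip in $DSL_CLIENTS; do
        run iptables -t mangle -A PREROUTING -s "$ip" -j MARK --set-mark "$MARK"
    done
}

# Replies for those flows arrive on eth2, but the main table would route
# their (Internet) source address back out eth1, so the strict
# reverse-path check would drop them. Relax it on the interfaces involved
# (the kernel uses the higher of conf/all and conf/<if>).
gen_rp_filter() {
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$DSL_IF.rp_filter=0"
}
# Typical use: ip route show table main | gen_dsl_table; gen_mark_rules; gen_rp_filter
```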
Received on Tue Jan 24 2006 - 03:34:20 MST