Re: [squid-users] TPROXY but without bridging?

From: <admin@dont-contact.us>
Date: Mon, 31 Mar 2008 15:10:00 +0200 (CEST)

hello

On Sun, March 30, 2008, 01:12, Henrik Nordstrom wrote:
> On Fri, 2008-03-28 at 22:04 +0100, admin@abp.pl wrote:
>> Hello,
>>
>> I'm using Squid Cache: Version 2.6.STABLE18
>>
>> Is there a possibility to use it as a fully transparent proxy (with tproxy)
>> but without bridging interfaces?
>
> Yes, but you must make sure the proxy sees all HTTP traffic in both
> directions. (both outgoing request, and incoming responses).
>
>> to routers a,b... are connected clients. On that routers I have DNAT
>> --to-destination squid:80
>
> Don't DNAT on the other routers, instead policy route the connections
> using CONNMARK and ip policy rules..
>
> i.e. something like the following on the client routers:
>
> iptables -t mangle -A PREROUTING -i clientinterface -m state --state NEW
> -p tcp --dport 80 -j CONNMARK --set-mark 1
> iptables -t mangle -A PREROUTING -i clientinterface -j CONNMARK
> --restore-mark
> ip route add table 100 default via ip.of.squid.server
> ip rule add fwmark 1 lookup 100
>
> And on the upstream router (router 0) similar rules routing incoming
> packets with source port 80 to the proxy server instead of the client...
>
> iptables -t mangle -A PREROUTING -i insideinterface -m state --state NEW
> -p tcp --dport 80 -j CONNMARK --set-mark 1
> iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK
> --restore-mark
> ip route add table 100 default via ip.of.squid.server
> ip rule add fwmark 1 lookup 100
>

Are you sure that the router should mark packets on the inside interface, and
restore the mark on the outside interface?

That configuration doesn't work for me. When I connect to a web server from a
switch (like Router a, b, c...), I see in the Squid logs that the packets flow
through Squid. But traffic from outside my net doesn't want to flow through
Squid. I suppose that I have an error on Router0.

I tested both:
iptables -t mangle -A PREROUTING -i insideinterface -m state --state NEW \
 -p tcp --dport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK \
 --restore-mark

and
iptables -t mangle -A PREROUTING -i outsideinterface -m state --state NEW \
 -p tcp --sport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK \
 --restore-mark

Regards,

-- 
Tomasz
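The CONNMARK and policy-routing rules from Henrik's reply, written up as an added dry-run script (not from the thread, not Squid's own code) that prints the commands for either router role so they can be reviewed before being applied; interface names and the Squid address are placeholders, and the `ip rule` line uses the syntax `ip rule` actually accepts (`lookup`, no `via`):

```shell
#!/bin/sh
# Added example, not from the thread: prints the CONNMARK + policy-routing
# rules for each router role so they can be reviewed before being applied.
# Interface names and the Squid address are placeholders.

MARK=1        # fwmark that selects the "send to Squid" routing table
TABLE=100     # routing table whose only route is a default via Squid

# emit MARK_IF RESTORE_IF SQUID_IP
# Marks the first packet of each client->port-80 connection as it arrives on
# MARK_IF; every later packet of the same conntrack entry that arrives on
# RESTORE_IF gets the mark copied back and is routed via table TABLE.
emit() {
    mark_if=$1; restore_if=$2; squid=$3
    echo "iptables -t mangle -A PREROUTING -i $mark_if -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark $MARK"
    echo "iptables -t mangle -A PREROUTING -i $restore_if -j CONNMARK --restore-mark"
    echo "ip route add table $TABLE default via $squid"
    # 'ip rule' takes 'lookup TABLE' directly; it has no 'via' keyword.
    echo "ip rule add fwmark $MARK lookup $TABLE"
}

# Routers a, b, ...: the whole client->server direction arrives on the client
# interface, so both the marking and the restoring happen there.
client_router_rules() {   # CLIENT_IF SQUID_IP
    emit "$1" "$1" "$2"
}

# Router 0: the NEW packet (client->server) arrives on the inside interface.
# The server's replies (sport 80) arrive on the outside interface and can only
# get their mark from conntrack, so the restore must be on the outside
# interface. Matching '--state NEW --sport 80' on the outside interface would
# never hit: a reply is never the first packet of its connection.
upstream_router_rules() { # INSIDE_IF OUTSIDE_IF SQUID_IP
    emit "$1" "$2" "$3"
}

# Usage (review first, then apply on the matching router as root):
#   client_router_rules eth1 192.0.2.10
#   upstream_router_rules eth1 eth0 192.0.2.10 | sh -e
```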
Received on Mon Mar 31 2008 - 07:13:21 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT