thr3ads.net - LARTC - Direct SQUID Traffic to eth0 [Feb 2004]

If this information is useful, please help other people find it:
Share via:

Marcelo Rosa

2004-Feb-04 14:36 UTC

Direct SQUID Traffic to eth0

Hi,

I have a Linux box in the border of a customer and have the following setup:

Eth0 - ADSL with dinamic IP
Eth1 - Internet conn with 6 IP available
eth2 - Internal net 1
eth3 - internal net 2


This box runs Squid, in transparent mode. I redirect all traffic to internet on
port 80
to port 3128 on the box, when coming from eth2 and eth3.


I need to make all traffic from eth2 and eth3 get to the Internet through eth0
and the
traffic the firewall origintates too.

Only traffic recieved from a single host in eth3 and coming from eth1 should get
out
through eth1.

how can I acomplish this?

====Marcelo de Azevedo Rosa
Consultor/Instrutor em Tecnologias de Rede
Network Technologies Consultant/Instructor -  CCDA/CCNA/CCSI/MCNE
GnuPG (www.gnupg.org) - Key ID: 0xFE26FC98
Key fingerprint = B055 B875 67FB 40A3 FBBF  A1CB 903D DBB0 FE26 FC98
http://signature.coola.com/?marcelorosa2000@yahoo.com.br

______________________________________________________________________

Yahoo! GeoCities: 15MB de espaço grátis para criar seu web site!
http://br.geocities.yahoo.com/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Damion de Soto

2004-Feb-05 05:39 UTC

head link

Re: Direct SQUID Traffic to eth0

Hi Marcelo,> I have a Linux box in the border of a customer and have the following
setup:
> 
> This box runs Squid, in transparent mode. I redirect all traffic to
internet on port 80
> to port 3128 on the box, when coming from eth2 and eth3.
> I need to make all traffic from eth2 and eth3 get to the Internet through
eth0 and the
> traffic the firewall origintates too.
> Only traffic recieved from a single host in eth3 and coming from eth1
should get out
> through eth1.
You should be able to use 2 routing tables.
one with a default gateway via eth1, and the other via eth0
you then use policy routing rules:
like this, i think:

ip route add 0/0 via eth2-gw-IP table 1
ip rule add pref 1000 from eth2-gw-IP lookup 1
ip route add default nexthop via eth2-gw-IP dev eth2
ip route add 0/0 via eth1-gw-IP table 2
ip rule add pref 1001 from eth1-gw-IP lookup 2
ip rule add pref 1002 from eth3-single-IP lookup 2



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear - A CyberGuard Company ---    ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Marcelo Rosa

2004-Feb-05 12:32 UTC

head link

RE: Direct SQUID Traffic to eth0

I Think you´re right, but there´s one problem.

I need to NAT/MASQ the address , it´s getting out in a RFC1918 address. I
have tried marking the packets originated by the router with fwmark, but I
can only do this in the OUTPUT chain, and then I can no longer NAT/MASQ
them.

I tried this: 

$IF1=eth0
$IF2=eth1
$IP1=10.1.1.2
$IP2=XXX.XXX.X.XXX
$P1=10.1.1.1
$P2=XXX.XXX.X.XXX
$P1_NET=10.1.1.0
$P2_NET=XXX.XXX.X.XXX

#Create two tables with the local routes
/sbin/ip route add $P1_NET dev $IF1 src $IP1 table net_hom
/sbin/ip route add $P2_NET dev $IF2 src $IP2 table net_emp

#Create two default routes (one on each table) and choose one to figure in
table main
/sbin/ip route add default via $P1 table net_hom
/sbin/ip route add default via $P2 table net_emp
/sbin/ip route del default
/sbin/ip route add default via $P1

#Create the outgoing routes
/sbin/ip route add $P1_NET dev $IF1 src $IP1
/sbin/ip route add $P2_NET dev $IF2 src $IP2

#Populate the tables with routes
/sbin/ip route show table main | grep -Ev ^default | while read ROUTE ; do \
	/sbin/ip route add table net_emp $ROUTE ; \
	done
/sbin/ip route show table main | grep -Ev ^default | while read ROUTE ; do \
	/sbin/ip route add table net_hom $ROUTE ; \
	done

#Create the rules to direct some of the internal hosts (the ones that shoud
go to eth1) to the correct route
/sbin/ip rule add from 192.168.0.1 table net_emp && \
	/sbin/ip rule add from 192.168.0.2 table net_emp && \
	/sbin/ip rule add from 192.168.0.3 table net_emp && \
	/sbin/ip rule add from 192.168.0.4 table net_emp && \
	/sbin/ip rule add from 192.168.0.5 table net_emp && \
	/sbin/ip rule add from 192.168.0.6 table net_emp && \
	/sbin/ip rule add from 192.168.0.7 table net_emp && \
	/sbin/ip rule add from 192.168.0.8 table net_emp && \
	/sbin/ip rule add from 192.168.0.9 table net_emp && \
	/sbin/ip rule add from 192.168.0.10 table net_emp

#Create the rules to direct traffic from eth1 out to eth1 and from eth0 out
to eth0
/sbin/ip rule add from $IP1 table net_hom && \
	/sbin/ip rule add from $IP2 table net_emp


Questions:

1 - Do you think I´m right? Should this work?
2 - How can I verify if this is working? TCPDUMP?, Is there na /sbin/ip
option to verify this?
3 - Is the sintax correct?

Thanks a lot.

Marcelo de Azevedo Rosa
Consultor/Instrutor em Tecnologias de Rede
Network Technologies Consultant/Instructor -  CCDA/CCNA/MCNE/CCSI
Fone: 55 41 344-1262/41-9154-3696
ICQ: 45543362/MSN: marcelorosa@hotmail.com/Yahoo: marcelorosa2000/AIM:
watcher2110

***-----Original Message-----
***From: lartc-admin@mailman.ds9a.nl 
***[mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Damion de Soto
***Sent: Thursday, February 05, 2004 3:40 AM
***To: Marcelo Rosa
***Cc: lartc@mailman.ds9a.nl
***Subject: Re: [LARTC] Direct SQUID Traffic to eth0
***
:
***
***ip route add 0/0 via eth2-gw-IP table 1
***ip rule add pref 1000 from eth2-gw-IP lookup 1
***ip route add default nexthop via eth2-gw-IP dev eth2
***ip route add 0/0 via eth1-gw-IP table 2
***ip rule add pref 1001 from eth1-gw-IP lookup 2
***ip rule add pref 1002 from eth3-single-IP lookup 2
***
***
***
***-- 
***~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
***Damion de Soto - Software Engineer  email:     damion@snapgear.com
***SnapGear - A CyberGuard Company ---    ph:         +61 7 3435 2809
***  | Custom Embedded Solutions          fax:         +61 7 3891 3630
***  | and Security Appliances            web: http://www.snapgear.com
***~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
***  ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---
***
***_______________________________________________
***LARTC mailing list / LARTC@mailman.ds9a.nl 
***http://mailman.ds9a.nl/mailman/listinfo/lartc ***HOWTO: 
***http://lartc.org/
***


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

LARTC - Feb 2004 - Direct SQUID Traffic to eth0

Direct SQUID Traffic to eth0

Re: Direct SQUID Traffic to eth0

RE: Direct SQUID Traffic to eth0