Stanislav Nedelchev
2005-Jun-30 15:35 UTC
routing between 2 lines problem , after starting squid
i'm using one line on eth2 only for web traffic
eth1 is my internal line and eth0 is my main line to internet.
i'm marking packets like this

i have default route on eth0

iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 66
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j MARK --set-mark 66
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 3128 -j MARK --set-mark 66
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j MARK --set-mark 66

iptables -t mangle -A FORWARD -p tcp --sport 80 -j MARK --set-mark 66
iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark 66
iptables -t mangle -A FORWARD -p tcp --sport 3128 -j MARK --set-mark 66
iptables -t mangle -A FORWARD -p tcp --dport 3128 -j MARK --set-mark 66

iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 3128 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE

i have also
/sbin/ip route add 192.168.0.0/24 dev eth1 table natips
/sbin/ip route add 127.0.0.0/8 dev lo scope link table natips
/sbin/ip route add default via 217.10.248.1 dev eth2 table natips
/sbin/ip route flush cache
/sbin/ip rule add fwmark 66 table natips

squid is running on 192.168.0.1:3128

without squid it's working, i'm using second line for web traffic
with squid it's not working

can anybody help me
Thanks in advance.
hi stanislav,

i am really busy, but i can comment that i think your problem is coming from locally generated packets -- squid intercepts your web traffic, checks its local store, and then recreates the http get and sends it off. the local routing table is consulted, but i have had bad luck in the past getting it to work like you want.

inside the squid.conf:

# acl normal_service_net src 10.0.0.0/255.255.255.0
# acl good_service_net src 10.0.1.0/255.255.255.0
# tcp_outgoing_address 10.0.0.1 normal_service_net
# tcp_outgoing_address 10.0.0.2 good_service_net
# tcp_outgoing_address 10.0.0.3

you can see that it is possible to set up an acl and/or select the outgoing address (and bypass/fool the local routing table).

as you are marking packets, and if you want to be very granular, you should probably run two instances of squid. each instance needs its own store -- do not use the same cache directory. you can then send packets to the correct squid instance in PREROUTING (each instance listens on a different port).

hth
cheers
charles

On Thu, 2005-06-30 at 17:35 +0200, Stanislav Nedelchev wrote:
> i'm using one line on eth2 only for web traffic
> eth1 is my internal line and eth0 is my main line to internet.
> i'm marking packets like this
>
> i have default route on eth0
>
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 66
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j MARK --set-mark 66
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 3128 -j MARK --set-mark 66
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j MARK --set-mark 66
>
> iptables -t mangle -A FORWARD -p tcp --sport 80 -j MARK --set-mark 66
> iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark 66
> iptables -t mangle -A FORWARD -p tcp --sport 3128 -j MARK --set-mark 66
> iptables -t mangle -A FORWARD -p tcp --dport 3128 -j MARK --set-mark 66
>
> iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 3128 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
>
> i have also
> /sbin/ip route add 192.168.0.0/24 dev eth1 table natips
> /sbin/ip route add 127.0.0.0/8 dev lo scope link table natips
> /sbin/ip route add default via 217.10.248.1 dev eth2 table natips
> /sbin/ip route flush cache
> /sbin/ip rule add fwmark 66 table natips
>
> squid is running on 192.168.0.1:3128
>
> without squid it's working, i'm using second line for web traffic
> with squid it's not working
>
> can anybody help me
> Thanks in advance.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
"simplified chinese" is not nearly as easy as they would have you believe ... a superlative oxymoron" --anonymous
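Added example, not from either poster: the two ways to get the locally generated packets Charles describes (Squid's own connections to origin servers, which traverse the mangle OUTPUT chain and never PREROUTING or FORWARD) into the natips table from the original post. It assumes Squid runs as the system user "squid", that table natips (mark 66, default via eth2) already exists as shown above, and uses 203.0.113.10 as a placeholder for eth2's own address, which the thread never gives.

```shell
#!/bin/sh
# Added example (not from the thread). Squid rebuilds each client request as a
# new TCP connection originating on the router, so the PREROUTING/FORWARD marks
# from the post never see it and it leaves via the main table's default (eth0).
# Assumptions: Squid runs as uid "squid"; table "natips" with mark 66 and a
# default via eth2 exists; 203.0.113.10 is a placeholder for eth2's address.
MARK=66
TABLE=natips
SQUID_USER="${SQUID_USER:-squid}"
ETH2_ADDR="${ETH2_ADDR:-203.0.113.10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = apply them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Option A: mark Squid's own outbound TCP in the mangle OUTPUT chain. The owner
# match limits the rerouting to the squid uid, so DNS, ssh and package updates
# from the router keep using eth0. Squid's replies to LAN clients get marked
# too, but natips has the 192.168.0.0/24 route on eth1, so they still arrive.
mark_local_squid_traffic() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$SQUID_USER" \
        -p tcp -j MARK --set-mark "$MARK"
    # Marked packets now exit eth2 with whatever source address Squid bound;
    # rewrite them to eth2's address so the ISP on that line routes replies back.
    run iptables -t nat -A POSTROUTING -o eth2 -m mark --mark "$MARK" -j MASQUERADE
}

# Option B (Charles's suggestion): put "tcp_outgoing_address <eth2 address>" in
# squid.conf and route by source address instead of by mark. No marking and no
# MASQUERADE needed, since the packets already carry eth2's address.
route_by_source_address() {
    run ip rule add from "$ETH2_ADDR" table "$TABLE"
    run ip route flush cache
}

case "${1:-}" in
    mark)   mark_local_squid_traffic ;;
    source) route_by_source_address ;;
    *)      : ;;
esac
```

Run with `DRY_RUN=1 sh script.sh mark` to review the commands before applying them; only one of the two options should be active at a time.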
Stanislav Nedelchev
2006-Apr-07 20:15 UTC
Re: routing between 2 lines problem , after starting squid
It's Solved

Stanislav Nedelchev wrote:
> i'm using one line on eth2 only for web traffic
> eth1 is my internal line and eth0 is my main line to internet.
> i'm marking packets like this
>
> i have default route on eth0
>
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 66
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j MARK --set-mark 66
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 3128 -j MARK --set-mark 66
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j MARK --set-mark 66
>
> iptables -t mangle -A FORWARD -p tcp --sport 80 -j MARK --set-mark 66
> iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark 66
> iptables -t mangle -A FORWARD -p tcp --sport 3128 -j MARK --set-mark 66
> iptables -t mangle -A FORWARD -p tcp --dport 3128 -j MARK --set-mark 66
>
> iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 3128 -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
>
> i have also
> /sbin/ip route add 192.168.0.0/24 dev eth1 table natips
> /sbin/ip route add 127.0.0.0/8 dev lo scope link table natips
> /sbin/ip route add default via 217.10.248.1 dev eth2 table natips
> /sbin/ip route flush cache
> /sbin/ip rule add fwmark 66 table natips
>
> squid is running on 192.168.0.1:3128
>
> without squid it's working, i'm using second line for web traffic
> with squid it's not working
>
> can anybody help me
> Thanks in advance.