hey all,

this is the scenario, i have a squid transparent proxy set up thats working rather nicely. Now i have 4 network adapters, 3 of which connect me to the internet. My question is, is it possible to let a particular interface (network card) handle the connection to an address say yahoo.com ?

So, from the user end, they type in "yahoo.com" it goes to the squid proxy, checks the cache, goes to the iptable /route , sees that destination yahoo.com is to go through eth1.

Is that possible?


Thanks.

You know... i'd just written a post that said that that was dumb and pointless and impossible. then i go away and actaully see if it is possible, and lo.. looks like it is to some extent. i'm not a great iptables fan, so i can't provide actual examples, but grepping through the iptables manpage shows that you can use a string match target and then there is the route destination to point it in a certain direction. here's a link to an OLD doc about the string match http://www.securityfocus.com/infocus/1531 and the syntax looks fairly logical, assuming it's still correct. and the route side is here: http://www.netfilter.org/patch-o-mat...om-extra-ROUTE impressive huh?

hmm, thanks alot for your quick response, will check it out

greatly appreciate your help

i will say that neither these modules appear to be part of my default fc5 kernel, but do seem to be in the source headers.

I played around with the netfilter extras (patch-o-matic) but couldnt get it to compile cleanly on my kernel (2.6.16.11), but i dont think the iptables will work because i already have transparent proxy set up that takes all incoming port 80 requests and forwards them to port 3128, if i put a next rule just under that it wont match it since they're gonna mathc the transparent proxy rule.

Now for squid to handle requests, it has to go through a gateway rite, now is there any table that i can manipulate to handle the outgoing connections?

Im thinkin in the direction of ip rule/ip route commands, but not too sure about this.

Any Suggestions?

Thanks.

well it's not squids place to decide how to route. you could set static routes on your system for different destinations, which is what i was originally going to suggest, but be clear of the levels of seperate between a proxy and a router. as for the iptables rules, if you can get the extras working, i don't see an issue, just as long as you match the right traffic, i.e. packets from your local address, i.e.g squid going out to the web with a string match for a yahoo url or whatever. note that the string match would find the url, which would never be changed in a transparent proxy.

Well i did some playing around and got the string matching part to work, but not the ROUTE part
for those of you who want to do this, heres what i did:

i got a source (2.6.16.5) from kernel.org
untared to folder, got a copy of iptables (1.3.5) and
untared that too, got me a copy of patch-o-matic-ng
and untared also. I ran the p-o-m (./runme extras) giving the folders with kernel source and iptables
source and apply the patch i want (ROUTE). Next, i
start a xmenuconfig and compile the kernel making sure
the "string" match option and "ROUTE" option are being
installed as modules. Compilation and install goes
fine, i reboot to the new kernel, and then install the iptables
that was patched earlier, now i test the new commands :

iptables -m string -h

which displays a little help on the string match, just to be sure its installed properly, next i try a command out:

iptables -A PREROUTING -t mangle -m string --algo bm --string "yahoo.com" -j ROUTE --gw 192.168.0.1

now the string matching works because i tried it out with a different -j option
but apparently the ROUTE target is unknown. Can anyone help me set this up
properly?

Thanks.

Ok so i've given up tryin to get the "-j ROUTE" to work, Instead im gonna mark the packets and use the kernel routing table to get the packets to go where i want. The problem that i have with this is that even thought the packets are being marked (I checked using "iptables -t mangle -vnL") it doesnt seem to be going through the correct route. I;ve followed this guide :

http://edseek.com/archives/2006/05/0...out-balancing/

but all traffic goes through the default route and not the marked one.

# ip rule gives:
0: from all lookup local
200: from all fwmark 0x4 lookup 201
32766: from all lookup main
32767: from all lookup default

# ip route show table 201
default via 192.168.77.2 dev eth3

the iptables command i use to mark is:
# iptables -t mangle -A PREROUTING -m string --algo bm --string "yahoo.com" -j MARK --set-mark 0×4

i've also flushed the route cache,....any help? I did some playing around with iptables and found that the packets are being marked, but dont know why they arent matching the routing table.

Thanks.


Edit : Figured out the prob was squid didnt support these marks, so changed PREROUTING chain to OUTPUT and it works fine.
Thanks all.