LinuxQuestions.org
Old 09-07-2006, 04:22 PM   #1
dansif
Proxy Gateway - Forward the IPs


I am setting up a proxy gateway with multiple proxy ip addresses. I want to have the users' packets go out on the same ip they came in on. Right now I have an ip on eth0 and an ip on eth0:0. If a user connects to the ip on eth0:0, the ip shown is the one on eth0.

I am using Mandriva Linux 2005 LE, Squid 2.6.STABLE3, and IPTables 1.2.9.

I've tried using iptables to change the source ip in the postrouting using marking and matching, but that doesn't seem to work.

Here is what I've tried.
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport 8081 -j MARK --set-mark 2

iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source <ip1>
iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source <ip2>

I believe the marking works, but the matching in the nat doesn't. How can I make this work?
 
Old 09-07-2006, 04:37 PM   #2
acid_kewpie
what is the point of these two eth0's? what networks are in use? why do you need two?

can we back up and ask why you want to do this in the first place? it looks a lot like you have thought of some ideal end goal and got halfway there by yourself. if we can understand the start and end points ourselves i would expect there is a better way to get the result you are after.
 
Old 09-08-2006, 09:32 AM   #3
dansif
I am setting it up to where different departments have different ip addresses, but all data flows through one central proxy server. Therefore, I need multiple eth0's. Each virtual eth0 represents one different ip address that I am using.

If a user's browser uses the ip on eth0, then when they look at their outside ip at whatismyip for example, they should see the ip on eth0. Someone using the ip on eth0:0 should see the ip on eth0:0, not the ip on eth0 (which is what happens).

My biggest problem is that the POSTROUTING chain on the nat table in iptables doesn't recognize any of the policies I designated (such as specifying input/output port or specifying input/output ip).

What can I do to solve this problem?
 
Old 09-08-2006, 10:18 AM   #4
acid_kewpie
i'm really not convinced at all... if they have different ip addresses, then that's a perfect thing to base an acl around in squid... your system seems arcane and wide open to abuse.
 
Old 09-08-2006, 11:23 AM   #5
win32sux
i agree the setup is kinda weird... i mean, if you'd *really* wanna have the different departments separated, then you'd use a separate (physical) NIC and switch for each department (as well as for the uplink)... using virtual IPs on the same NIC does nothing as far as security is concerned... then again, perhaps security isn't your objective...

now, as far as your proxy daemon itself: users connecting to your virtual interfaces should indeed cause the proxy to start a connection using the box's real IP as the source - as long as you have the interface properly configured and the box's gateway is accessible through it... notice how i said "start a connection", and NOT "forward their connection"...

in other words, with what it sounds like you are trying to do, there's no reason why you'd need to use any special POSTROUTING rules for this (the proxy daemon doesn't do any forwarding/routing)... in fact, you don't even need forwarding enabled in your kernel for this to work...

Last edited by win32sux; 09-08-2006 at 12:44 PM.
 
Old 09-08-2006, 01:34 PM   #6
dansif
Maybe you aren't understanding the issue.

When a browser connects to ip1 and goes to whatismyip.com, they should see ip1. If the browser connects to ip2 and goes to whatismyip.com, they should see ip2.
IP1 is listed as the main ip (eth0). IP2 is listed as a virtual interface (eth0:0). I want the users to see which proxy ip they are connected through. Right now, if the browser connects to ip2 and goes to whatismyip.com, they will see ip1 (since it is the main ip). I want to know how to fix this.
 
Old 09-08-2006, 01:35 PM   #7
amitsharma_26
Quote:
Originally Posted by win32sux

* - as long as you have the interface properly configured and the box's gateway is accessible through it...

* ..in fact, you don't even need forwarding enabled in your kernel for this to work...
That is absolutely correct. And hence the only thing you have to make sure of is that you have correct routing tables (#route -n) for all of your networks.

With best regards,
Amit..
 
Old 09-08-2006, 01:51 PM   #8
win32sux
i took a look at the squid.conf file and i found the tcp_outgoing_address tag... sounds like that might work if you could find a tag for the address which the connection came into...
Quote:
# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or sourceaddress of the user making
# the request.
#
# tcp_outgoing_address ipaddr [[!]aclname] ...
#
# Example where requests from 10.0.0.0/24 will be forwarded
# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
# source address 10.1.0.2 and the rest will be forwarded with
# source address 10.1.0.3.
#
# acl normal_service_net src 10.0.0.0/255.255.255.0
# acl good_service_net src 10.0.1.0/255.255.255.0
# tcp_outgoing_address 10.0.0.1 normal_service_net
# tcp_outgoing_address 10.0.0.2 good_service_net
# tcp_outgoing_address 10.0.0.3
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
#Default:
# none
as you can tell, i think this is something which is best worked-out with squid itself, not iptables/netfilter - but that's just my opinion and i might be mistaken...

Last edited by win32sux; 09-08-2006 at 02:14 PM.
 
Old 09-08-2006, 03:39 PM   #9
acid_kewpie
it helps to understand a scenario if you actually explain it correctly.... so you wish to nat them to multiple *external* ip addresses, not internal facing ones... certainly clears it up a lot, still has limited merit one would think, unless you are able to use these further on upstream. and if that's all the case, then certainly as above would be a good option.
 
Old 09-08-2006, 04:30 PM   #10
dansif
Quote:
Originally Posted by win32sux
i took a look at the squid.conf file and i found the tcp_outgoing_address tag... sounds like that might work if you could find a tag for the address which the connection came into...
as you can tell, i think this is something which is best worked-out with squid itself, not iptables/netfilter - but that's just my opinion and i might be mistaken...
Doesn't work for my application because in the end, I would like to use the ips to where the source destination isn't important. If a user connects to proxy ip1 then they should see proxy ip1. If a user on the same network (same external ip) uses proxy ip2 then they should see proxy ip2. Using squid.conf, it only allows me to say that all users with a certain external ip will see the same proxy ip displayed no matter which proxy ip they are using in their browser. That doesn't work for my purposes.

Changing the routing table to route certain ip addresses to certain interfaces might work. I haven't tried it yet. Any other suggestions are welcome.
 
Old 09-08-2006, 04:48 PM   #11
win32sux
Quote:
Originally Posted by dansif
it only allows me to say that all users with a certain external ip will see the same proxy ip displayed no matter which proxy ip they are using in their browser.
i know, which is why i said:
Quote:
might work if you could find a tag for the address which the connection came into
cuz if so, then AFAICT you'd be able to achieve your objective by mixing both tags...
 
Old 09-08-2006, 06:06 PM   #12
win32sux
i believe what you want would look kinda like this:
Code:
acl mynet src 192.168.100.0/255.255.255.0
acl real_ip $HELP_PLEASE 192.168.100.1:8080
acl virtual_ip $HELP_PLEASE 192.168.100.2:8081
tcp_outgoing_address 192.168.100.1 mynet real_ip
tcp_outgoing_address 192.168.100.2 mynet virtual_ip

http_port 192.168.100.1:8080
http_port 192.168.100.2:8081
of course, $HELP_PLEASE represents the ACL type which we haven't found yet (which matches against the address/port upon which the connection request was received)...

Last edited by win32sux; 09-08-2006 at 06:14 PM.
 
Old 09-08-2006, 06:20 PM   #13
win32sux
i think i might have gotten you a tad closer... i quote from squid.conf:
Quote:
# acl aclname myip ip-address/netmask ... (local socket IP address)
# acl aclname myport 3128 ... # (local socket TCP port)
if i understand correctly, then you might be able to do something like this:
Code:
acl mynet src 192.168.100.0/255.255.255.0

acl real_ip myip 192.168.100.1
acl virtual_ip myip 192.168.100.2

acl real_port myport 8080
acl virtual_port myport 8081

tcp_outgoing_address 192.168.100.1 mynet real_ip real_port
tcp_outgoing_address 192.168.100.2 mynet virtual_ip virtual_port

http_port 192.168.100.1:8080
http_port 192.168.100.2:8081
actually, since the real IP gets used as the source by default, i think you might only need to make an ACL for the virtual one, like:
Code:
acl mynet src 192.168.100.0/255.255.255.0

acl virtual_ip myip 192.168.100.2
acl virtual_port myport 8081

tcp_outgoing_address 192.168.100.2 mynet virtual_ip virtual_port

http_port 192.168.100.1:8080
http_port 192.168.100.2:8081
i would also add that it might make it simpler for your users if you use the same ports on both IPs, like:
Code:
acl mynet src 192.168.100.0/255.255.255.0

acl virtual_ip myip 192.168.100.2
acl virtual_port myport 8080

tcp_outgoing_address 192.168.100.2 mynet virtual_ip virtual_port

http_port 192.168.100.1:8080
http_port 192.168.100.2:8080
that way they just change the proxy IP, without having to change the port...

just my ...

Last edited by win32sux; 09-08-2006 at 07:15 PM.
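Added example (editor's note, not code from this thread or from the Squid project): the squid.conf comment quoted in post #8 says that tcp_outgoing_address lines are processed in order, and that a line matches only when every ACL named on it matches. The small model below implements just that rule for the three ACL types used in this thread (src, myip, myport), so you can see why a src-only configuration cannot tell the two proxy IPs apart while the myip/myport version from post #13 can. The ACL grammar it parses is a simplified subset; the client addresses are constructed for the demonstration.

```python
"""Model of Squid's tcp_outgoing_address selection for src/myip/myport ACLs.

Assumptions (this is an editor's model, not Squid's code): a tcp_outgoing_address
line matches when ALL listed ACLs match (a leading '!' negates one), lines are
tried in order and the first full match wins, and a line with no ACLs always
matches. Unknown directives such as http_port are ignored.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str      # client IP (Squid "src")
    myip: str     # proxy-side IP the client connected to (Squid "myip")
    myport: int   # proxy-side TCP port the client connected to (Squid "myport")


def parse_config(text):
    """Collect acl definitions and tcp_outgoing_address rules from squid.conf-style text."""
    acls = {}    # name -> (acl type, list of values)
    rules = []   # (outgoing address, [acl names]) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acltype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acltype, []))[1].extend(values)
        elif parts[0] == "tcp_outgoing_address":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _network(value):
    # Squid accepts "a.b.c.d/255.255.255.0", "a.b.c.d/24" and bare host addresses.
    return ipaddress.ip_network(value, strict=False)


def acl_matches(acls, name, conn):
    negate = name.startswith("!")
    acltype, values = acls[name.lstrip("!")]
    if acltype == "src":
        hit = any(ipaddress.ip_address(conn.src) in _network(v) for v in values)
    elif acltype == "myip":
        hit = any(ipaddress.ip_address(conn.myip) in _network(v) for v in values)
    elif acltype == "myport":
        hit = any(conn.myport == int(v) for v in values)
    else:
        raise ValueError(f"ACL type {acltype!r} not modelled here")
    return hit != negate


def outgoing_address(config_text, conn):
    """Return the source address Squid would use, or None (kernel default) if no line matches."""
    acls, rules = parse_config(config_text)
    for addr, aclnames in rules:
        if all(acl_matches(acls, n, conn) for n in aclnames):
            return addr
    return None


# Constructed configs: the src-only shape from post #8 and the myip/myport shape from post #13.
SRC_ONLY = """
acl mynet src 192.168.100.0/255.255.255.0
tcp_outgoing_address 192.168.100.1 mynet
"""

MYIP_MYPORT = """
acl mynet src 192.168.100.0/255.255.255.0
acl real_ip myip 192.168.100.1
acl virtual_ip myip 192.168.100.2
acl real_port myport 8080
acl virtual_port myport 8081
tcp_outgoing_address 192.168.100.1 mynet real_ip real_port
tcp_outgoing_address 192.168.100.2 mynet virtual_ip virtual_port
http_port 192.168.100.1:8080
http_port 192.168.100.2:8081
"""

# Two connections from the SAME client, one to each proxy IP:port (constructed).
VIA_REAL = Conn("192.168.100.50", "192.168.100.1", 8080)
VIA_VIRTUAL = Conn("192.168.100.50", "192.168.100.2", 8081)
OUTSIDER = Conn("10.0.0.9", "192.168.100.2", 8081)   # not in mynet


if __name__ == "__main__":
    for label, cfg in (("src only", SRC_ONLY), ("myip/myport", MYIP_MYPORT)):
        print(label, outgoing_address(cfg, VIA_REAL), outgoing_address(cfg, VIA_VIRTUAL))
```

With the src-only config both connections get 192.168.100.1, which is exactly the complaint in post #10; with the myip/myport config the choice follows the address the client actually connected to, and a client outside mynet matches no line and falls back to the kernel's default source selection.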
 
Old 09-11-2006, 02:31 PM   #14
dansif
Quote:
Originally Posted by win32sux
acl mynet src 192.168.100.0/255.255.255.0

acl real_ip myip 192.168.100.1
acl virtual_ip myip 192.168.100.2

acl real_port myport 8080
acl virtual_port myport 8081

tcp_outgoing_address 192.168.100.1 mynet real_ip real_port
tcp_outgoing_address 192.168.100.2 mynet virtual_ip virtual_port

http_port 192.168.100.1:8080
http_port 192.168.100.2:8081
Worked great for me. Thanks a lot. After trying to do this with iptables for so long, it actually works using the squid.conf file instead.

Thanks for all your help.
 
Old 09-11-2006, 05:43 PM   #15
win32sux
Quote:
Originally Posted by dansif
Worked great for me. Thanks a lot. After trying to do this with iptables for so long, it actually works using the squid.conf file instead.

Thanks for all your help.
you're welcome... happy to help...

BTW, the reason why your iptables POSTROUTING rules wouldn't work was because the packets wouldn't go through them, since after being taken-in as INPUT (and handed-over to squid), new packets would get generated by squid itself... you probably already know this, but i'm just posting it in case anybody who runs into this thread in the future has any doubts...
Quote:
Originally Posted by dansif
I am setting up a proxy gateway with multiple proxy ip addresses. I want to have the users' packets go out on the same ip they came in on. Right now I have an ip on eth0 and an ip on eth0:0. If a user connects to the ip on eth0:0, the ip shown is the one on eth0.

I am using Mandriva Linux 2005 LE, Squid 2.6.STABLE3, and IPTables 1.2.9.

I've tried using iptables to change the source ip in the postrouting using marking and matching, but that doesn't seem to work.

Here is what I've tried.
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport 8081 -j MARK --set-mark 2

iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source <ip1>
iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source <ip2>

I believe the marking works, but the matching in the nat doesn't. How can I make this work?

Last edited by win32sux; 09-12-2006 at 10:25 PM.
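Added example (editor's note, not Squid code and not from this thread): post #15 explains that a proxy terminates the client's TCP connection and opens a new one of its own, so the mark set on the client's inbound packets in mangle PREROUTING is not present on the proxy's outbound connection. The minimal loopback relay below makes that visible: it binds the outbound socket to the address the client connected to before calling connect(), which is the bind-before-connect mechanism behind a directive like tcp_outgoing_address, and the constructed "upstream" server records the peer it sees. Everything runs on 127.0.0.1 with kernel-chosen ports, so the distinction shows up in the port numbers rather than in two different IPs.

```python
"""Loopback demo: a proxy originates a NEW connection; upstream sees the proxy, not the client.

Editor's example, constructed for this thread. The 'upstream' is a stand-in for a
remote site that simply reports the peer address it observed.
"""
import socket
import threading


def start_upstream():
    """Constructed remote side: accept one connection, echo back the peer it saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # loopback, kernel-chosen port
    srv.listen(1)
    seen = {}

    def serve_one():
        conn, peer = srv.accept()
        seen["peer"] = peer              # who "the outside" thinks connected
        conn.settimeout(5)
        conn.recv(1024)                  # the relayed request; content irrelevant here
        conn.sendall(b"seen-from:%s:%d" % (peer[0].encode(), peer[1]))
        conn.close()
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname(), seen


def run_demo():
    """One client -> proxy -> upstream round trip; returns the addresses observed."""
    upstream_addr, seen = start_upstream()

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # the "proxy IP:port" the client will use
    listener.listen(1)
    listen_addr = listener.getsockname()
    observed = {}

    def proxy_one():
        client, _ = listener.accept()
        client.settimeout(5)
        # The local address the client connected to: Squid's "myip" view of the socket.
        proxy_ip = client.getsockname()[0]
        # A brand-new TCP connection. bind() before connect() is how a proxy chooses
        # its own source address; the client's packets never traverse this path,
        # so netfilter marks placed on them in PREROUTING are not carried here.
        out = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        out.settimeout(5)
        out.bind((proxy_ip, 0))
        out.connect(upstream_addr)
        observed["proxy_outgoing"] = out.getsockname()
        out.sendall(client.recv(1024))   # relay request bytes upstream
        client.sendall(out.recv(1024))   # relay reply bytes back to the client
        out.close()
        client.close()
        listener.close()

    worker = threading.Thread(target=proxy_one, daemon=True)
    worker.start()

    client = socket.create_connection(listen_addr, timeout=5)
    observed["client_local"] = client.getsockname()
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")     # constructed request
    observed["reply"] = client.recv(1024)
    client.close()
    worker.join(5)
    observed["upstream_peer"] = seen["peer"]
    return observed


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:15} {value!r}")
```

The upstream's recorded peer equals the proxy's own outbound socket address and differs from the client's socket, which is the whole reason post-routing SNAT keyed on the client's connection never fired: the source address of the proxy's connection is decided at the socket layer, which is where Squid's tcp_outgoing_address acts.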