LinuxQuestions.org
Linux - Networking
Old 02-09-2010, 05:47 AM   #1
yorbs8
Transparent Proxy with 2 WAN links


Hello Everyone,

I'm trying to set up a Linux box with 3 NICs (2 WAN links and 1 LAN). All HTTP traffic (port 80) should go to WAN 1 via the squid proxy and the rest to WAN 2. I already set up MASQUERADING in iptables and already configured port 80 to redirect to port 3128 for squid. My default gateway is WAN 2. But the problem is that squid uses the default gateway, WAN 2. Can someone help me set up the iptables/routing so that squid uses WAN 1?

Thanks in advance!
 
Old 02-09-2010, 08:43 AM   #2
devwatchdog
Typically, something like this could be handled with source policy routing, such as where you have traffic coming from specific sources, and tell it to use the non-default gateway WAN interface.

Something like this:

http://lartc.org/howto/lartc.rpdb.ht...TC.RPDB.SIMPLE

That isn't going to work in your circumstance, as the squid proxy is running on the same system; therefore you don't have that luxury. The easiest thing would have been to use a separate system for the squid proxy/WAN1 connection. Looks like you're too far into this to go that route, however.

I just compiled and installed squid on a system that has two interfaces that will function in a similar manner as your dual WAN setup. I'll provide a basic config for squid, just enough to get it functioning, then see what I can do about coming up with a solution. I've read through some various advanced routing guides, and haven't found a simple, straightforward solution yet.
 
Old 02-09-2010, 08:37 PM   #3
devwatchdog
I managed to find a solution for you, yorbs8.

I have been futzing around with routes, created custom routing tables, iptables rules, all sorts of things.

But, those aren't the solution.

I ran across something here:

http://www.experts-exchange.com/Soft..._23091996.html

Which discussed load balancing, but the key to that was the 'tcp_outgoing_address' option.

Did a quick search on it to turn up a web page, which after looking at it is nothing more than information quoted from the squid.conf file.

This is the pertinent info:

Code:
#  TAG: tcp_outgoing_address
#       Allows you to map requests to different outgoing IP addresses
#       based on the username or source address of the user making
#       the request.
#
#       tcp_outgoing_address ipaddr [[!]aclname] ...
#
#       Example where requests from 10.0.0.0/24 will be forwarded
#       with source address 10.1.0.1, 10.0.2.0/24 forwarded with
#       source address 10.1.0.2 and the rest will be forwarded with
#       source address 10.1.0.3.
#
#       acl normal_service_net src 10.0.0.0/24
#       acl good_service_net src 10.0.2.0/24
#       tcp_outgoing_address 10.1.0.1 normal_service_net
#       tcp_outgoing_address 10.1.0.2 good_service_net
#       tcp_outgoing_address 10.1.0.3
#
#       Processing proceeds in the order specified, and stops at first fully
#       matching line.
#
#       Note: The use of this directive using client dependent ACLs is
#       incompatible with the use of server side persistent connections. To
#       ensure correct results it is best to set server_persistent_connections
#       to off when using this directive in such configurations.
#
#Default:
# none
tcp_outgoing_address 10.42.159.20

Well, upon further testing, you will also need to add a routing table to more or less associate outbound traffic with WAN 1. If you don't add the following routing configuration, the traffic will still exit via the default gateway (WAN 2); the difference is that it will now carry the IP address of WAN 1.

The rule:

tcp_outgoing_address 10.42.159.20

will have to be added to your squid.conf file, with the proper IP used. Just search for the proper section in the squid.conf file (which is what I'm showing above) and add it there.

To add the routing table, you will have to follow these steps:

You should have an iproute2 package installed on your system. You should have a file:

/etc/iproute2/rt_tables

Edit it and add something to the effect of:

Code:
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
200	T1

You can use whatever you want for the name of the rule, mine being 'T1'. If a table already uses the 200 value, use something else.

Now you will have to add a few routes to that table. This is what I used to set up my system:

Code:
ip rule add from 10.42.159.0/24 table T1
ip route add default via 10.42.159.10 table T1

The 10.42.159.0/24 would be changed to the network definition for WAN 1 on your system. Change 10.42.159.10 to the default route for that interface.

These are not permanent changes to the routing table. You will have to add these configuration settings somewhere in your config scripts.
 
Old 02-09-2010, 10:29 PM   #4
yorbs8

Thanks devwatchdog! I'll try following your solution. Thanks again!
 
Old 02-11-2010, 05:59 AM   #5
devwatchdog
Member
 
Registered: Jan 2010
Posts: 198

Rep: Reputation: 44
Quote:
Originally Posted by yorbs8 View Post
Thanks devwatchdog! I'll try following your solution. Thanks again!
You're welcome! But I'm wondering if it worked for you. Was this successful?
 
Old 02-11-2010, 11:51 PM   #6
yorbs8
Yeah, it worked! But I added a few lines to mark port 3128 so that it will use WAN1's gateway....

# Forward HTTP port to squid port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.3.1:3128

# Mark SQUID port 3128
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -p tcp --in-interface eth2 --dport 3128 -j MARK --set-mark 1

ip rule add from 192.168.3.0/24 fwmark 1 table web.out
ip route add default via 192.168.1.1 dev eth0 table web.out

Thanks again!
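The two working recipes in this thread, devwatchdog's in post #3 (tcp_outgoing_address plus a source-based ip rule) and yorbs8's in post #6 (a fwmark rule), are easy to get subtly wrong: a table id that clashes with /etc/iproute2/rt_tables, or a mark applied in PREROUTING that never touches squid's own outbound connections. The script below is an added example, not code from either poster. It checks a candidate table id/name against an rt_tables file, then prints the squid.conf line and the ip/iptables commands for both approaches without applying anything. It generalises post #6 by marking squid's locally generated connections in mangle OUTPUT with the owner match; the interface names, addresses, table name and the account squid runs as are all assumptions taken from the thread or invented for the demo.

```shell
#!/bin/sh
# Added example; not code from the thread. Generates the policy-routing setup
# that posts #3 and #6 work out by hand (squid's tcp_outgoing_address plus an
# extra iproute2 table) and first checks rt_tables so the chosen id and name
# do not clash. Interface names, addresses, the table name and the account
# squid runs as are assumptions; adapt them to your box.

# rt_table_free ID NAME < rt_tables
# Succeeds only if neither ID nor NAME is already assigned in the rt_tables
# text on stdin ("id<whitespace>name" lines, '#' comments). The stock entries
# 0/253/254/255 are listed in that file, so they count as taken too.
rt_table_free() {
    sed 's/#.*//' | awk -v id="$1" -v name="$2" '
        NF >= 2 && ($1 == id || $2 == name) { found = 1 }
        END { exit (found ? 1 : 0) }'
}

# squid_outgoing_line WAN1_IP
# The squid.conf directive from post #3. Without it squid binds the source
# address implied by the default route (WAN 2); post #7 ran into exactly that:
# a fwmark applied afterwards can re-route the packets but cannot change a
# source address the socket has already bound.
squid_outgoing_line() {
    printf 'tcp_outgoing_address %s\n' "$1"
}

# source_policy_cmds WAN1_NET WAN1_GW TABLE
# Post #3's approach: anything leaving with a WAN 1 source address uses TABLE.
source_policy_cmds() {
    printf 'ip rule add from %s table %s\n' "$1" "$3"
    printf 'ip route add default via %s table %s\n' "$2" "$3"
}

# fwmark_policy_cmds LAN_IF PROXY_IP WAN1_GW WAN1_IF TABLE MARK SQUID_USER
# Post #6's variant, generalised: redirect LAN port 80 into squid, then mark
# squid's own upstream connections. Those are generated on the box itself, so
# they pass through mangle OUTPUT and never PREROUTING; the owner match picks
# them out by the uid squid runs as (assumed here to be SQUID_USER).
fwmark_policy_cmds() {
    lan_if=$1; proxy_ip=$2; wan_gw=$3; wan_if=$4; table=$5; mark=$6; user=$7
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to %s:3128\n' "$lan_if" "$proxy_ip"
    printf 'iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner %s -j MARK --set-mark %s\n' "$user" "$mark"
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$wan_gw" "$wan_if" "$table"
}

# Constructed sample of /etc/iproute2/rt_tables, mirroring post #3's file.
SAMPLE_RT_TABLES='#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
200 T1'

# Pick the first free id for a table named web.out, then print everything
# that would be applied (addresses from post #3 for the source rule, from
# post #6 for the fwmark rule). Nothing here touches the running system.
demo() {
    for cand in 200 201 202; do
        if printf '%s\n' "$SAMPLE_RT_TABLES" | rt_table_free "$cand" web.out; then
            echo "# rt_tables: '$cand web.out' is free, append it to /etc/iproute2/rt_tables"
            break
        fi
        echo "# rt_tables: id $cand already taken, trying next"
    done
    squid_outgoing_line 10.42.159.20
    source_policy_cmds 10.42.159.0/24 10.42.159.10 T1
    fwmark_policy_cmds eth2 192.168.3.1 192.168.1.1 eth0 web.out 1 squid
}
demo
```

Run it against the real file with `rt_table_free 200 T1 < /etc/iproute2/rt_tables` before appending an entry. As post #3 notes, the `ip rule`/`ip route` lines are not persistent, so the printed commands belong in whatever brings the WAN 1 interface up. The server_persistent_connections caveat quoted from squid.conf only applies when tcp_outgoing_address is combined with client-dependent ACLs; the unconditional form used in this thread is unaffected.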
 
Old 02-28-2010, 11:56 PM   #7
lukeshih
Thanks for this solution,

but I got another question.

If my squid.conf is without "tcp_outgoing_address wan1's gateway":

My network interfaces:
eth0 wan1
eth1 wan2
eth2 wan3
eth3 lan 192.168.1.0/24

My ip table T1:
wan1 ip dev eth0 scope link
192.168.1.0/24 dev eth3 scope link
default via wan1's dev eth0

iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

HTTP traffic does not follow the iptables rule;
sometimes it goes via eth1 or eth2.

After I added "tcp_outgoing_address wan1's gateway" to squid.conf,
it worked correctly.

Why??? What does squid do???

The HTTP traffic:
192.168.1.x http request => iptables (nat) redirect 3128 => iptables (mangle) mark 1
=> route table T1 => internet

Why can't iptables control the traffic?

I want to create the table T2:
wan1's gateway dev eth0 scope link
wan2's gateway dev eth1 scope link
wan3's gateway dev eth3 scope link
192.168.1.0/24 dev eth3 scope link
default
nexthop via wan1's gateway dev eth0 weight 1 onlink
nexthop via wan2's gateway dev eth1 weight 1 onlink
nexthop via wan3's gateway dev eth2 weight 1 onlink

How do I make squid's routing follow this table?

Thanks for any advice!!!
 
Old 03-01-2010, 07:32 PM   #8
devwatchdog
Quote:
Originally Posted by lukeshih View Post
Thanks for this solution,

but I got another question.
Hello lukeshih!

Could you open up another thread with your question? You'll get more attention that way, and we can work on your problem then.
 
  

