LinuxQuestions.org

Linux - Networking: Transparent Proxy with 2 WAN links (https://www.linuxquestions.org/questions/linux-networking-3/transparent-proxy-with-2-wan-links-787973/)

yorbs8 02-09-2010 05:47 AM

Transparent Proxy with 2 WAN links
 
Hello Everyone,

I'm trying to set up a Linux box with 3 NICs (2 WAN links and 1 LAN). All HTTP traffic (port 80) should go to WAN 1 via the squid proxy and the rest to WAN 2. I already set up MASQUERADING in iptables and I already configured port 80 to redirect to port 3128 for squid. My default gateway is WAN 2. But the problem is that squid uses the default gateway, WAN 2. Can someone help me set up the iptables / routing for squid to use WAN 1?

Thanks in advance!

devwatchdog 02-09-2010 08:43 AM

Typically, something like this could be handled with source policy routing, such as where you have traffic coming from specific sources, and tell it to use the non-default gateway WAN interface.

Something like this:

http://lartc.org/howto/lartc.rpdb.ht...TC.RPDB.SIMPLE

That isn't going to work in your circumstance as the squid proxy is running on the same system, therefore you don't have that luxury. The easiest thing would have been to use a separate system for the squid proxy/WAN1 connection. Looks like you're too far into this to go that route, however.

I just compiled and installed squid on a system that has two interfaces that will function in a similar manner as your dual WAN setup. I'll provide a basic config for squid, just enough to get it functioning, then see what I can do about coming up with a solution. I've read through some various advanced routing guides, and haven't found a simple, straightforward solution yet.

devwatchdog 02-09-2010 08:37 PM

I managed to find a solution for you, yorbs8.

I have been futzing around with routes, created custom routing tables, iptables rules, all sorts of things.

But, those aren't the solution.

I ran across something here:

http://www.experts-exchange.com/Soft..._23091996.html

Which discussed load balancing, but the key to that was the 'tcp_outgoing_address' option.

Did a quick search on it to turn up a web page, which after looking at it is nothing more than information quoted from the squid.conf file.

This is the pertinent info:

Code:

#  TAG: tcp_outgoing_address
#      Allows you to map requests to different outgoing IP addresses
#      based on the username or source address of the user making
#      the request.
#
#      tcp_outgoing_address ipaddr [[!]aclname] ...
#
#      Example where requests from 10.0.0.0/24 will be forwarded
#      with source address 10.1.0.1, 10.0.2.0/24 forwarded with
#      source address 10.1.0.2 and the rest will be forwarded with
#      source address 10.1.0.3.
#
#      acl normal_service_net src 10.0.0.0/24
#      acl good_service_net src 10.0.2.0/24
#      tcp_outgoing_address 10.1.0.1 normal_service_net
#      tcp_outgoing_address 10.1.0.2 good_service_net
#      tcp_outgoing_address 10.1.0.3
#
#      Processing proceeds in the order specified, and stops at first fully
#      matching line.
#
#      Note: The use of this directive using client dependent ACLs is
#      incompatible with the use of server side persistent connections. To
#      ensure correct results it is best to set server_persistent_connections
#      to off when using this directive in such configurations.
#
#Default:
# none
tcp_outgoing_address 10.42.159.20

Well, upon further testing, you also will need to add a routing table to more or less associate outbound traffic to WAN 1. If you don't add the following routing configuration, the traffic will still exit the default gateway (WAN 2), the difference being now it will have the IP address of WAN 1.

The rule:

tcp_outgoing_address 10.42.159.20

will have to be added to your squid.conf file, with the proper IP used. Just search for the proper section in the squid.conf file (which is what I'm showing above) and add it there.

To add the routing table, you will have to follow these steps:

You should have an iproute2 package installed on your system. You should have a file:

/etc/iproute2/rt_tables

edit and add something to the effect of:

Code:

#
# reserved values
#
255        local
254        main
253        default
0        unspec
#
# local
#
#1        inr.ruhep
200        T1

You can use whatever you want for the name of the rule, mine being 'T1'. If a table already uses the 200 value, use something else.

Now you will have to add a few routes to that table. This is what I used to set up my system:

Code:

ip rule add from 10.42.159.0/24 table T1
ip route add default via 10.42.159.10 table T1

The 10.42.159.0/24 would be changed to the network definition for WAN 1 on your system. Change 10.42.159.10 to the default route for that interface.

These are not permanent changes to the routing table. You will have to add these configuration settings somewhere in your config scripts.
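The steps above (the squid.conf line, the rt_tables entry, the ip rule, the ip route, and the caveat that none of it survives a reboot) collected into one script. This is an added example, not devwatchdog's code from the post: it assumes the thread's placeholder addresses (10.42.159.0/24 as the WAN 1 network, 10.42.159.10 as its gateway, 10.42.159.20 as the tcp_outgoing_address), the rt_tables path /etc/iproute2/rt_tables from the post, and an iproute2 `ip` binary. The `apply` verb needs root; the file-handling functions work on any path, so they can be tried against a temporary copy first.

```shell
#!/bin/sh
# Added example (not from the thread): apply the WAN 1 policy-routing steps
# idempotently, then verify them. Placeholder values come from the thread's
# example; override them from the environment for a real system.
set -eu

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"   # path from the post
TABLE_ID="${TABLE_ID:-200}"                          # any unused table id
TABLE_NAME="${TABLE_NAME:-T1}"
WAN1_NET="${WAN1_NET:-10.42.159.0/24}"     # thread's example WAN 1 network
WAN1_GW="${WAN1_GW:-10.42.159.10}"         # thread's example WAN 1 gateway
WAN1_ADDR="${WAN1_ADDR:-10.42.159.20}"     # thread's tcp_outgoing_address
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"    # assumed location

# ensure_rt_table FILE ID NAME
# Append "ID<tab>NAME" to an rt_tables file unless that exact pair is already
# there. Prints "added", "present" or "conflict" (id or name taken by a
# different entry, the case the post warns about for the value 200).
ensure_rt_table() {
    file=$1; id=$2; name=$3
    if sed 's/#.*//' "$file" | awk -v id="$id" -v name="$name" \
        '$1 == id && $2 == name { found = 1 } END { exit !found }'; then
        echo present; return 0
    fi
    if sed 's/#.*//' "$file" | awk -v id="$id" -v name="$name" \
        '$1 == id || $2 == name { taken = 1 } END { exit !taken }'; then
        echo conflict; return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
    echo added
}

# squid_conf_has_outgoing FILE ADDR
# True if FILE carries an uncommented "tcp_outgoing_address ADDR" line.
# Comment lines have "#" as their first field, so the sample block quoted
# in the post does not count.
squid_conf_has_outgoing() {
    awk -v a="$2" \
        '$1 == "tcp_outgoing_address" && $2 == a { f = 1 } END { exit !f }' "$1"
}

# render_policy_cmds NET GW TABLE
# Print the two ip(8) commands from the post, one per line, so they can be
# reviewed or pasted into whatever interface-up script makes them persistent.
render_policy_cmds() {
    net=$1; gw=$2; table=$3
    printf 'ip rule add from %s table %s\n' "$net" "$table"
    printf 'ip route add default via %s table %s\n' "$gw" "$table"
}

# apply_policy: needs root. "ip rule add" is not idempotent (it happily adds
# duplicates), so check "ip rule show" first; "ip route replace" is idempotent.
apply_policy() {
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME"
    if ! ip rule show | grep -q "from $WAN1_NET lookup $TABLE_NAME"; then
        ip rule add from "$WAN1_NET" table "$TABLE_NAME"
    fi
    ip route replace default via "$WAN1_GW" table "$TABLE_NAME"
    squid_conf_has_outgoing "$SQUID_CONF" "$WAN1_ADDR" ||
        echo "warning: add 'tcp_outgoing_address $WAN1_ADDR' to $SQUID_CONF" >&2
}

# verify_policy: ask the kernel which gateway a socket bound to WAN1_ADDR
# would use (198.51.100.1 is a documentation address standing in for "the
# internet"). Squid's upstream connections carry that source address once
# tcp_outgoing_address is set, so this is the path they will take.
verify_policy() {
    ip route get 198.51.100.1 from "$WAN1_ADDR" | grep -q "via $WAN1_GW"
}

case "${1:-}" in
    apply) apply_policy && verify_policy && echo "WAN 1 policy routing active" ;;
    show)  render_policy_cmds "$WAN1_NET" "$WAN1_GW" "$TABLE_NAME" ;;
    *)     : ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

`sh policy-wan1.sh show` prints the commands for review; `sh policy-wan1.sh apply` (as root) adds the table, rule and route and confirms with `ip route get` that traffic sourced from the WAN 1 address leaves via the WAN 1 gateway. To make it persistent, call the script with `apply` from the distribution's interface-up hook for the WAN 1 interface rather than from a one-off shell.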

yorbs8 02-09-2010 10:29 PM

Thanks devwatchdog! I'll try following your solution. Thanks again! :)

devwatchdog 02-11-2010 05:59 AM

Quote:

Originally Posted by yorbs8 (Post 3858554)
Thanks devwatchdog! I'll try following your solution. Thanks again! :)

You're welcome! But I'm wondering if it worked for you. Was this successful?

yorbs8 02-11-2010 11:51 PM

Yeah, it worked! ;) But I added a few lines of code to mark port 3128 so that it will use WAN1's gateway....

Code:

# Forward HTTP port to squid port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.3.1:3128

# Mark SQUID port 3128
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -p tcp --in-interface eth2 --dport 3128 -j MARK --set-mark 1

ip rule add from 192.168.3.0/24 fwmark 1 table web.out
ip route add default via 192.168.1.1 dev eth0 table web.out

Thanks again! :)

lukeshih 02-28-2010 11:56 PM

Thanks for this solution.

But I got another question.

If my squid.conf is without "tcp_outgoing_address wan1's gateway":

My network interfaces:
eth0 wan1
eth1 wan2
eth2 wan3
eth3 lan 192.168.1.0/24

My iptable T1:
wan1 ip dev eth0 scope link
192.168.1.0/24 dev eth3 scope link
default via wan1's dev eth0

iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

HTTP traffic does not follow the iptables;
sometimes it goes via eth1 or eth2.

After "tcp_outgoing_address wan1's gateway" was added to squid.conf,
it worked correctly.

Why??? What does squid do???

The HTTP traffic:
192.168.1.x http request => iptables (nat) redirect 3128 => iptables (mangle) mark 1
=> route table T1 => internet

Why can't iptables control the traffic?

I want to create the table T2:
wan1's gateway dev eth0 scope link
wan2's gateway dev eth1 scope link
wan3's gateway dev eth2 scope link
192.168.1.0/24 dev eth3 scope link
default
nexthop via wan1's gateway dev eth0 weight 1 onlink
nexthop via wan2's gateway dev eth1 weight 1 onlink
nexthop via wan3's gateway dev eth2 weight 1 onlink

How do I make squid's routing follow this table?

Thanks for any advice!!!

devwatchdog 03-01-2010 07:32 PM

Quote:

Originally Posted by lukeshih (Post 3880629)
Thanks for this solution.

But I got another question.

Hello lukeshih!

Could you open up another thread with your question? You'll get more attention that way, and we can work on your problem then.
