Re: [squid-users] transparently redirect traffic to the Squid with L4-7 switch

From: irwin s <irw25@dont-contact.us>
Date: Fri, 25 Oct 2002 12:44:22 +0800

Cooper,

This is my iptables script in /etc/rc3.d.

/sbin/iptables -F
/sbin/iptables -C
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Currently, Squid starts first, prior to the above. Does it matter whether the
iptables rules should be started prior to Squid or vice versa?

The reason I suspect iptables is that I have 2 similar Squid servers (1 for
transparent, 1 for forward proxy), and the one with iptables (for transparent
proxy) crashed often, hence the server was unpingable. Has anyone here faced
similar symptoms? Please do share with me. Thanks.

Regards,

Irwin

>From: Joe Cooper <joe@swelltech.com>
>To: irwin s <irw25@hotmail.com>, squid-users@squid-cache.org
>Subject: Re: [squid-users] transparently redirect traffic to the Squid with
>L4-7 switch
>Date: Thu, 24 Oct 2002 23:37:06 -0500
>
>Because the L4 switch is just routing traffic through your Squid machine.
>The destination on the packets is /still/ the origin server the client is
>trying to reach. If the Squid machine has no redirect rule, the packet
>will simply be routed through.
>
>If iptables doesn't work for you, then you need to fix iptables. Not using
>it isn't an option, if you want Squid to be an interception proxy on Linux
>kernel 2.4.
>
>irwin s wrote:
>>Hi Cooper,
>>
>>Why is it that a local redirection is needed if my Foundry switch is able to
>>redirect port 80 traffic? Is it more to the fact that the L4/L7 switch needs
>>to be able to do translation from port 80 to port 8080 (my Squid port)?
>>
>>Is it possible for a workaround to bypass iptables (as it crashes often, a
>>point of failure here, iptables v1.2.6a)?
>>
>>Currently:
>>router -> intercepts port 80
>>
>>Foundry switch -> accepts port 80 traffic from the router and distributes it
>>to the Squid server on port 80
>>
>>server (RH7.2) -> iptables does the redirection from 80 to Squid on 8080
>>Apache runs on port 80
>>Squid listens on port 8080
>>iptables redirects port 80 from the Foundry net to the Squid port 8080
>>
>>Many thanks.
>>
>>Regards,
>>
>>irwin
>>
>>
>>
>>>From: Joe Cooper <joe@swelltech.com>
>>>To: "Hicks, Rick" <RHicks@stantec.com>
>>>CC: "'squid-users@squid-cache.org'" <squid-users@squid-cache.org>
>>>Subject: Re: [squid-users] transparently redirect traffic to the Squid
>>>with L4-7 switch
>>>Date: Thu, 24 Oct 2002 18:00:57 -0500
>>>
>>>Hicks, Rick wrote:
>>>
>>>>Hi, we are working with an Alteon L4-7 web switch to transparently redirect
>>>>traffic to the Squid. We are running Squid on RedHat 7.2. We found examples
>>>>in the docs (http://squid.visolve.com/faq.htm) on how to do this, but all
>>>>the examples use ipchains; 7.2 uses iptables. This is what we have done:
>>>>
>>>>httpd_accel_host virtual
>>>>httpd_accel_port 80
>>>>httpd_accel_with_proxy on
>>>>httpd_accel_uses_host_header on
>>>>
>>>>The part that we can not figure out is how to do this with iptables, or
>>>>should we even have to do anything, since our Alteon is redirecting all
>>>>port 80 requests to port 3128 on the Squid? It does not seem to work,
>>>>however, but we can see the requests are coming into the Squid box.
>>>>
>>>>ipchains -A input -j REDIRECT 3128 -p tcp -s <Your Network Address> -d 0.0.0.0/0 80
>>>>(do we need to do this at all, with iptables obviously on 7.2)
>>>
>>>
>>>Yes, you still need local port redirection. The packet redirection at
>>>the L4/L7 can't do it for you--even if you alter it to send to port 3128.
>>>--
>>>Joe Cooper <joe@swelltech.com>
>>>Web caching appliances and support.
>>>http://www.swelltech.com
>>
>
>
>--
>Joe Cooper <joe@swelltech.com>
>Web caching appliances and support.
>http://www.swelltech.com
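As an added illustration of the local port redirection Joe says is still required on the Squid box (this is example code written for this page, not code from the thread, from Squid or from any of the posters), the script below expresses the PREROUTING REDIRECT rule in the iptables 1.2.x syntax the thread uses, but in a form that is safe to re-run from /etc/rc3.d and that keeps a local Apache on port 80 reachable. The interface, client network, proxy address, Squid port and chain name are all assumptions chosen for the example. Running it with no argument only prints the rules; `apply` feeds them to a root shell.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent iptables setup for Squid
# interception on Linux 2.4 / iptables 1.2.x. Rules are first emitted as text
# so they can be reviewed (or tested) before being fed to a shell.
#
# Assumptions (all illustrative): client traffic arrives from the L4 switch on
# eth0 from 10.0.0.0/8, the proxy box itself is 192.168.1.10 and also runs
# Apache on port 80, and Squid listens on 8080.

IFACE=${IFACE:-eth0}
CLIENT_NET=${CLIENT_NET:-10.0.0.0/8}
PROXY_IP=${PROXY_IP:-192.168.1.10}
SQUID_PORT=${SQUID_PORT:-8080}
CHAIN=${CHAIN:-SQUID_INTERCEPT}

# Emit one iptables command per line.
#  - A dedicated nat chain is created (error ignored if it already exists)
#    and flushed, so re-running never stacks duplicate REDIRECT rules. Note
#    that a bare "iptables -F" only flushes the filter table, not nat.
#  - Traffic addressed to the proxy's own IP is RETURNed before the REDIRECT,
#    so requests for the local Apache on :80 are not swallowed by Squid.
#  - Only the client network is redirected; anything else on :80 is routed
#    through unchanged, just as Joe describes for a box with no rule at all.
#  - The PREROUTING jump is deleted (ignoring "no such rule") and re-added,
#    the pre-1.4 idiom for "add exactly once", since iptables 1.2 had no
#    working rule-check option.
# REDIRECT in PREROUTING never touches locally generated packets, so Squid's
# own fetches from origin servers on :80 are not looped back into it.
intercept_rules() {
    cat <<EOF
iptables -t nat -N $CHAIN 2>/dev/null || true
iptables -t nat -F $CHAIN
iptables -t nat -A $CHAIN -d $PROXY_IP -j RETURN
iptables -t nat -A $CHAIN -s $CLIENT_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -D PREROUTING -i $IFACE -p tcp --dport 80 -j $CHAIN 2>/dev/null || true
iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j $CHAIN
EOF
}

# Sanity check on the emitted rule set: the RETURN for the proxy's own address
# must precede the REDIRECT, or the local Apache becomes unreachable.
# Returns 0 when the order is right.
rules_ordered() {
    ret=$(intercept_rules | grep -n -- '-j RETURN' | cut -d: -f1)
    red=$(intercept_rules | grep -n -- '-j REDIRECT' | cut -d: -f1)
    [ -n "$ret" ] && [ -n "$red" ] && [ "$ret" -lt "$red" ]
}

# Feed the commands to a shell that stops at the first failure. Needs root.
apply_rules() {
    rules_ordered || return 1
    intercept_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     intercept_rules ;;   # dry run: print what would be applied
esac
```

Because the rules live in their own chain and the script is idempotent, it does not matter whether it runs before or after Squid starts: a connection redirected to port 8080 while Squid is down is simply refused by the kernel, and is served normally once Squid is listening.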

Received on Thu Oct 24 2002 - 22:44:29 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:54 MST