I have a unique situation where I have a multi-homed
machine running squid where I will need to do some
kind of load balancing for outbound squid traffic.
Well, if both the outgoing interface are nat-ed, things will
be relatively easier, I will just do transparent proxy
(without tproxy ). Since the identity of the original http
requests are lost anyway, tproxy will be redundant.
However, in a situation where one of the outgoing legs is
NOT NAT-ed, while another leg is NAT-ed, this is where
I am in trouble.
When the outgoing interface is not NAT-ed, I would like
to be able to do tproxy, retaining the identity of the
original http requests. However, when I use the squid
redirective,
http_port 3128 tproxy transparent
The un-NAT-ed leg will work just fine but I noticed that for the
NAT-ed leg, the outgoing traffic gets out to the internet
using the source IP of the original http request DESPITE that
there is a SNAT on the nat POSTROUTING chain. As you can
imagine, this will cause return traffic unable to come back to the
machine.
Wonder if it is the limitation of the tproxy kernel patch,
or it's just the way I did (wrong) which causes the behaviour.
Appreciate your inputs.
--------------------------------------------
Important Warning!
***************************
This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it.
Received on Mon Oct 22 2007 - 19:23:01 MDT
This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT