Re: [squid-users] TPROXY but without bridging?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Sun, 30 Mar 2008 00:12:35 +0100

On Fri, 2008-03-28 at 22:04 +0100, admin@abp.pl wrote:
> Hello,
>
> I'm using Squid Cache: Version 2.6.STABLE18
>
> Is there a possibility to use it as a fully transparent proxy (with tproxy) but
> without bridging interfaces?

Yes, but you must make sure the proxy sees all HTTP traffic in both
directions (both outgoing requests and incoming responses).

> Clients are connected to routers a, b, ... On those routers I have DNAT
> --to-destination squid:80

Don't DNAT on the other routers; instead policy route the connections
using CONNMARK and ip policy rules.

i.e. something like the following on the client routers:

iptables -t mangle -A PREROUTING -i clientinterface -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i clientinterface -j CONNMARK --restore-mark
ip route add table 100 default via ip.of.squid.server
ip rule add fwmark 1 lookup 100

And on the upstream router (router 0) similar rules routing incoming
packets with source port 80 to the proxy server instead of the client...

iptables -t mangle -A PREROUTING -i insideinterface -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK --restore-mark
ip route add table 100 default via ip.of.squid.server
ip rule add fwmark 1 lookup 100

Regards
Henrik
Received on Sun Mar 30 2008 - 04:37:49 MDT
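The two rule sets above, written out as one script with both router roles, as an added example (not code from the list post or from the Squid project). Interface names, the Squid address 192.0.2.10, mark 1 and table 100 are placeholders; the only deliberate difference from the post is the `ip rule` syntax, which is `fwmark N lookup TABLE` (there is no `via` keyword in `ip rule`). It defaults to a dry run that prints the commands, so the generated rules can be reviewed before they are applied. Two caveats a practitioner should check: the Squid host's own connections to origin servers must leave through router 0 and never through a client router, or its port-80 traffic would be policy-routed back to itself; and TPROXY delivers packets whose source address is not local, so reverse-path filtering on the Squid host must be relaxed for it to work.

```shell
#!/bin/sh
# CONNMARK-based policy routing of port-80 flows to a TPROXY Squid box.
# Added example with placeholder addresses and interfaces; DRY_RUN=1 (default)
# only prints the commands, DRY_RUN=0 executes them (needs root).
set -eu

MARK=1
TABLE=100
SQUID_IP="${SQUID_IP:-192.0.2.10}"   # placeholder (TEST-NET-1), not a real host
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Route every packet carrying the mark through a table whose default
# gateway is the Squid server. Shared by both router roles.
emit_policy_route() {
    run ip route replace table "$TABLE" default via "$SQUID_IP"
    # correct ip rule syntax: "fwmark N lookup TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Client router: mark the conntrack entry when a client opens a port-80
# connection, copy that mark onto every later packet of the connection
# arriving on the client-facing interface, then policy-route marked packets.
emit_client_router() {
    in_if="$1"
    run iptables -t mangle -A PREROUTING -i "$in_if" -m state --state NEW \
        -p tcp --dport 80 -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$in_if" -j CONNMARK --restore-mark
    emit_policy_route
}

# Upstream router (router 0): mark outbound port-80 connections seen on the
# inside interface (these come from Squid, spoofing client addresses), and
# restore the mark on packets coming back in from the outside so the
# responses with source port 80 are routed to Squid instead of the client.
emit_upstream_router() {
    inside_if="$1"
    outside_if="$2"
    run iptables -t mangle -A PREROUTING -i "$inside_if" -m state --state NEW \
        -p tcp --dport 80 -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$outside_if" -j CONNMARK --restore-mark
    emit_policy_route
}

# show_state: what to inspect after applying the rules for real.
show_state() {
    ip rule show
    ip route show table "$TABLE"
    iptables -t mangle -L PREROUTING -v -n
}

case "${1:-}" in
    client)   emit_client_router "${2:?client-facing interface}" ;;
    upstream) emit_upstream_router "${2:?inside interface}" "${3:?outside interface}" ;;
    show)     show_state ;;
    "")       : ;;   # no role given: only define the functions
    *)        echo "usage: $0 client IF | upstream INSIDE_IF OUTSIDE_IF | show" >&2; exit 2 ;;
esac
```

Usage: `sh tproxy-route.sh client eth1` on each client router and `sh tproxy-route.sh upstream eth1 eth0` on router 0 print the rules; prefix with `DRY_RUN=0 SQUID_IP=<real address>` to apply them, then `sh tproxy-route.sh show` to confirm the rule and table are in place. With conntrack-tools installed, `conntrack -L --mark 1` lists the flows currently being steered to the proxy.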

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT