Re: [squid-users] regarding squid with tproxy wccp

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Feb 2010 22:47:28 +1300

senthil wrote:
> Amos Jeffries wrote:
>> senthil wrote:
>>> HI
>>>
>>> I have installed Tproxy 4 .
>>>
>>> I have done all the prerequisites like compiling kernel and installing
>>> iptables 1.4 etc
>>>
>>> When i create Bridge i cant able to browse in private ip
>>>
>>> My network :
>>>
>>> Internet ---> (eth1)squid machine(eth0)------>test client
>>>
>>> eth1 -public ip
>>>
>>> eth0 and test client ip ---->private in 172 series
>>>
>>> But i able to browse in public ip and access is seen in log of squid
>>
>>
>> So if I understand you correctly, ... when you attempt to use a
>> private non-Internet IP address on the public Internet it fails?
>>
>> Things to know:
>> * bridging is based around preserving the IP address unchanged across
>> the machine.
>>
>> * TPROXY is based around preserving the IP address across the machine.
>>
>>
>> 172 series IP addresses require NAT to contact the Internet.
>>
>> * NAT is based around destroying the IP address. But maintaining
>> information such that any response can be copied back to the right
>> client.
>>
>>
>> Since you have 172.* addresses coming in one side and being NAT'd I
>> advise dropping the bridge and tproxy usage. There is no point in
>> going to extreme lengths to preserve the IP address at such low level
>> only to destroy it as soon as it exits Squid.
>>
>> The NAT interception setup for Squid should be sufficient.
>>
>> Amos
> thanks for the reply
>
> But we use public ip also in order to preserve it we need Tproxy.
>
> The router configuration does not support wccp how can i use Tproxy
>
> My network :
>
> Internet ---> (eth1)squid machine(eth0)------>test client
>
> eth1 -public ip
>
> eth0 - test client ip ---->private in 172 series (we also use public IP)
>
> when we enable tproxy and bridge public ip able to browse but not the
> private ip
>
> thanks
> senthil

Oh. I get you now. Okay this is what you need...

re: Bridging. This is not really needed. You can ignore all that bit if
you want. TPROXY will work in a regular router configuration just as
well as on a bridge (better on some kernels).

re: WCCP. This is not really needed either. It's just one way among many
of getting the packets to the Squid box ethN card. whatever you have now
in place to get the packets through the box will probably be fine.

For the packet capturing from both types of network you need a
combination of NAT and TPROXY configuration.
Like this:

squid.conf:
   # NAT receiving port
   http_port 3127 intercept

   # TPROXY receiving port
   http_port 3129 tproxy

   # and one for direct proxy access (management, direct clients, etc)...
   http_port 3128

iptables:
   # replace $SQUID with the Squid box IP address.

   # The NAT bits for 172/8 private IP addressed clients.
   # (MASQUERADE limited to the private range, so the outbound connections
   # Squid makes with a preserved public client IP are not rewritten too)
   iptables -t nat -A POSTROUTING -s 172.0.0.0/8 -j MASQUERADE
   iptables -t nat -A PREROUTING -s $SQUID -p tcp --dport 80 -j ACCEPT

   # repeat this line for each RFC 1918 private address range you want to
   # proxy (replace 172.0.0.0/8 as needed)
   iptables -t nat -A PREROUTING -p tcp -s 172.0.0.0/8 --dport 80 \
      -j DNAT --to-destination $SQUID:3127

   # the TPROXY bits for public-IP addressed clients
   iptables -t mangle -N DIVERT
   iptables -t mangle -A DIVERT -j MARK --set-mark 1
   iptables -t mangle -A DIVERT -j ACCEPT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

   # repeat this line for each of your public Internet IP ranges you want
   # to proxy (replace 1.0.0.0/8 as needed)
   iptables -t mangle -A PREROUTING -p tcp -s 1.0.0.0/8 --dport 80 \
      -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

... and all the routing bits as set already I think, to allow forwarding
of packets.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
   Current Beta Squid 3.1.0.16
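The combined NAT-plus-TPROXY setup from Amos's reply, written up as a small POSIX shell script. This is an added example, not Amos's script or anything from the Squid project: it generates one DNAT rule per private range and one TPROXY rule per public range from two variable lists, adds the policy-routing entries and forwarding sysctl that a TPROXY box needs (these "routing bits" are only alluded to in the reply, so treating them as the usual fwmark/table-100 setup is an assumption of this example), and prints the commands instead of running them unless DRY_RUN=0. The Squid address 192.0.2.10, the public range 203.0.113.0/24 and the WAN interface name eth1 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build the NAT + TPROXY
# interception rules for a Squid box sitting between a LAN and the Internet.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).

SQUID=${SQUID:-192.0.2.10}          # constructed: Squid box address
WAN_IF=${WAN_IF:-eth1}              # interface facing the Internet
NAT_PORT=${NAT_PORT:-3127}          # http_port ... intercept
TPROXY_PORT=${TPROXY_PORT:-3129}    # http_port ... tproxy
# RFC 1918 ranges: these clients must be NAT'd, so they use the intercept port
PRIVATE_NETS=${PRIVATE_NETS:-"10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"}
# Public ranges whose source address must be preserved: TPROXY path
PUBLIC_NETS=${PUBLIC_NETS:-"203.0.113.0/24"}   # constructed placeholder
DRY_RUN=${DRY_RUN:-1}

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# NAT path: masquerade only the private ranges on the way out, and DNAT their
# port-80 traffic to Squid's intercept port. Scoping MASQUERADE to the private
# ranges matters: an unrestricted MASQUERADE would also rewrite the source of
# the outbound connections Squid opens with a preserved public client address.
nat_rules() {
    run iptables -t nat -A PREROUTING -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    for net in $PRIVATE_NETS; do
        run iptables -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
        run iptables -t nat -A PREROUTING -p tcp -s "$net" --dport 80 \
            -j DNAT --to-destination "$SQUID:$NAT_PORT"
    done
}

# TPROXY path: the DIVERT chain marks packets that already belong to a local
# socket (replies on established connections) and must come before the TPROXY
# rule; new port-80 flows from public ranges are marked and handed to Squid.
tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    for net in $PUBLIC_NETS; do
        run iptables -t mangle -A PREROUTING -p tcp -s "$net" --dport 80 \
            -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"
    done
}

# Policy routing so that fwmark-1 packets are delivered locally instead of
# being forwarded, plus IP forwarding for everything else (assumed standard
# TPROXY routing setup; the thread only refers to "the routing bits").
routing_bits() {
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    run sysctl -w net.ipv4.ip_forward=1
}

all_rules() {
    nat_rules
    tproxy_rules
    routing_bits
}

# Usage:  sh squid-intercept.sh            (print the rule set for review)
#         DRY_RUN=0 sh squid-intercept.sh  (apply it; needs root, iptables, iproute2)
all_rules
```

Review the printed rule set before applying it with DRY_RUN=0; afterwards `iptables -t nat -S PREROUTING` and `iptables -t mangle -S PREROUTING` show whether the DNAT and TPROXY rules landed in the order the script emits them, which is what keeps private clients on the NAT port and public clients on the TPROXY port.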
Received on Thu Feb 11 2010 - 09:47:38 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 11 2010 - 12:00:04 MST