[squid-users] Re: transparent proxy on remote box issue

From: WorkingMan <signup_mail2002_at_yahoo.com>
Date: Sat, 2 Nov 2013 08:17:09 +0000 (UTC)

> One hint I had was that the traffic is not marked correctly.
>
> This line, if added (I got it from somewhere online), will change the mac address of the web site to be the one of SQUID:
>
> iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 2
>
> With that rule:
> 06:13:38.327212 0a:a5:82:f8:2e:93 (VPN's mac) > 0a:3c:e1:08:45:b7 (SQUID's mac), IPv4, length 74: 10.0.0.170.57525 > 157.166.248.10.80 (web site): tcp 0
>
> Without that rule:
> 06:01:59.823267 0a:a5:82:f8:2e:93 (VPN's mac) > 0a:ee:81:f6:13:ef (SQUID's mac), IPv4, length 66: 10.0.0.170.43154 > 157.166.249.11.80 (web site): tcp 0
>

This diagram explains the flow of PRE/POSTROUTING/OUTPUT/FORWARD:
http://users.ecs.soton.ac.uk/ajf101/kptd.pdf

So the OUTPUT rule makes a difference because I am testing from a local process
(i.e. curl on the VPN server).
I then tried from the VPN client (inbound traffic) and POSTROUTING makes a
difference here (putting SQUID's mac). Here are some notes:

#marking inbound traffic:
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2

#marking outbound traffic (i.e. locally generated traffic):
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 2

Anyhow, that doesn't explain to me why the marked traffic is not going to SQUID.

Thanks
Received on Sat Nov 02 2013 - 08:17:32 MDT
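The post compares tcpdump lines by eye to see whether port-80 flows are being handed to the Squid box. The script below is an added example (not from the poster or the Squid project) that does that check over a capture: it parses `tcpdump -e -n` lines (line shape assumed from that output), keeps TCP packets to the proxied port, and reports whether each one's next-hop MAC is the proxy's. The sample lines and the proxy MAC are constructed from the addresses in the post.

```python
import re
from collections import Counter

# Line shape assumed from "tcpdump -e -n" output (not the annotated excerpt in the post).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>[0-9a-f:]{17})\s*>\s*(?P<dmac>[0-9a-f:]{17}),.*?length\s+\d+:\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

# Constructed sample capture: same hosts as the post, one port-80 flow per iptables state,
# plus one port-443 flow and one ARP line that the audit must ignore.
SAMPLE = [
    "06:13:38.327212 0a:a5:82:f8:2e:93 > 0a:3c:e1:08:45:b7, ethertype IPv4 (0x0800), "
    "length 74: 10.0.0.170.57525 > 157.166.248.10.80: Flags [S], seq 0, win 29200, length 0",
    "06:01:59.823267 0a:a5:82:f8:2e:93 > 0a:ee:81:f6:13:ef, ethertype IPv4 (0x0800), "
    "length 66: 10.0.0.170.43154 > 157.166.249.11.80: Flags [S], seq 0, win 29200, length 0",
    "06:02:01.000001 0a:a5:82:f8:2e:93 > 0a:ee:81:f6:13:ef, ethertype IPv4 (0x0800), "
    "length 66: 10.0.0.170.43155 > 157.166.249.11.443: Flags [S], seq 0, win 29200, length 0",
    "06:02:02.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.170, length 28",
]
PROXY_MAC = "0a:3c:e1:08:45:b7"  # assumed: the Squid box's MAC on this segment

def parse_line(line):
    """Return the L2/L4 fields of one tcpdump line, or None if it is not TCP/IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def audit(lines, proxy_mac, port=80):
    """For each packet to `port`, record whether its next hop is the proxy's MAC."""
    proxy_mac = proxy_mac.lower()
    rows = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != port:
            continue  # not TCP/IPv4, or not traffic the mark rule should catch
        rows.append({"ts": pkt["ts"], "flow": f'{pkt["sip"]}:{pkt["sport"]}->{pkt["dip"]}',
                     "to_proxy": pkt["dmac"].lower() == proxy_mac})
    return rows

def summarize(rows):
    """Count flows that reached the proxy versus flows that bypassed it."""
    c = Counter("proxy" if r["to_proxy"] else "bypass" for r in rows)
    return {"proxy": c["proxy"], "bypass": c["bypass"]}

if __name__ == "__main__":
    rows = audit(SAMPLE, PROXY_MAC)
    for r in rows:
        print(r["ts"], r["flow"], "-> proxy" if r["to_proxy"] else "-> BYPASSED proxy")
    print(summarize(rows))
```

Any "bypass" row is a port-80 flow that left the box without being steered to the proxy, which is the symptom the post describes; feed it a real `tcpdump -e -n -i eth0 tcp port 80` capture to check a live setup.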

This archive was generated by hypermail 2.2.0 : Sat Nov 02 2013 - 12:00:05 MDT