Re: TPROXY Interception and Multiples ISP Rules (Shorewall) dont work

On 09/05/2012 03:19, Amos Jeffries wrote:
> On 09.05.2012 03:07, Vinicius R. Baenas wrote:
>> Hello,
>>
>> I wonder if someone could use TPROXY with Shorewall and
>> transparent Squid while using the routing rules on Shorewall (tcrules)
>> for hosts / networks (LAN) with multiple providers (WANs) directly
>> from the internal network on port 80 (with TPROXY transparent Squid or
>> REDIRECT).
>> On this issue, the routing rules do not work properly because the
>> source is the firewall ($FW), not the hosts or networks (LAN).
>> My guess is the TPROXY interception (spoofing) is not working...
>> Thank you...
>
>
> REDIRECT uses NAT which erases the IP addresses and would always lead to
> the behaviour you describe.
>
> TPROXY would only result in such behaviour if not working. But you don't
> say what software versions you have on the box running Squid. TPROXY is
> new enough that specific minimum versions are still very important and
> bugs exist in uncommon use-cases. wiki.squid-cache.org/Features/Tproxy4
> covers the specifics.
>
> Amos

I was curious about it and found out that Shorewall is using iptables mark to load-balance and direct/route traffic in a multi-WAN setup, so it's pretty obvious why this occurs for TPROXY.
If it uses some PREROUTING mangle to mark the packets,
then they are re-marked for TPROXY and the whole multi-WAN setup/settings is useless.
That is why it's better used on a routing level while using TPROXY.

Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

