
List:       squid-users
Subject:    Re: [squid-users] Tproxy 4.1 question....
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2009-07-31 4:09:52
Message-ID: 4A726E90.3000600 () treenet ! co ! nz

Stephan Viljoen wrote:
> Hi There,
> 
> I was just wondering whether a Tproxy setup is still possible when running
> Squid and iptables on two different servers? HTTP traffic will pass through
> the iptables firewall, get marked and then routed to the proxy server which,
> if I understand things correctly, should forward the request as the customer's
> IP address.
> 

No. Such a setup as you describe in fact has _two_ iptables and Squid 
involved.

The nature of TPROXY is that it switches IP-layer details around as they 
enter Squid and allows Squid to send packets using the client IP. Due to 
that first bit, it _cannot_ work on a machine other than the Squid box.

You want the firewall iptables to be doing regular policy-routing of 
packets from client through the Squid box. The Squid box iptables is the 
only place TPROXY occurs.

I would seriously advise using multiple NIC/Ports (2 or 3) on the 
firewall/router for LAN, Internet, Squid.

Unmarked packets in the Internet NIC are always routed to Squid. 
Unmarked packets in the LAN NIC are routed to Squid.
With 2 NICs, Squid can TOS mark all packets outgoing, and the firewall 
let them through without routing if it needs to. With 3 NICs the TOS 
marking is not needed and the source NIC can be used to mark and route.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
   Current Beta Squid 3.1.0.12
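As an added illustration of the split described above (not code from the original message or from the Squid project): the firewall/router only policy-routes client traffic and Internet replies toward the Squid box, and the TPROXY rules live on the Squid box alone. It assumes the 3-NIC layout (LAN eth0, Internet eth1, Squid eth2), a Squid box at 192.0.2.10 with `http_port 3129 tproxy`, and prints the commands by default (DRY_RUN=1) rather than applying them.

```shell
#!/bin/sh
# Added example, not the original message's or Squid's code: 3-NIC layout.
# Interface names, addresses, marks and table numbers are assumptions.
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands only; 0 = apply them (as root)
SQUID_IP="192.0.2.10"              # assumed address of the Squid box
LAN_IF="eth0"; WAN_IF="eth1"       # assumed firewall NICs; the Squid NIC is eth2
SQUID_PORT="3129"                  # must match "http_port 3129 tproxy" in squid.conf

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Firewall/router: no TPROXY here, only policy routing toward the Squid box.
firewall_rules() {
    run ip rule add fwmark 2 lookup 101
    run ip route add default via "$SQUID_IP" table 101
    # Client web traffic arriving on the LAN NIC is steered to Squid ...
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark 2
    # ... and so are replies arriving on the Internet NIC: Squid sent the request
    # with the client's IP, so the reply is addressed to the client, not to Squid.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --sport 80 -j MARK --set-mark 2
    # Packets arriving on the Squid NIC (eth2) are never marked, so Squid's own
    # traffic is forwarded normally: no loop, and no TOS marking needed with 3 NICs.
}

# Squid box: the only place TPROXY occurs.
squid_box_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Reverse-path filtering would drop packets carrying spoofed client addresses.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Packets for already-established local sockets are diverted; new port-80
    # connections are handed to TPROXY, which delivers them to Squid's tproxy port.
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port "$SQUID_PORT"
}

firewall_rules   # run this part on the firewall/router
squid_box_rules  # and this part on the Squid box
```

Set DRY_RUN=0 on each box to apply its half; the firewall half never mentions TPROXY or the Squid port, which is the point of the split.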