* [LARTC] Direct SQUID Traffic to eth0
From: Marcelo Rosa @ 2004-02-04 14:36 UTC (permalink / raw)
To: lartc
Hi,
I have a Linux box at the border of a customer's network with the following setup:
Eth0 - ADSL with dynamic IP
Eth1 - Internet connection with 6 IPs available
eth2 - Internal net 1
eth3 - Internal net 2
This box runs Squid in transparent mode. I redirect all traffic to the Internet on port 80
to port 3128 on the box, when coming from eth2 and eth3.
I need to make all traffic from eth2 and eth3 get to the Internet through eth0, and the
traffic the firewall originates too.
Only traffic received from a single host on eth3 and coming from eth1 should get out
through eth1.
How can I accomplish this?
--
Marcelo de Azevedo Rosa
Consultor/Instrutor em Tecnologias de Rede
Network Technologies Consultant/Instructor - CCDA/CCNA/CCSI/MCNE
GnuPG (www.gnupg.org) - Key ID: 0xFE26FC98
Key fingerprint = B055 B875 67FB 40A3 FBBF A1CB 903D DBB0 FE26 FC98
http://signature.coola.com/?marcelorosa2000@yahoo.com.br
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Direct SQUID Traffic to eth0
From: Damion de Soto @ 2004-02-05 5:39 UTC (permalink / raw)
To: lartc
Hi Marcelo,
> I have a Linux box at the border of a customer's network with the following setup:
>
> This box runs Squid in transparent mode. I redirect all traffic to the Internet on port 80
> to port 3128 on the box, when coming from eth2 and eth3.
> I need to make all traffic from eth2 and eth3 get to the Internet through eth0, and the
> traffic the firewall originates too.
> Only traffic received from a single host on eth3 and coming from eth1 should get out
> through eth1.
You should be able to use 2 routing tables,
one with a default gateway via eth1, and the other via eth0.
You then use policy routing rules,
like this, I think:
# table 1: default via the eth0 (ADSL) gateway, as the text above says; the
# original lines read "eth2-gw-IP", which was a slip. Anything no rule catches,
# including traffic the box itself originates, follows main's default, also via eth0.
ip route add 0/0 via eth0-gw-IP table 1
ip route add default via eth0-gw-IP dev eth0
ip rule add pref 1000 from eth0-IP lookup 1
# table 2: default via the eth1 gateway; used for the single eth3 host and for
# packets sourced from eth1's own address (replies to connections that came in on eth1)
ip route add 0/0 via eth1-gw-IP table 2
ip rule add pref 1001 from eth1-IP lookup 2
ip rule add pref 1002 from eth3-single-IP lookup 2
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear - A CyberGuard Company --- ph: +61 7 3435 2809
| Custom Embedded Solutions fax: +61 7 3891 3630
| and Security Appliances web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---
* RE: [LARTC] Direct SQUID Traffic to eth0
From: Marcelo Rosa @ 2004-02-05 12:32 UTC (permalink / raw)
To: lartc
I think you're right, but there's one problem.
I need to NAT/MASQ the address; it's going out with an RFC 1918 address. I
have tried marking the packets originated by the router with fwmark, but I
can only do this in the OUTPUT chain, and then I can no longer NAT/MASQ
them.
I tried this:
IF1=eth0
IF2=eth1
IP1=10.1.1.2
IP2=XXX.XXX.X.XXX
P1=10.1.1.1
P2=XXX.XXX.X.XXX
P1_NET=10.1.1.0/24      # prefix length assumed; a bare 10.1.1.0 would be a /32 host route
P2_NET=XXX.XXX.X.XXX
# net_hom and net_emp must be declared in /etc/iproute2/rt_tables, e.g.
#   1 net_hom
#   2 net_emp
#Create two tables with the local routes
/sbin/ip route add $P1_NET dev $IF1 src $IP1 table net_hom
/sbin/ip route add $P2_NET dev $IF2 src $IP2 table net_emp
#Create two default routes (one on each table) and choose one to figure in
#table main
/sbin/ip route add default via $P1 table net_hom
/sbin/ip route add default via $P2 table net_emp
/sbin/ip route del default
/sbin/ip route add default via $P1
#Create the outgoing routes
/sbin/ip route add $P1_NET dev $IF1 src $IP1
/sbin/ip route add $P2_NET dev $IF2 src $IP2
#Populate the tables with routes (copy everything from main except the default)
/sbin/ip route show table main | grep -Ev '^default' | while read ROUTE ; do
    /sbin/ip route add table net_emp $ROUTE
done
/sbin/ip route show table main | grep -Ev '^default' | while read ROUTE ; do
    /sbin/ip route add table net_hom $ROUTE
done
#Create the rules to direct some of the internal hosts (the ones that should
#go to eth1) to the correct route
for i in 1 2 3 4 5 6 7 8 9 10 ; do
    /sbin/ip rule add from 192.168.0.$i table net_emp
done
#Create the rules to direct traffic from eth1 out to eth1 and from eth0 out
#to eth0
/sbin/ip rule add from $IP1 table net_hom
/sbin/ip rule add from $IP2 table net_emp
Questions:
1 - Do you think I'm right? Should this work?
2 - How can I verify that this is working? tcpdump? Is there an /sbin/ip
option to verify this?
3 - Is the syntax correct?
Thanks a lot.
Marcelo de Azevedo Rosa
Consultor/Instrutor em Tecnologias de Rede
Network Technologies Consultant/Instructor - CCDA/CCNA/MCNE/CCSI
Fone: 55 41 344-1262/41-9154-3696
ICQ: 45543362/MSN: marcelorosa@hotmail.com/Yahoo: marcelorosa2000/AIM:
watcher2110
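The following is an added example, not code from either Marcelo or Damion. It puts Damion's two-table suggestion and the NAT/fwmark question from the last message into one script: main default via the ADSL link on eth0, a second table for the eth1 uplink, rules for the single eth3 host and for eth1's own address, an fwmark rule for locally generated packets marked in mangle OUTPUT, and source NAT per egress interface in nat POSTROUTING. The eth1 addresses, the LAN prefixes and the special host are assumptions (Marcelo X'ed his out), and the `mailer` uid is a hypothetical local service whose own traffic should use eth1. By default it only prints the commands; DRY_RUN=0 as root executes them.

```shell
#!/bin/sh
# Added example; not code from the thread. Two-table policy routing for the
# box described above. Addresses for eth1, the LANs and the special host are
# assumptions; "mailer" is a hypothetical uid whose local traffic should leave
# via eth1. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
set -u
DRY_RUN="${DRY_RUN:-1}"

IF_ADSL=eth0; GW_ADSL=10.1.1.1                         # ADSL gateway from Marcelo's script
IF_LINK=eth1; IP_LINK=203.0.113.2; GW_LINK=203.0.113.1 # assumed (TEST-NET-3)
LAN_NETS="192.168.0.0/24 192.168.1.0/24"               # eth2 and eth3 nets, assumed
SPECIAL_HOST=192.168.1.10                              # eth3 host that must use eth1, assumed
LINK_UID=mailer                                        # hypothetical uid whose own traffic uses eth1
T_LINK=200                                             # numeric table id: no rt_tables entry needed
MARK_LINK=0x2

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

routes() {
    # main: anything no rule catches, Squid's own connections included, leaves via ADSL
    run ip route replace default via "$GW_ADSL" dev "$IF_ADSL"
    # table 200 holds only a default via the eth1 gateway
    run ip route replace default via "$GW_LINK" dev "$IF_LINK" table "$T_LINK"
}

rules() {
    # Custom rules are consulted before main, and table 200 has no LAN routes, so
    # keep LAN-to-LAN traffic in main explicitly instead of copying main's routes
    for net in $LAN_NETS; do run ip rule add pref 100 to "$net" lookup main; done
    run ip rule add pref 1000 from "$SPECIAL_HOST" lookup "$T_LINK"
    # replies to connections that arrived on eth1 are sourced from IP_LINK
    run ip rule add pref 1001 from "$IP_LINK" lookup "$T_LINK"
    # locally generated packets marked in mangle OUTPUT (see nat_and_marks)
    run ip rule add pref 1002 fwmark "$MARK_LINK" lookup "$T_LINK"
}

nat_and_marks() {
    # Transparent proxy: LAN port-80 flows are redirected to Squid on 3128. After
    # this, the upstream requests Squid makes are *local* packets sourced from the
    # box's own address, so the "from SPECIAL_HOST" rule no longer sees them.
    for net in $LAN_NETS; do
        run iptables -t nat -A PREROUTING -s "$net" -p tcp --dport 80 -j REDIRECT --to-ports 3128
    done
    # Marking in mangle OUTPUT is fine: the kernel repeats the route lookup after
    # the mark is set, and nat POSTROUTING still runs afterwards on the chosen interface.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$LINK_UID" -j MARK --set-mark "$MARK_LINK"
    run iptables -t nat -A POSTROUTING -o "$IF_ADSL" -j MASQUERADE            # dynamic address
    run iptables -t nat -A POSTROUTING -o "$IF_LINK" -j SNAT --to-source "$IP_LINK"
}

apply_all() { routes; rules; nat_and_marks; }

# Verification without tcpdump: ask the kernel which route a flow would take.
#   which_way 192.168.1.10 198.51.100.7 eth3   (forwarded packet from the special host)
#   which_way_local 198.51.100.7 0x2           (locally generated, marked packet)
which_way()       { ip route get "$2" from "$1" iif "$3"; }
which_way_local() { ip route get "$1" mark "$2"; }
```

Two practical notes. First, `ip rule show` and `ip route show table 200` display the state the script leaves behind, and `ip route get` answers the "which way does this flow go" question directly; on a multi-homed box also check `/proc/sys/net/ipv4/conf/*/rp_filter`, since strict reverse-path filtering drops replies that come back on the other uplink. Second, because REDIRECT turns the special host's web requests into Squid's own connections, the `from SPECIAL_HOST` rule steers only that host's non-proxied traffic; if its proxied requests must also leave via eth1, one option (an assumption about the deployment, not something the thread states) is Squid's `tcp_outgoing_address` directive with an `acl ... src` for that host, binding those requests to IP_LINK so the `from IP_LINK` rule routes them out eth1.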