mangle squid packets

mangle squid packets

[marcus]

Hi, I've managed to work a 3 gateway linux router using this mangle rule
to mark local net incoming packets:

iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -d 0/0 -j MARK --set-mark 3

Works, great. But i cant do the same with squid activated, I'm using
transparent proxy:

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 80 -j REDIRECT
--to-port 3128

I dont know what mangle rule I need to mark squid transparent packets, I
have tried all the following (One at a time):

        iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -d 0/0 -j MARK
--set-mark 3
        iptables -A PREROUTING -t mangle -s 127.0.0.1 -d 0/0  -j MARK
--set-mark 3
        iptables -A PREROUTING -t mangle -p tcp --dport 80 -j MARK
--set-mark 3
        iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j MARK
--set-mark 3

Any ideas??

Thanks.

-- 
<http://www.lanhelp.com.br> 	Atenciosamente,
Marcus Leandro
Suporte / Consultoria
marcus@lanhelp.com.br

Re: mangle squid packets

[Jan Engelhardt]

>I dont know what mangle rule I need to mark squid transparent packets, I
>have tried all the following (One at a time):

Because Squid practically starts a new connection, you need special help 
from squid itself to mark outgoing packets based on incoming ones.

This is done by TPROXY, a netfilter module from Balabit.com.
Unfortunately, they do not have a version for 2.6.11 and up yet.



Jan Engelhardt                                                               
--                                                                            
| Alphagate Systems, http://alphagate.hopto.org/

Re: mangle squid packets

[Askar]

Before marking squid packets you have to define route with "ip"
iproute2 command more info could be find on www.lartc.org , below is
an example of iproute + iptables for your firewall machine.

echo 112 squid.out >> /etc/iproute2/rt_tables
ip rule add fwmark 3 table squid.out
ip route add default via xxx.xxx.xxx.xx dev eth0 table squid.out 
ip route flush cache

# repacle xxx.xxx.xx with squid server ip
#####
here is iptables part

iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark 3


regards

Askar
hope this would helps


On 7/5/05, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> 
> >I dont know what mangle rule I need to mark squid transparent packets, I
> >have tried all the following (One at a time):
> 
> Because Squid practically starts a new connection, you need special help
> from squid itself to mark outgoing packets based on incoming ones.
> 
> This is done by TPROXY, a netfilter module from Balabit.com.
> Unfortunately, they do not have a version for 2.6.11 and up yet.
> 
> 
> 
> Jan Engelhardt
> --
> | Alphagate Systems, http://alphagate.hopto.org/
> 
> 
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

Re: mangle squid packets

[Jan Engelhardt]

>Before marking squid packets you have to define route with "ip"
>iproute2 command more info could be find on www.lartc.org , below is
>an example of iproute + iptables for your firewall machine.

As for my part, I (plan to) go with an ebtables solution, which does not 
involve all the bothering with routing. Of course, you need to need to know 
etherbridges :)