[LARTC] Lartc & Squid

[LARTC] Lartc & Squid

[Arindam Haldar]

hi all,

We are using squid 25s1 with kernel 2.4.19 and iproute2(+julian's 
Pathes) with the following acl..

  acl short_path  dst  128.0.0.0/8
  tcp_outgoing_address  myIp2nd  short_path

we are linked to 2 isp--one having satelite & the other OFC. We want the 
above mentioned network to go thru OFC(ispB) as the sibling resides 
there. But when i use squidclient mgr:server_list command i see that rtt 
is still 650ms  which is the time taken by satelite provider(ispA). The 
OFC takes 230ms.

On this linux box we have 2 interface linked to different isp & the 3rd 
serves our local network.. The rules defined are...

50:     from NETB lookup ispB
50:     from ofiNetA lookup ispB
50:     from ofiNetB lookup ispB
75:     from NETA lookup ispA
125:    from ofiNetC lookup BALANCE
125:    from ofiNetD lookup BALANCE
125:    from ofiNetE lookup BALANCE
32766:  from all lookup main
32767:  from all lookup default

the default is defined in default table & is towards ispA & the other 
routes are, ascan be guessed, according to the providers.

My Question is--
what can be done so that squid uses path according to the interface 
defined ?
how can local generated packets(on the linux box) uses a path as wanted 
by us(in the rules) ?

Awaiting a reply/suggestion/experience from you very anxiously..

A.H

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Lartc & Squid

[Vincent Jaussaud]

On Mon, 2002-11-25 at 05:08, Arindam Haldar wrote:
> hi all,
hi,

> 
> We are using squid 25s1 with kernel 2.4.19 and iproute2(+julian's 
> Pathes) with the following acl..
> 
>   acl short_path  dst  128.0.0.0/8
>   tcp_outgoing_address  myIp2nd  short_path
> 
> we are linked to 2 isp--one having satelite & the other OFC. We want the 
> above mentioned network to go thru OFC(ispB) as the sibling resides 
> there. But when i use squidclient mgr:server_list command i see that rtt 
> is still 650ms  which is the time taken by satelite provider(ispA). The 
> OFC takes 230ms.
> 
ip rule add prio 50 to 128.0.0.0/8 lookup ispB
should do the trick.

> My Question is--
> what can be done so that squid uses path according to the interface 
> defined ?
I'm not sure to understand your question. But if you want all packets
sent by squid to use a specific gateway, you need to mark them, and
route them according to this.

Eg,

iptables -t mangle -A OUTPUT -m owner --uid-owner squid_uid -j MARK
--set-mark 1

Then,
ip rule add prio 50 fwmark 1 lookup ispX


> how can local generated packets(on the linux box) uses a path as wanted 
> by us(in the rules) ?
> 
Same answer, mark them.

iptables -t mangle -A OUTPUT -j MARK --set-mark 2

Then, instruct the kernel to route marked packets through a specific ISP

ip rule add prio 50 fwmark 2 lookup ispX

> Awaiting a reply/suggestion/experience from you very anxiously..
Hope this helps.
Cheers,
Vincent.

> 
> A.H
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
-- 
Vincent Jaussaud
Kelkoo.com Security Manager 
email: tatooin@kelkoo.com

"The UNIX philosophy is to design small tools that do one thing, and do
it well."

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/