Re: transparent proxy with LINUX 2.0.29 and CISCO IOS 11.1

From: Brian <[email protected]>
Date: Wed, 11 Mar 1998 09:08:34 -0600 (CST)

On Wed, 11 Mar 1998, Sys Admin/Curtis Hays II wrote:

> Thank you for putting this detailed explanation of what you've put
> together from the emails you rx'd from this group a while back.. I was
> watching them then, but there were too many bits and pieces for me to put
> it together...
>
> One question... If you were to use your linux box as the terminal server
> and use the same ipfwadm commands you show... wouldn't you lose the need
> for the access lists in your router? I am currently using a cheap router
> that does not have NEAR the capabilities of a cisco (It wasn't up to me to
> get it)... we have a small ISP (100+ users) and use the Linux box as the
> terminal server using a multiport serial card.
>
> Am I missing something or would the ipfwadm commands redirect all terminal
> server www traffic to my squid server (same box as terminal server).
>
> Thanks,
> Curtis
>

I believe so. You know a linux box, running ipfwadm and some other
routing software/tools (gated, tcpdump, etc) makes for an excellent
alternative router. You can put serial ports, ethernet ports, all kinds
of cool cards in it, for cheap and have control over complex ACLs and
network monitoring.

> On Tue, 10 Mar 1998, Brian wrote:
>
> >
> >
> > Date: Mon, 9 Feb 1998 14:08:11 -0600 (CST)
> > From: Brian <signal@shreve.net>
> > To: jcostom@jasons.org
> > Subject: Cisco redirection
> >
> > Here is how I have transparent proxying working for me, in an environment
> > where my router is a Cisco 2501 running IOS 11.1, and Squid machine is
> > running Linux 2.0.33.
> >
> > Many thanks to the following individuals and the squid-users list for
> > helping me get redirection and transparent proxying working on my
> > Cisco/Linux box.
> >
> > Lincoln Dale
> > Riccardo Vratogna
> > Mark White
> > Henrik Nordstrom
> >
> > First, here is what I added to my Cisco, which is running IOS 11.1. In
> > IOS 11.1 the route-map command is "process switched" as opposed to the
> > faster "fast-switched" route-map which is found in IOS 11.2 and later.
> > You may wish to be running IOS 11.2. I am running 11.1, and have had no
> > problems with my current load of about 150 simultaneous connections to
> > squid:
> >
> >
> > !
> > interface Ethernet0
> > description To Office Ethernet
> > ip address 208.206.76.1 255.255.255.0
> > no ip directed-broadcast
> > no ip mroute-cache
> > ip policy route-map proxy-redir
> > !
> > access-list 110 deny tcp host 208.206.76.44 any eq www
> > access-list 110 permit tcp any any eq www
> > route-map proxy-redir permit 10
> > match ip address 110
> > set ip next-hop 208.206.76.44
> >
> >
> > So basically from above you can see I added the "route-map" declaration,
> > and an access-list, and then turned the route-map on under int e0 with "ip
> > policy route-map proxy-redir".
> >
> > OK, so the Cisco is taken care of at this point. The host above:
> > 208.206.76.44, is the ip number of my squid host.
> >
> > My squid box runs Linux, so I had to do the following on it:
> >
> > my kernel (2.0.33) config looks like this:
> >
> > #
> > # Networking options
> > #
> > CONFIG_FIREWALL=y
> > # CONFIG_NET_ALIAS is not set
> > CONFIG_INET=y
> > CONFIG_IP_FORWARD=y
> > CONFIG_IP_MULTICAST=y
> > CONFIG_SYN_COOKIES=y
> > # CONFIG_RST_COOKIES is not set
> > CONFIG_IP_FIREWALL=y
> > # CONFIG_IP_FIREWALL_VERBOSE is not set
> > CONFIG_IP_MASQUERADE=y
> > # CONFIG_IP_MASQUERADE_IPAUTOFW is not set
> > CONFIG_IP_MASQUERADE_ICMP=y
> > CONFIG_IP_TRANSPARENT_PROXY=y
> > CONFIG_IP_ALWAYS_DEFRAG=y
> > # CONFIG_IP_ACCT is not set
> > CONFIG_IP_ROUTER=y
> >
> > You will need Firewalling and Transparent Proxy turned on at a minimum.
> >
> > Then some ipfwadm stuff:
> >
> > # Accept all on loopback
> > ipfwadm -I -a accept -W lo
> > # Accept my own IP, to prevent loops (repeat for each interface/alias)
> > ipfwadm -I -a accept -P tcp -D 208.206.76.44 80
> > # Send all traffic destined to port 80 to Squid on port 3128
> > ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128
> >
> > It accepts packets on port 80 (redirected from the Cisco), and redirects
> > them to 3128 which is the port my squid process is sitting on. I put all
> > this in /etc/rc.d/rc.local
> >
> >
> > and the squid is configured as:
> >
> > http_port 80
> > icp_port 3130
> > httpd_accel virtual 80
> > httpd_accel_with_proxy on
> >
> >
> > I am using v1.1.20 of the squid with the patch at:
> >
> > http://hem.passagen.se/hno/squid/squid-1.1.20.host_and_virtual.patch
> >
> > installed. You will want to install this patch if using a setup similar
> > to mine.
> >
> > This works great. Many thanks again to all of those listed above in
> > helping me.
> >
> >
> > Brian
> >
> >
> > /-------------------------- signal@shreve.net -----------------------------\
> > | Brian Feeny | USR TC Hubs | ShreveNet Inc. (318)222-2638 |
> > | Network Administrator | Perl, Linux | Web hosting, online stores, |
> > | ShreveNet Inc. | USR Pilot | Dial-Up 14.4-56k, ISDN & LANs |
> > | 89 CRX DX w/MPFI, lots of |-=*:Quake:*=-| http://www.shreve.net/ |
> > | mods/Homepage coming soon |LordSignal/SN| Quake server: 208.206.76.47 |
> > \-------------------------- 318-222-2638 x109 -----------------------------/
>

/-------------------------- signal@shreve.net -----------------------------\
| Brian Feeny | USR TC Hubs | ShreveNet Inc. (318)222-2638 |
| Network Administrator | Perl, Linux | Web hosting, online stores, |
| ShreveNet Inc. | USR Pilot | Dial-Up 14.4-56k, ISDN & LANs |
| 89 CRX DX w/MPFI, lots of |-=*:Quake:*=-| http://www.shreve.net/ |
| mods/Homepage coming soon |LordSignal/SN| Quake server: 208.206.76.47 |
\-------------------------- 318-222-2638 x109 -----------------------------/
Received on Wed Mar 11 1998 - 07:09:31 MST
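The two-stage redirection the forwarded message describes (the Cisco route-map sending port-80 traffic to the Squid host, then the ipfwadm input rules on the Squid box redirecting port 80 to 3128) can be traced on sample packets. The model below is an added example, not Brian's code and not from the squid-users list: it implements first-match evaluation for both the Cisco access-list (with its implicit deny at the end) and the ipfwadm chain, so it shows why the `deny tcp host 208.206.76.44 any eq www` line is needed to keep Squid's own fetches from being policy-routed back to itself, and why the "accept my own IP" rule must precede the redirect rule. Only 208.206.76.44 and the rule text come from the thread; every other address is constructed.

```python
"""Model of the transparent-proxy redirection from the squid-users thread.

Added example, not the thread author's code. It simulates (1) the Cisco
route-map 'proxy-redir' that policy-routes port-80 traffic to the Squid host
and (2) the ipfwadm input rules on the Squid box that redirect port 80 to
3128. All packet addresses other than 208.206.76.44 are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

SQUID_HOST = "208.206.76.44"   # Squid box IP from the thread
SQUID_PORT = 3128              # port the Squid process listens on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _addr_match(spec: str, addr: str) -> bool:
    """Address spec as written in the thread: 'any', '0/0', 'host A.B.C.D',
    or a bare address/prefix."""
    if spec in ("any", "0/0"):
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


# access-list 110 from the thread, in order. Cisco ACLs are first-match and
# end with an implicit deny.
ACCESS_LIST_110 = [
    ("deny",   "tcp", f"host {SQUID_HOST}", "any", 80),
    ("permit", "tcp", "any",                "any", 80),
]


def acl_permits(acl, pkt: Packet) -> bool:
    """First-match evaluation; no match means the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and _addr_match(src, pkt.src)
                and _addr_match(dst, pkt.dst) and dport == pkt.dport):
            return action == "permit"
    return False


def cisco_next_hop(pkt: Packet):
    """route-map proxy-redir permit 10 / match ip address 110 / set ip next-hop.
    Returns the policy next-hop, or None for ordinary destination routing."""
    return SQUID_HOST if acl_permits(ACCESS_LIST_110, pkt) else None


# ipfwadm -I rules from the thread, in order (first match wins):
#   ipfwadm -I -a accept -W lo
#   ipfwadm -I -a accept -P tcp -D 208.206.76.44 80
#   ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128
IPFWADM_INPUT = [
    {"iface": "lo"},
    {"proto": "tcp", "dst": f"host {SQUID_HOST}", "dport": 80},
    {"proto": "tcp", "dst": "0/0", "dport": 80, "redirect": SQUID_PORT},
]


def squid_box_input(pkt: Packet, iface: str = "eth0") -> Packet:
    """Apply the input chain on the Squid box and return the packet as the
    local stack will see it (destination port rewritten if redirected)."""
    for rule in IPFWADM_INPUT:
        if "iface" in rule:
            if rule["iface"] == iface:
                return pkt          # accepted as-is, no redirect
            continue
        if (rule["proto"] == pkt.proto and _addr_match(rule["dst"], pkt.dst)
                and rule["dport"] == pkt.dport):
            if "redirect" in rule:
                return replace(pkt, dport=rule["redirect"])
            return pkt              # accepted without redirect
    return pkt                      # no rule matched; default policy


def trace(pkt: Packet) -> dict:
    """Follow one packet through the router and, if policy-routed, the Squid box."""
    hop = cisco_next_hop(pkt)
    result = {"next_hop": hop, "redirected_to": None}
    if hop == SQUID_HOST:
        result["redirected_to"] = squid_box_input(pkt).dport
    return result


if __name__ == "__main__":
    # Constructed packets: an office client and Squid itself, both to an
    # outside web server.
    print("client  ->", trace(Packet("208.206.76.10", "198.51.100.7", 80)))
    print("squid   ->", trace(Packet(SQUID_HOST, "198.51.100.7", 80)))
    print("client https ->", trace(Packet("208.206.76.10", "198.51.100.7", 443)))
```

Running it shows the client's port-80 request policy-routed to the Squid host and landing on 3128, Squid's own outbound request falling through to normal routing because of the deny entry, and port-443 traffic untouched by the route-map. Dropping that deny entry (`ACCESS_LIST_110[1:]`) makes the ACL permit Squid's own traffic, which is exactly the redirect loop the first access-list line exists to prevent.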
