Re: [SQU] Layer 4 switching and IPChains

From: Ken Kirchner <[email protected]>
Date: Wed, 23 Aug 2000 04:20:09 -0500 (CDT)

On Wed, 23 Aug 2000, Joe Cooper wrote:

> Hi Ken,
>
> Quite simple...Assuming your squid box is doing the port redirect
> internally, and is acting as a gateway, and ip_forward is turned on, you
> can simply put an ACCEPT rule before the REDIRECT rule in your ipchains
> list. If the squid box is not doing the 80 -> 3128 REDIRECT then there
> is no easy way I know of to do this,

I'll have to check, but I'm pretty sure our squids are set up for port 80
in squid.conf (http_port 80). Are you recommending that I instead set my
squid to port 3128 and use IPChains to redirect 80 to 3128? And if so,
why? What is the advantage to this? Either way, would not an ACCEPT rule
work at the beginning of the chain?

> aside from doing it in the L4
> switch (why can't you do it there anyway, they're built for just such
> things?).

Like I said, this stupid switch only allows 1 ACL, and we are using that
one for a porn filter at the moment. At least the darn thing load
balances across our two squids, so that's nice.

Thanks for the reply Joe. I will muse over this some more with your
recommendations.

-Ken

>
> A sanitized example to bypass the cache for 172.16.1.1:
>
> ipchains -I input 1 -s 0/0 -d 172.16.1.1 80 -p tcp -j ACCEPT
> ipchains -A input -s 192.168.1.0/24 -d 0/0 80 -p tcp -j REDIRECT 3128
>
> Seems to work in the cases I've seen.
>
> Ken Kirchner wrote:
> >
> > Hey all,
> >
> > We are using a layer 4 switch to pump all port 80 TCP/IP traffic to two
> > squid servers. This is all warm and fuzzy and working wonderfully.
> >
> > The problem we are having is that we are transparently proxying our
> > customers and this "breaks" a few of their applications. Since there is
> > no "forward" acl operator in squid (only "allow" or "deny"), I am looking
> > for ways to selectively eliminate an IP or group of IP's from squid's
> > proxying. I've just finished reading over squid's documentation and I can't
> > find anything that will work with transparent proxying (The switch only
> > has 1 ACL if you can believe it).
> >
> > What I'm now looking into is a way to add rules to ipchains on the squid
> > boxes. These rules would forward packets from the selected IP's straight
> > to our border router for direct processing and bypass squid altogether.
> >
> > Am I mad? Am I insane? Is anyone else doing something like this? Will
> > it even work??
> >
> > The lists will hopefully be very short (and static of course).
>
>
> --
> Joe Cooper <joe@swelltech.com>
> Affordable Web Caching Proxy Appliances
> http://www.swelltech.com
>

-- 
Ken Kirchner                   :  kenk@shreve.net
Assistant System Administrator :  Tel (318)222-2638
ShreveNet, Inc.                :  Fax (318)213-2650
ShreveNet - Your Premium Internet Service Provider!
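The ACCEPT-before-REDIRECT ordering Joe describes, as an added example that is not part of this thread: a small sh script that builds the ipchains rule set from a static bypass list. The LAN range (192.168.1.0/24), squid port (3128) and bypass list are placeholders taken from or constructed for the thread, and nothing is executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Bypass hosts get an ACCEPT rule
# inserted at the head of the input chain, so they match before the
# catch-all REDIRECT that sends customer port-80 traffic to squid.
# Placeholders (not from the thread): LAN_NET, SQUID_PORT, the list file.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # customer source range (placeholder)
SQUID_PORT="${SQUID_PORT:-3128}"       # squid http_port when redirecting
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute

# Print the commands in the order they must be issued, one per line.
# Bypass destinations are read from stdin: one IP or CIDR per line,
# '#' comments and blank lines are ignored.
gen_rules() {
    # The catch-all REDIRECT is appended first ...
    echo "ipchains -A input -s $LAN_NET -d 0/0 80 -p tcp -j REDIRECT $SQUID_PORT"
    # ... then every bypass ACCEPT is inserted at position 1, so each one
    # lands ahead of the REDIRECT no matter how many entries there are.
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while read -r dst; do
        echo "ipchains -I input 1 -s 0/0 -d $dst 80 -p tcp -j ACCEPT"
    done
}

# Apply the rules from a bypass list file, or only show them when DRY_RUN=1.
# Afterwards, "ipchains -L input -n" should list the ACCEPTs above the
# REDIRECT; if a REDIRECT appears first, the ordering is wrong.
apply_rules() {
    gen_rules < "$1" | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# Constructed sample bypass list: hosts whose applications break behind squid.
sample_list() {
    printf '%s\n' '# static bypass list' '172.16.1.1' '' '172.16.2.0/24'
}

# Usage: sample_list > /tmp/bypass.txt && DRY_RUN=1 ./this.sh /tmp/bypass.txt
[ -n "$1" ] && apply_rules "$1"
```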
Received on Wed Aug 23 2000 - 03:24:26 MDT
