RE: [squid-users] Transparent proxy questions.

From: Chris Oxenreider <[email protected]>
Date: Mon, 14 Oct 2002 21:15:34 -0500 (CDT)

Has anyone used any of the Marconi/Fore switches? What feature is this
that lets them use the port-redirect? Can I use the smallest ES-1000
for the task of placing the squid box in the packet path?

> > From: Chris Oxenreider [mailto:oxenreid@state.net]
> > Sent: Sunday, October 13, 2002 3:27 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Transparent proxy questions.
> >
> >
> >
> > Hi,
> >
> > I am trying to figure out how to do transparent proxying. I
> > have managed
> > to get all of the Squid/SquidGard/Apache items working.
> >
> > |--------| |---------|
> > | Net1 |\ Router1 |---------| Router2 |--->???
> > |--------| \ |-----| | |---------|
> > \---| | |-| |---------|
> > |--------| | | | | |NON Linux|
> > | Net2 |------| |--|X|--|Fire Wall|
> > |--------| | | | | | |
> > /---| | |-| |---------|
> > |--------| / |-----| | | |---------|
> > | Net3 |/ . |---------| Router3 |------->
> > |--------| | |---------| Internet
> > . |--------|
> > |-.-| Proxy |
> > |--------|
> >
> > Figure 1
> >
> > I have managed to get everything working on my Proxy box, and it works
> > fine in my test network if I set my client hosts to use the Proxy host as
> > the gateway device (not quite transparent).
> >
> > What I would like to do is to protect web traffic for networks 1, 2, and
> > 3 only. All other protocols should be untouched, by placing the Proxy
> > host as seen in figure 1. From here I get a little confused.
> >
> > In my mind, to make the transparent proxy functional I need to tell web
> > packets to go to the Proxy. But how?
> >
> > 1) Router based policy redirects (output extended-access-lists?).
> > (This is monstrously hard on the router cpu, and very slow.)
> >
> > 2) Use a layer 4 switch to forward all port 80 packets to the proxy.
> >
> > 3) Have the firewall only accept port 80 packets from the proxy and
> > somehow use promiscuous mode on the proxy to listen only for port
> > 80 connections, grab them and forward them.
> >
> > 4) Set Router1 to have a default route of the ip address of the
> > Proxy and set the Proxy to have a default route of the firewall.
> > With a secondary route marked as very expensive to the firewall
> > itself so that if the Proxy goes down eventually packets will get out.
> >
> > 5) Insert a second network card in the proxy and turn it into a
> > bridge as seen in Figure 2 and set up the firewall rules accordingly.
> > Though I have not seen anything on the list so far that looks like a
> > 'how-to' for this.
> >
> > |--------| |---------|
> > | Net1 |\ Router1 |---------| Router2 |--->???
> > |--------| \ |-----| | |---------|
> > \---| | |---------|
> > |--------| | | |NON Linux|
> > | Net2 |------| |--- --|Fire Wall|
> > |--------| | | | | | |
> > /---| | | | |---------|
> > |--------| / |-----| | | | |---------|
> > | Net3 |/ | | |---------| Router3 |------->
> > |--------| | | |---------| Internet
> > eth1 | | eth0
> > |--------|
> > | Proxy |
> > |--------|
> >
> > Figure 2
> >
> > From my observation, the use of a layer 4 switch seems to be the most
> > flexible and fault tolerant, though not the least expensive.
> >
> > I would like to see a 'how-to' on the bridge technique, but that needs
> > to be sure that it's bi-directional and that an ip address for a host on
> > network 1 retains its unique ip address on the other side of the proxy
> > for protocols other than port 80.
> >
> > The intriguing one is the use of 'default route' in number 4. Almost
> > like a layer 4 switch, but not quite as expensive.
> >
> > Am I barking up the wrong tree? Is this the complicated part? Am I
> > making it more complicated than it needs to be? Comments?
> > Suggestions?
> >
> >
> > my /etc/rc.d/fw.local script looks like this:
> >
> > # Send web traffic arriving on eth0 to the local Squid on port 3128
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
> >     --to-port 3128
> > # Forward the non-web traffic that passes through this box
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> > # Anti-spoofing, ICMP hardening and TCP tuning knobs
> > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> > echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> > echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> > echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> > echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> > echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> > echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> > echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> > echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
> > echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
> > echo 0 > /proc/sys/net/ipv4/tcp_sack
> > echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
> >
> >
> >

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Christopher G. Oxenreider | http://www.state.net/~oxenreid
oxenreid@state.net        | "You only get what you give"  -- New Radicals
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Received on Mon Oct 14 2002 - 20:15:35 MDT
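One way to build the two-NIC bridge of option 5 (Figure 2) on a Linux proxy, as an added example that is not part of the original thread; the interface names eth0/eth1, the bridge address 192.0.2.10/24, the firewall gateway 192.0.2.1 and the Squid port 3128 are assumptions. The script prints its plan by default and only executes it when invoked with `apply` as root.

```shell
#!/bin/sh
# Added example, not from the original post: bridge eth1 (inside) and eth0
# (outside) on the proxy and pull only inside->port-80 traffic into Squid.
# Interface names, addresses and the Squid port below are assumptions.
INSIDE=${INSIDE:-eth1}              # port facing Router1 / Net1-3
OUTSIDE=${OUTSIDE:-eth0}            # port facing the non-Linux firewall
BR=${BR:-br0}
BR_ADDR=${BR_ADDR:-192.0.2.10/24}   # REDIRECT targets the bridge's own address
GW=${GW:-192.0.2.1}                 # firewall; used by Squid's own outbound connections
SQUID_PORT=${SQUID_PORT:-3128}

# The single NAT rule that does the interception. physdev-in limits it to
# frames that entered on the inside port, so replies from the Internet and
# every non-port-80 protocol are bridged unchanged: inside hosts keep their
# own addresses on the far side of the proxy, as the post requires.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -m physdev --physdev-in %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$BR" "$INSIDE" "$SQUID_PORT"
}

# Full plan, one command per line, so it can be reviewed before it runs.
# br_netfilter is what makes bridged IP packets visible to iptables.
plan() {
    cat <<EOF
ip link add name $BR type bridge
ip link set dev $INSIDE master $BR
ip link set dev $OUTSIDE master $BR
ip link set dev $INSIDE up
ip link set dev $OUTSIDE up
ip addr add $BR_ADDR dev $BR
ip link set dev $BR up
ip route add default via $GW
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
    redirect_rule
}

# Number of commands in the plan; a cheap sanity check before applying.
plan_lines() { plan | wc -l | tr -d ' '; }

# Execute the plan as root; 'sh -e' stops at the first failing command.
apply() { plan | sh -e; }

if [ "${1:-}" = apply ]; then apply; else plan; fi
```

Squid itself must also listen in interception mode (`http_port 3128 intercept` in current Squid releases), and the connections it opens to origin servers carry the bridge's address rather than the client's unless TPROXY is used.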
