Iptables – Squid TPROXY on Ubuntu Router/Gateway

Tags: iptables, squid, transparent-proxy, ubuntu-14.04

Okay, so I have an Ubuntu box acting as router/gateway for my LAN, with 3 network cards: 2 for WAN and 1 for the local network. It is set up to load balance between the WANs and fail over when needed. And oh, I had to add Squid into the equation. It is currently set up to NAT-redirect the http/s ports to the Squid ports like so:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3126
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3127

I believe it is working fine… but I don't want to stop there. I would like to try TPROXY, but I cannot seem to make it work. I am getting no traffic in access.log and clients are timing out accessing sites.

Triangle routing is out of the question, and I don't think I should be using a bridge? So below is my attempt at doing it:

iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 3126 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j TPROXY --on-ip 0.0.0.0 --on-port 3127 --tproxy-mark 0x1/0x1

# this is supposed to mark wan traffic going back to lan?
iptables -t mangle -A PREROUTING -i eth2 -p tcp -d 192.168.1.0/24 -j MARK --set-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i eth3 -p tcp -d 192.168.1.0/24 -j MARK --set-mark 0x1/0x1

ip rule add fwmark 0x1/0x1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

Well, I am not sure if TPROXY is even possible with my setup. If it ain't possible, I'm gonna have to give up for now. But if it is, anybody would know how?

If your network topology uses a squid box sitting inside the router which passes packets to Squid, then you will need to explicitly add some additional configuration.
Like what configuration?

Thanks.

Best Answer

I think I got it working - I've used the DIVERT chain from the wiki but explicitly defined the 2 interfaces for the internet connection :)

For those interested, here's my final routing/firewall rule: click here
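The DIVERT-chain approach the answer refers to, reconstructed here as an added example; it is not the poster's own ruleset (that link is no longer available) and not Squid project code. It assumes the interfaces from the question (eth1 LAN with 192.168.1.0/24, eth2 and eth3 WAN), the Squid ports 3126 and 3127, mark 0x1 and routing table 100. The rules are generated as text first so they can be reviewed or diffed before being applied as root.

```shell
#!/bin/sh
# Added example: TPROXY interception on a two-WAN router with the DIVERT chain.
# Interface names, network and ports below are assumptions taken from the
# question; override them in the environment if your box differs.
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IFS=${WAN_IFS:-"eth2 eth3"}
HTTP_PORT=${HTTP_PORT:-3126}
HTTPS_PORT=${HTTPS_PORT:-3127}
MARK=0x1
TABLE=100

# Print every command needed, one per line, without executing anything,
# so the ruleset can be inspected without root.
tproxy_rules() {
    # Policy routing: marked packets are delivered locally even though their
    # destination address is not one of the router's own addresses.
    echo "ip rule add fwmark $MARK lookup $TABLE"
    echo "ip route add local 0.0.0.0/0 dev lo table $TABLE"

    # DIVERT chain: '-m socket' matches only packets that belong to a socket
    # Squid already owns (the replies coming back from the WAN for a
    # connection it intercepted). Those get the mark so they hit table 100
    # instead of being forwarded on to the LAN client. Ordinary forwarded
    # traffic has no local socket and is left alone, which is the difference
    # from marking every WAN->LAN TCP packet as the question's attempt does.
    echo "iptables -t mangle -N DIVERT"
    echo "iptables -t mangle -A DIVERT -j MARK --set-mark $MARK"
    echo "iptables -t mangle -A DIVERT -j ACCEPT"
    for wan in $WAN_IFS; do
        echo "iptables -t mangle -A PREROUTING -i $wan -p tcp -m socket -j DIVERT"
    done

    # Intercept new connections from LAN clients only. These rules must come
    # after the DIVERT rules: packets of an established intercepted flow are
    # caught by '-m socket' first and never reach TPROXY again. TPROXY does
    # not rewrite the packet, so Squid sees the original destination.
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $HTTP_PORT"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $HTTPS_PORT"
}

# Apply the generated rules in a fresh shell that stops at the first failure.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    tproxy_rules | sh -e -x
}

# Review first: ./tproxy.sh prints the rules; run apply_rules as root to load them.
tproxy_rules
```

On the Squid side the matching listeners need the `tproxy` option (for example `http_port 3126 tproxy`), and Squid has to keep CAP_NET_ADMIN after dropping privileges for the transparent sockets to work; without that, TPROXY silently delivers packets to a socket that cannot accept them and clients time out exactly as described in the question. The ordering inside PREROUTING matters: the `-m socket` DIVERT rules must precede the TPROXY rules.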
