iptables - packet marking with redirect to squid


I have a firewall that does load balancing through packet marking, with squid running on the same box.

I am marking the packets so that both of my links (gvt and OI) are used,

so link1 = gvt and link2 = OI.

It already works in part; I managed to send some ports out through link2 like this:

iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.1.2-192.168.1.199   -i eth2 -p tcp -m multiport --dport 25,80,3128,443,587,5938  -j MARK --set-mark 2

I tested it and the traffic left through link 2, except for port 80, which did not leave through link 2, because below this rule I have the rule that redirects to squid, like so:

iptables -t nat -A PREROUTING -s 192.168.1.0/255.255.255.0  -p tcp --dport 80 -j REDIRECT --to-port 3128

Even marking the packets for port 3128 and port 80, they still exit through link 1.

I think this rule ends up unmarking the packet, or something like that. Can someone help me adjust this rule, or add another one, to solve it?

1 answer

Redirecting port 80 to squid (transparent proxy) means that the packets are being intercepted in the firewall, and the one that actually makes the HTTP request is squid itself. Therefore, the mangle rule will not apply in this situation, since it is a rule that applies only to packets GOING THROUGH the firewall (i.e. packets coming from the internal network and directed to the internet). What you need is a rule that marks the packets generated by the firewall (i.e. coming from the squid running on the firewall). Something like:

iptables -t mangle -A OUTPUT -p tcp -m tcp ! -d 192.168.0.0/16 --dport 80 -j MARK --set-mark 2

Notice that the "! -d 192.168.0.0/16" is important to prevent squid connections to an internal web server from being (erroneously) routed to the internet. The above rule will therefore apply only to connections originating from the firewall with destination port 80.

  • Thank you, for the rule and mainly for the explanation. I think I understood a little: PREROUTING and POSTROUTING only see packets before and after routing, passing through the interfaces without reaching any application on the firewall, while FORWARD and OUTPUT would be packets coming from and going to the applications?
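The complete rule set the thread arrives at, written up as a script. This is an added example, not code from the question or the answer: it combines the asker's PREROUTING mark and REDIRECT rules with the answerer's OUTPUT mark rule, and adds a minimal fwmark policy-routing setup that the question says already exists but does not show. The link-2 interface (`eth1`), routing table number (`2`), and gateway (`203.0.113.1`, a documentation address) are assumed placeholders. With no arguments the script prints the commands instead of running them, which is handy for reviewing the rule order before applying it with `--apply` as root.

```shell
#!/bin/sh
# Added example (not from the original post). IPT and IP are overridable so the
# rule set can be printed with IPT=echo IP=echo instead of being applied.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"

LAN_IF="eth2"                          # internal interface, as in the question
LAN_NET="192.168.1.0/24"               # internal network, as in the question
LAN_RANGE="192.168.1.2-192.168.1.199"  # hosts that should use link 2
PRIVATE="192.168.0.0/16"               # never route traffic for these hosts to the internet
SQUID_PORT="3128"
LINK2_MARK="2"
LINK2_TABLE="${LINK2_TABLE:-2}"        # assumed: routing table for link 2 (OI)
LINK2_IF="${LINK2_IF:-eth1}"           # assumed: interface of link 2
LINK2_GW="${LINK2_GW:-203.0.113.1}"    # assumed placeholder gateway (TEST-NET-3)

apply_rules() {
    # 1. Policy routing: anything carrying mark 2 leaves through link 2.
    #    The question says this part already works; it is here for completeness.
    "$IP" rule add fwmark "$LINK2_MARK" table "$LINK2_TABLE"
    "$IP" route add default via "$LINK2_GW" dev "$LINK2_IF" table "$LINK2_TABLE"

    # 2. Forwarded LAN traffic on the listed ports: mark it for link 2.
    #    Port 80 is listed but never reaches FORWARD, because step 3 diverts it.
    "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -m iprange --src-range "$LAN_RANGE" \
        -p tcp -m multiport --dport 25,80,"$SQUID_PORT",443,587,5938 \
        -j MARK --set-mark "$LINK2_MARK"

    # 3. Transparent proxy: LAN port-80 traffic is handed to squid on the firewall.
    #    From here on the real HTTP connection is opened by squid itself, locally.
    "$IPT" -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # 4. Locally generated traffic traverses OUTPUT, not PREROUTING/FORWARD, so
    #    squid's own requests need their own mark rule. The "! -d" keeps
    #    connections to internal web servers on the normal LAN route.
    #    (Not in the original answer: adding "-m owner --uid-owner squid" would
    #    narrow this to sockets owned by the squid user.)
    "$IPT" -t mangle -A OUTPUT -p tcp ! -d "$PRIVATE" --dport 80 \
        -j MARK --set-mark "$LINK2_MARK"
}

# Print the rule set instead of applying it (subshell so the overrides don't leak).
dry_run_rules() {
    ( IPT=echo; IP=echo; apply_rules )
}

# Returns 0 when the rule set contains an OUTPUT-chain mark rule, the piece the
# question was missing.
check_output_mark() {
    dry_run_rules | grep -q -- '-t mangle -A OUTPUT .*--set-mark 2'
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    dry_run_rules
fi
```

Rule order matters only within a table: the nat REDIRECT and the mangle marks live in different tables, so the REDIRECT does not "unmark" anything; it simply moves the port-80 flow to a path (local delivery, then a new connection from squid via OUTPUT) that the PREROUTING mark rule never sees.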
