FW: [squid-users] multiple gateways

From: Gert Brits <gbrits@dont-contact.us>
Date: Tue, 24 Jan 2006 12:32:12 +0200

Thanks for the response ....

I have added all the rules in the /etc/iproute2/rt_tables file, which will
do the splitting, that is now done.

You said I should turn off my rp_filter then ? Why ... And where do I do
that ( echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter ) ?

Should I not use my TOS inside the squid conf file or something like :

tcp_outgoing_tos 0x10 all
tcp_outgoing_tos 0x20 adsl

Then make an acl for each user that should use adsl : acl user1 src
10.4.27.100/255.255.255.255

And make a http_access rule : http_access allow user1

And also : tcp_outgoing_address 192.168.1.2 adsl

Out of my head ....

-----Original Message-----
From: Brent Clark [mailto:bclark@eccotours.co.za]
Sent: 24 January 2006 12:12 PM
To: Gert Brits
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] multiple gateways

Gert Brits wrote:
> Hi all
>
> Need some help on the following
>
> The company has two internet lines , so there are two gateways on the
> network.
>
> They have one Linux Fedora 3 firewall, with 3 network cards.
>
> ETH0 = internal
> ETH1 = external ( gateway 1 )
> ETH2 = DSL ( gateway 2 )
>
> I need to split the browsing traffic for some people in the company
>
> I have been given 12 ip address, they must use the DSL link ( ETH2 )
> and the rest must use the EXTERNAL link ( ETH1 )
>
> Please help

Hi

This is not a squid issue, but a routing issue.

Suggest you apply to the LARTC and read the advanced routing howto

In the mean time, here is my routing script.
==============================================================

## Rebuild table DSL as a copy of the main table, minus its default route,
## so the local networks stay reachable from that table
ip route flush table DSL >>/dev/null
ip route show table main | grep -Ev '^default' \
   | while read ROUTE ; do
     ip route add table DSL $ROUTE
  done

## Add the ADSL gateway as the default route of table DSL

ip route add default via 192.168.10.200 dev eth2 table DSL >>/dev/null

## Send packets carrying fwmark 1 (set in the mangle table) to table DSL

ip rule add fwmark 1 table DSL >> /dev/null
=============================================================

Here is part of my rule set:
#!/bin/sh -

IPT=/sbin/iptables

# Rules for gateway

echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/ip_forward

#Clear \ Flush all the rules from the different chains and tables

$IPT --flush
$IPT --flush INPUT #Flush the INPUT chain
$IPT --flush OUTPUT #Flush the OUTPUT chain
$IPT --flush FORWARD #Flush the FORWARD chain
$IPT -t nat --flush #Flush the nat table
$IPT -t mangle --flush #Flush the mangle table
$IPT --delete-chain #Delete any pre-existing chains
$IPT -t nat --delete-chain #Delete any pre-existing chains from nat table
$IPT -t mangle --delete-chain #Delete any pre-existing chains from the mangle table

#Setting the default Policies for the chains
$IPT --policy INPUT DROP #Setting the default policy for INPUT chain
$IPT --policy FORWARD DROP #Setting the default policy for FORWARD chain
$IPT --policy OUTPUT DROP #Setting the default policy for the OUTPUT chain

#Setting Nat and mangle to default policy ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT

#Accepting traffic for and to internal interface
$IPT -A INPUT -i lo -j ACCEPT #Allowing unlimited loopback traffic
$IPT -A OUTPUT -o lo -j ACCEPT #Allowing unlimited loopback traffic

# SNAT the Private LAN
# ($EXTERNALIPFORETH0 and $EXTERNALIPFORETH2 are set in the part of the
# rule set not shown here)
$IPT -t nat -A POSTROUTING -o eth0 -s 192.168.111.0/24 -j SNAT --to $EXTERNALIPFORETH0
$IPT -t nat -A POSTROUTING -o eth2 -s 192.168.111.0/24 -j SNAT --to $EXTERNALIPFORETH2

$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# TO ALLOW ALL HTTP TRAFFIC OUT ETH2
$IPT -t filter -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW -j ACCEPT

You need to switch off the rp_filter.

HTH

Kind Regards
Brent Clark
Received on Tue Jan 24 2006 - 03:34:20 MST

This archive was generated by hypermail pre-2.1.9 : Wed Feb 01 2006 - 12:00:01 MST
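The thread leaves two pieces implicit: the mangle rule that actually sets fwmark 1 for the chosen clients, and why Gert's Squid-side `tcp_outgoing_tos` idea is needed at all (connections Squid opens on a client's behalf leave the firewall with the firewall's own source address, so a source-IP match never sees the client). The script below is an added example, not Brent's or Gert's code, that generates the complete set of iproute2, iptables and rp_filter commands for both the forwarded and the proxied case. It reuses the names from the thread (table DSL, fwmark 1, gateway 192.168.10.200 on eth2, TOS 0x20 for the "adsl" class); the client list, the LAN interface eth0 and the `emit`/`build_dsl_table`/`mark_*`/`disable_rp_filter` function names are constructed assumptions. By default it only prints the commands so the rule set can be reviewed; it executes them (as root) only when `RUN=1` is set.

```shell
#!/bin/sh
# Added example (not the script from the thread): generate the policy-routing
# and packet-marking commands that send a fixed set of LAN clients, and the
# Squid connections made for them, out the DSL link.
# From the thread: table DSL, fwmark 1, DSL gateway 192.168.10.200 on eth2,
# TOS 0x20 for the "adsl" class. Constructed assumptions: the LAN is on eth0,
# and the client list below stands in for the twelve addresses.

DSL_TABLE=DSL
DSL_MARK=1
DSL_GW=192.168.10.200
DSL_DEV=eth2
LAN_DEV=eth0
ADSL_TOS=0x20
IPT=/sbin/iptables

# Constructed stand-in for the "12 ip addresses" (three shown).
DSL_CLIENTS="10.4.27.100 10.4.27.101 10.4.27.102"

# Print a command (default) or run it when RUN=1 is exported.
emit() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Build table DSL from the main table's non-default routes (the same trick as
# the script in the thread) so local networks stay reachable, give it the DSL
# gateway as default, and send marked packets to it. Routes come from stdin:
#     ip route show table main | build_dsl_table
build_dsl_table() {
    emit ip route flush table "$DSL_TABLE"
    grep -Ev '^default' | while read -r route; do
        # word-splitting $route is intended: each word is one ip(8) argument
        emit ip route add table "$DSL_TABLE" $route
    done
    emit ip route add default via "$DSL_GW" dev "$DSL_DEV" table "$DSL_TABLE"
    emit ip rule add fwmark "$DSL_MARK" table "$DSL_TABLE"
}

# Forwarded (non-proxied) traffic: mark packets from the chosen clients as they
# arrive on the LAN interface, so the fwmark rule selects table DSL for them.
mark_dsl_clients() {
    for ip in $DSL_CLIENTS; do
        emit "$IPT" -t mangle -A PREROUTING -i "$LAN_DEV" -s "$ip" \
            -j MARK --set-mark "$DSL_MARK"
    done
}

# Proxied traffic: Squid's outgoing connections carry the firewall's source
# address, so match the TOS byte Squid sets (tcp_outgoing_tos 0x20 adsl in
# squid.conf) in the OUTPUT chain instead. The kernel re-runs the routing
# decision after mangle OUTPUT, so the mark set here still selects table DSL.
mark_squid_adsl() {
    emit "$IPT" -t mangle -A OUTPUT -m tos --tos "$ADSL_TOS" \
        -j MARK --set-mark "$DSL_MARK"
}

# With two upstream links a reply can arrive on an interface other than the one
# the main table would use to reach its source; strict reverse-path filtering
# drops such packets, which is why the thread says to switch rp_filter off.
# Clear it on both external interfaces and on "all", which is combined with
# the per-interface setting.
disable_rp_filter() {
    for dev in all eth1 "$DSL_DEV"; do
        emit sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    done
}

# Emit (or with RUN=1, apply) the whole set.
generate_all() {
    if command -v ip >/dev/null 2>&1; then
        ip route show table main 2>/dev/null | build_dsl_table
    else
        printf '%s\n' "# ip(8) not found: pipe 'ip route show table main' into build_dsl_table"
    fi
    mark_dsl_clients
    mark_squid_adsl
    disable_rp_filter
}

generate_all
```

Run it once without `RUN=1` and read the output against the existing rule set: the SNAT rules for `-o eth2` from Brent's script are still required, since packets routed out the DSL link must also be translated to that link's address, and the `adsl` ACL referenced by `tcp_outgoing_tos` has to exist in squid.conf (Gert's `acl user1 src ...` lines) or Squid will refuse the configuration. The OUTPUT-chain TOS match deliberately does not filter on port 80, because Squid also opens connections for CONNECT and other ports on the same clients' behalf.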