squid ipfw

Hi, I was wondering how HTTP traffic on the gateway can be caught and redirected with ipfw/nat.
My setup is as follows:

Code:
                    if2                                              if1
lan ------->(rl0 192.168.1.0) freebsd gateway(sis0 76.0.0.0) --------> internet                    
                                        |
                                        |
                                        |
                                        |
                                      192.168.1.110 ---------------> internet
                                      squid server
On the gateway's outside interface I have:
Code:
natd:
interface sis0
use_sockets yes
same_ports yes

I have a second instance of natd on rl0.
Code:
natd -v -n rl0 -p 8669 -redirect_address 192.168.1.110 0.0.0.0

The ipfw rules are:
Code:
divert 8668 ip from any to any via sis0
allow all from any to any via sis0
divert 8669 tcp from 192.168.1.0/24 to any dst-port 80 via rl0

tcpdump shows the gateway forwarding to the destination and not to squid.

Does anyone have any idea where this is going wrong?
 
Yes, at my first attempt I had
Code:
ipfw add fwd 192.168.1.110,5128 tcp from 192.168.1.0:255.255.255.0 to any 80
(I have squid on port 5128)

tcpdump shows the gateway forwarding the packets to the destination.
tcpdump on the squid machine doesn't show the packets arriving at all.

At first I figured the ipfw fwd would work, and it did on the gateway with squid listening on a third interface. After reading around a bit, I saw an article on the FreeBSD site that mentioned NAT and thought perhaps that might work.
But I'm doing something wrong and it isn't working for me, for sure :)
 
Code:
tcpdump shows the gateway forwarding the packets to the destination.

Edit: tcpdump shows the gateway forwarding the packets to the destination web address, not to the squid server.
 
Your squid server is a separate box from your firewall? And it's plugged into the same switch as the firewall and the rest of the LAN systems? Meaning, you only have 2 interfaces in your firewall. Correct?
 
Yes phoenix, that is correct. The gateway/firewall and the squid server are two separate units that are both connected to the same switch.
The gateway has two NICs, one public and one private.
 
OK. All that's missing, then, is to configure a gre(4) interface on the FreeBSD router and the Squid box, and to forward the traffic through that interface. When setting up the gre0 interface, you configure it as a WCCP (web cache control protocol, or something like that) transport.

I've never done that, personally. But there are several guides on doing so on the Squid FAQ, and around the Internet.

Just search for "freebsd ipfw wccp squid" for the details.
 
Yes, that seems to be exactly what I need. I will read up on this and post back my results.
Many thanks.
 
OK, that worked out well.

I created a (another) private alias on the LAN-side interface of my gateway machine.
Code:
ifconfig rl1 alias 10.0.0.2

Since gre was already compiled into the kernel, it was just a matter of
Code:
ifconfig gre0 create
ifconfig gre0 10.0.0.2 10.0.0.1 link1
ifconfig gre0 tunnel 192.168.1.114 192.168.1.110
route add -net 10.0.0 -netmask 255.255.255.0 10.0.0.1

Added the rule to ipfw:
Code:
ipfw add 100 fwd 10.0.0.1,5128 tcp from any to any 80
5128 is the port I have squid on.

It was the same thing on the squid server side.
Set squid to listen on 10.0.0.1.

Set the alias:
Code:
ifconfig bge1 alias 10.0.0.1
and created gre0:
Code:
ifconfig gre0 create
ifconfig gre0 10.0.0.1 10.0.0.2 link1
ifconfig gre0 tunnel 192.168.1.110 192.168.1.114
route add -net 10.0.0 -netmask 255.255.255.0 10.0.0.2

and tcpdump now shows traffic being passed and hitting squid.

I have a couple of access errors that squid is throwing back, but I met my goal.
The man page as always really helps out.
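A gateway-side check for the interception path described in this thread, added here as an example and not taken from the thread or from Squid/FreeBSD itself: it parses `ifconfig gre0` and `ipfw list` output to confirm the tunnel is up with the right endpoints and that the fwd rule still points port 80 at the Squid end of the tunnel, so a silently broken redirect (clients reaching the web directly, bypassing the proxy) gets noticed. Addresses and the port are the ones used above; the sample outputs are constructed so the checks can be run offline.

```shell
#!/bin/sh
# Added example: verify the GRE + ipfw fwd interception on the gateway.
# Addresses/port are from the thread; sample outputs below are constructed.

GW_LAN=192.168.1.114      # gateway LAN address (tunnel outer endpoint)
SQUID_LAN=192.168.1.110   # Squid box LAN address (tunnel outer endpoint)
SQUID_GRE=10.0.0.1        # Squid end of gre0, the fwd next hop
SQUID_PORT=5128           # port Squid listens on

# gre_ok: reads `ifconfig gre0` output on stdin; succeeds only if the
# interface is UP and RUNNING and its outer endpoints are gateway -> squid.
gre_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '<UP,.*RUNNING' &&
    printf '%s\n' "$out" | grep -q "tunnel inet $GW_LAN --> $SQUID_LAN"
}

# fwd_ok: reads `ipfw list` output on stdin; succeeds only if some rule
# forwards TCP port 80 to the Squid end of the tunnel.
fwd_ok() {
    grep -q "fwd $SQUID_GRE,$SQUID_PORT tcp from .* to .* 80"
}

# check_gateway: run the live commands and report; 0 only if both pass.
check_gateway() {
    ifconfig gre0 2>/dev/null | gre_ok || { echo "gre0 missing, down or wrong endpoints"; return 1; }
    ipfw list 2>/dev/null | fwd_ok || { echo "no fwd rule to $SQUID_GRE,$SQUID_PORT for port 80"; return 1; }
    echo "interception path in place"
}

# Constructed sample outputs in the shape FreeBSD ifconfig(8)/ipfw(8) print.
SAMPLE_GRE='gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK1,MULTICAST> metric 0 mtu 1476
    tunnel inet 192.168.1.114 --> 192.168.1.110
    inet 10.0.0.2 --> 10.0.0.1 netmask 0xffffffff'
SAMPLE_GRE_DOWN='gre0: flags=9010<POINTOPOINT,LINK1,MULTICAST> metric 0 mtu 1476'
SAMPLE_IPFW='00100 fwd 10.0.0.1,5128 tcp from any to any dst-port 80
65535 allow ip from any to any'
SAMPLE_IPFW_NOFWD='65535 allow ip from any to any'

# Run the live checks with: sh thisscript.sh live   (as root, on the gateway)
if [ "$1" = "live" ]; then
    check_gateway
fi
```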
 