Vyatta – Forwarding traffic to Squid
Oct 24
Business, Internet, Networks, Vyatta Systems, Web/Tech 8 Comments
If you are using Vyatta and want to transparently forward traffic at the router level to a separate Squid proxy, you will find that the standard firewall configuration in Vyatta just isn't up to the job (yet!).
The workaround is to use the /etc/rc.local file to make iptables do the job for you. Here's how we did it:
#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
SQUID="10.1.1.1" # Internal address of our squid box
# Webcache jump to cache
echo Setting up jump to webcache
# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Don't mark webcache traffic (this rule must stay above the MARK rules, otherwise
# Squid's own outbound fetches get marked and routed straight back to it)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID
# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8 # Don't cache internal
# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4 # IP address of site you want to exclude from going to the cache
# Now mark our traffic. We have a number of subnets on virtual interfaces we want to grab;
# if you aren't using vifs simply use eth1 or whatever you are using
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80
# Send the marked traffic to table 2 (you can actually use whatever table you want; I used 2
# because we are using eth2 for the subnet squid is on). Remove any previous copy first so a
# re-run does not abort on "File exists" under sh -e.
$IP rule del fwmark 3 table 2 2>/dev/null || true
$IP rule add fwmark 3 table 2
# set the default route for table 2, change eth2 for the interface you are on
$IP route flush table 2 2>/dev/null || true
$IP route add default via $SQUID dev eth2 table 2
# Make sure we exit
exit 0
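As an added check that is not part of the original post: a small POSIX sh script that reads saved listings from the router (iptables mangle/PREROUTING, ip rule, ip route table 2) and confirms the three pieces the rc.local script must leave behind are present, and that the ACCEPT for the Squid box's own address sits above the MARK rules, since the other order would route Squid's own fetches back to itself. The listings and the function names are my own constructions; the addresses and mark/table numbers are the ones used in the script above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the three pieces the
# rc.local script must leave behind are present, and that the ACCEPT for the
# Squid box's own source address sits above the MARK rules. If it does not,
# Squid's own outbound port-80 fetches get marked and routed back to Squid.
# Inputs are saved listings of "iptables -t mangle -L PREROUTING -n -v",
# "ip rule show" and "ip route show table 2"; the samples below are constructed.
SQUID=10.1.1.1   # values from the post's script
MARK=3
TABLE=2
# mangle_ok LISTING: 0 if every dpt:80 MARK rule comes after the Squid bypass
mangle_ok() {
    printf '%s\n' "$1" | awk -v squid="$SQUID" -v mark="$MARK" '
        $3 == "ACCEPT" && $8 == squid && /tcp dpt:80/ { bypass = NR }
        $3 == "MARK" && /tcp dpt:80/ && $NF == ("0x" mark) { seen = 1; if (!bypass) bad = 1 }
        END { exit !(seen && !bad) }'
}
# rule_ok LISTING: 0 if a policy rule maps fwmark MARK to TABLE
rule_ok() { printf '%s\n' "$1" | grep -q "fwmark 0x$MARK .*lookup $TABLE\$"; }
# route_ok LISTING: 0 if TABLE's default route points at the Squid box
route_ok() { printf '%s\n' "$1" | grep -q "^default via $SQUID dev "; }
# check_all MANGLE RULES ROUTES: report each failing piece; 0 only if all pass
check_all() {
    rc=0
    mangle_ok "$1" || { echo "FAIL: MARK rule missing or ordered before the Squid bypass"; rc=1; }
    rule_ok "$2" || { echo "FAIL: no ip rule sending fwmark 0x$MARK to table $TABLE"; rc=1; }
    route_ok "$3" || { echo "FAIL: table $TABLE has no default route via $SQUID"; rc=1; }
    return $rc
}
# Constructed sample output in the layout iptables and iproute2 print.
MANGLE_GOOD='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in       out     source               destination
    0     0 ACCEPT     tcp  --  *        *       10.1.1.1             0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *        *       0.0.0.0/0            10.0.0.0/8           tcp dpt:80
  120  7200 MARK       tcp  --  eth3.102 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x3'
# Same rules with the bypass placed after the MARK rule: the loop case.
MANGLE_LOOP='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in       out     source               destination
  120  7200 MARK       tcp  --  eth3.102 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x3
    0     0 ACCEPT     tcp  --  *        *       10.1.1.1             0.0.0.0/0            tcp dpt:80'
RULES='0:      from all lookup local
32765:  from all fwmark 0x3 lookup 2
32766:  from all lookup main
32767:  from all lookup default'
ROUTES='default via 10.1.1.1 dev eth2'
check_all "$MANGLE_GOOD" "$RULES" "$ROUTES" && echo "policy routing to Squid looks complete"
```

On a live router, feed it the real listings instead of the constructed ones, e.g. check_all "$(iptables -t mangle -L PREROUTING -n -v)" "$(ip rule show)" "$(ip route show table 2)".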
Oct 24, 2007 @ 14:30:00
Ben – would you consider submitting this script to our community wiki here:
http://www.vyatta.com/twiki/bin/view/Community/CommunityEnhancements
Thanks!
Nov 04, 2007 @ 12:23:45
When I have a minute I will!
Sep 20, 2008 @ 06:18:34
This supposes that squid listens on port 80 on $SQUID (I think). I'm trying to DNAT the www packets in Vyatta but it doesn't work; I will test your script.
thanks
Jan 06, 2009 @ 03:23:02
This seems to assume a separate box running squid vs running squid on the vyatta host. The separate squid box needs to either be listening on port 80 or redirecting to its squid port in its own IPTABLES configuration. I'm more familiar with configuring DNAT to deal with this by redirecting port 80 access to 3128 on another host. This should be possible from the Vyatta configs I'd imagine. Has anybody tried it with any luck?
Jan 06, 2009 @ 21:22:47
Sorry, yes, I failed to mention that there is another NAT rule on the squid box itself!
You need something like:
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
On the squid box.
Interestingly the new beta of Vyatta I am currently testing (Islavista) has squid built in; it's pretty good but currently is a little restrictive for the more advanced squid tamers of us out there… I am sure though Vyatta as usual will come up with the goods…
Jan 07, 2009 @ 21:17:08
Hi Ben,
Sorry if my question is too stupid, and I have not tried your script yet, but wouldn't it be easier if we redirect to port 3128 directly from Vyatta, something like this: $IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 3128?
I think that I will try your script today.
Thanks for helping newbie people like me.
Andre
Sep 08, 2009 @ 02:56:57
Hello Ben, thanks for your tutorial. What if I am using the same Vyatta box, including squid, on one server?
In your tutorial I see that it's for a separate squid box; what about the same squid box? tks