1. advanced routing question (squid/policy based routing)
Hi,
while setting up a second link to another ISP, I came up with the idea to perform policy based routing. All of the web traffic should go via a flatrate DSL link, whereas all the rest is routed via a 2Mbit/s CISCO link.
The configuration is as follows: we have a network with public IP addresses (a.b.c.x/255.255.255.224)
                                                      | 2Mbit/s link to ISP
                                                      | 194.x.y.z
                                                      | default-route
PUBLIC
INTERNET via DSL ---------- DSL HW ------------------ LINUX FIREWALL
                            ROUTER                    192.168.1.2
                            192.168.1.1               |
                            NAT                       |
                                                      | a.b.c.x/27
                                              Internal Network (20 hosts)
What I try to achieve is that all outgoing traffic from a.b.c.x/27 port 80 is routed via the HW-DSL-Router. So I installed a SQUID in transparent mode on the firewall and entered the following rule:
iptables -t nat -A PREROUTING -i eth1 -p tcp -s a.b.c.x/255.255.255.224 --dport 80 -j REDIRECT --to-port 3128
If I do not modify any routing I have a perfect transparent webserver.
Now I add something more sophisticated: I configure squid to use 192.168.1.2 as the outbound interface with the squid configure option tcp_outgoing_address and add the following policy based routing:
iptables -t mangle -A OUTPUT -s 192.168.1.2 -p tcp --dport 80 -j MARK --set-mark 5
Now the packets become marked. I add the rule:
ip rule add fwmark 5 table dsl_out
and
ip route add default via 192.168.1.1 dev eth4 table dsl_out
Now what happens? I make a TCP-dump on an external webserver and on the link between firewall and HW-DSL-ROUTER. I open an http-connection from a.b.c.d. It gets redirected to the squid, which in turn opens a TCP-connection via the DSL-router. On the external Webserver I see SYN-packets arriving from the external address of the DSL-router and the webserver answers with a SYN/ACK. The SYN/ACK is natted again and is inbound on the link between DSL-router and firewall.
But it never arrives at the SQUID. Half a second later SQUID retransmits the SYN and the link is never established.
Before I forget: beforehand I cleared all firewalling rules on eth4:
iptables -I INPUT -i eth4 -j ACCEPT
What am I doing wrong? Any idea?
TCP-dumps of all links are available.
Thanks for your help...
Marc Peter Althoff
www.p3-solutions.de
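An added example, not part of Marc's post, showing the checks a practitioner runs on a fwmark policy-routing setup like the one above. It parses the output of "ip rule show" and "ip route show table ..." together with the rp_filter sysctl values and reports three pitfalls: a mark that no rule selects a table for, a table without a default route (marked packets then fall through to main), and the asymmetric-return case where replies come back in on the secondary interface while the main table would route their source out the primary one, which strict reverse-path filtering silently drops. All command output and sysctl values are constructed to mirror the post's setup; 198.51.100.1 is a placeholder for the ISP gateway.

```python
"""Sanity-check a Linux fwmark policy-routing setup from captured command output.

Added example; the sample output below is constructed, not taken from a real box.
"""
import re
from typing import Dict, List, Optional

# Constructed `ip rule show` output: mark 5 -> table dsl_out, as in the post.
IP_RULE_SHOW = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x5 lookup dsl_out
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed `ip route show table dsl_out`.
IP_ROUTE_TABLE_DSL_OUT = "default via 192.168.1.1 dev eth4\n"

# Constructed `ip route show` (main table); 198.51.100.1 stands in for the ISP gateway.
IP_ROUTE_MAIN = """\
default via 198.51.100.1 dev eth0
192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.2
"""

# Constructed /proc/sys/net/ipv4/conf/<dev>/rp_filter values (1 = strict).
RP_FILTER = {"all": 1, "eth0": 1, "eth1": 1, "eth4": 1}

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-fA-F]+(?:/0x[0-9a-fA-F]+)?|\d+))?"
    r"\s+lookup\s+(?P<table>\S+)"
)
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?(?:\s+dev\s+(?P<dev>\S+))?")


def parse_rules(text: str) -> List[dict]:
    """Parse `ip rule show` lines; the fwmark is normalised to an int (0x5 -> 5)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        mark = m.group("mark")
        if mark is not None:
            mark = int(mark.split("/")[0], 0)  # drop an optional mask, accept 0x or decimal
        rules.append({"prio": int(m.group("prio")), "src": m.group("src"),
                      "mark": mark, "table": m.group("table")})
    return rules


def parse_routes(text: str) -> List[dict]:
    """Parse `ip route show` lines into destination / gateway / device."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"dst": m.group("dst"), "via": m.group("via"), "dev": m.group("dev")})
    return routes


def default_route(routes: List[dict]) -> Optional[dict]:
    return next((r for r in routes if r["dst"] == "default"), None)


def effective_rp_filter(rp_filter: Dict[str, int], dev: str) -> int:
    # The kernel applies the higher of conf/all/rp_filter and conf/<dev>/rp_filter.
    return max(rp_filter.get("all", 0), rp_filter.get(dev, 0))


def check_policy_routing(mark: int, rule_text: str, table_route_text: str,
                         main_route_text: str, rp_filter: Dict[str, int]) -> List[str]:
    """Return human-readable findings; an empty list means the setup looks consistent."""
    findings = []
    hits = [r for r in parse_rules(rule_text) if r["mark"] == mark]
    if not hits:
        findings.append(f"no ip rule selects a table for fwmark {mark}")
        return findings
    table = hits[0]["table"]
    pbr_default = default_route(parse_routes(table_route_text))
    if pbr_default is None:
        findings.append(f"table {table} has no default route; marked packets fall through to main")
        return findings
    main_default = default_route(parse_routes(main_route_text))
    dev = pbr_default["dev"]
    # Inbound replies carry no mark, so the reverse-path lookup uses the main table:
    # if that table would send the peer's address out another interface, strict
    # rp_filter on `dev` discards the reply before any socket sees it.
    if (main_default and dev and main_default["dev"] != dev
            and effective_rp_filter(rp_filter, dev) == 1):
        findings.append(f"strict rp_filter on {dev}: replies arriving on {dev} are dropped "
                        f"because the main table would route their source via {main_default['dev']}")
    return findings


if __name__ == "__main__":
    for f in check_policy_routing(5, IP_RULE_SHOW, IP_ROUTE_TABLE_DSL_OUT, IP_ROUTE_MAIN, RP_FILTER):
        print("FINDING:", f)
```

On the constructed data the only finding is the reverse-path one. The usual cures are to loosen or disable reverse-path filtering on the DSL interface (rp_filter=2 is loose mode on newer kernels), or to add a source-address rule such as "ip rule add from 192.168.1.2 table dsl_out", so that the kernel's reverse lookup for inbound replies also resolves to eth4 and the mark is no longer the only thing steering that traffic.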