Tproxy, SQUID, NAT and IMQ on same box ?
Is it possible to setup TPROXY, SQUID, NAT and IMQ on the same box ? I need to have squid transparent proxy on the SAME box where traffic shaping with IMQ and NAT is done ? Any suggestions, known working versions etc ? Thanks for help.
NTPT wrote:
Is it possible to setup TPROXY, SQUID, NAT and IMQ on the same box ?
I need to have squid transparent proxy on the SAME box where traffic shaping with IMQ and NAT is done ?
Any suggestions, known working versions etc ?
I believe you can do it with tproxy 2.x ( kernel 2.6.18 ), tproxy 4.0.3 ( kernel 2.6.22 ) and tproxy 4.1.0 ( kernel 2.6.24 ). IMQ is not available on kernel 2.6.25 yet, but it is not totally impossible to use a replacement or a work-in-progress version. In all cases, it is not a straightforward thing. You need to get ready to patch, patch and patch. But with determination, it will work ! Out of curiosity, if you are doing tproxy, why do you need to do NAT ? Do you have multiple paths to the internet ? :-)
------------ Original message ------------
From: Ming-Ching Tiew <mingching.tiew@redtone.com>
Subject: Re: [tproxy] Tproxy, SQUID, NAT and IMQ on same box ?
Date: 05.5.2008 08:15:59
----------------------------------------
NTPT wrote:
Is it possible to setup TPROXY, SQUID, NAT and IMQ on the same box ?
I need to have squid transparent proxy on the SAME box where traffic shaping with IMQ and NAT is done ?
Any suggestions, known working versions etc ?
I believe you can do it with tproxy 2.x ( kernel 2.6.18 ), tproxy 4.0.3 ( kernel 2.6.22 ) and tproxy 4.1.0 ( kernel 2.6.24 ).
The problem is that I do not know the new packet flow through the kernel with the applied tproxy patch. For IMQ there is a need to hook IMQ in the right place in the kernel relative to (de)NAT to be able to shape outgoing traffic. So I guess there is an important thing to know, especially where in the kernel the output address of the squid is rewritten by tproxy (relative to the NAT and IMQ hooks), because the order of this IS important. (please excuse my bad English)
IMQ is not available on kernel 2.6.25 yet, but it is not totally impossible to use a replacement or a work-in-progress version. In all cases, it is not a straightforward thing. You need to get ready to patch, patch and patch. But with determination, it will work !
Out of curiosity, if you are doing tproxy, why do you need to do NAT ? Do you have multiple paths to the internet ?
For other, non-http traffic ? :-) The idea is: customers on a private network range connected to a router box with traffic shaping, web traffic intercepted to squid, NAT on the same box, with IMQ. So in this setup I need tproxy and squid to preserve the original source and destination addresses (via tproxy) and then send this traffic to IMQ with an attached qdisc. Of course I can have two boxes, one for NAT, one for squid, tproxy and shaping, but in some places it is not practical... :-)
_______________________________________________ tproxy mailing list tproxy@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/tproxy
NTPT wrote:
The idea is: customers on a private network range connected to a router box with traffic shaping, web traffic intercepted to squid, NAT on the same box, with IMQ. So in this setup I need tproxy and squid to preserve the original source and destination addresses (via tproxy) and then send this traffic to IMQ with an attached qdisc.
There is no need for tproxy. Destination addresses are always preserved whether you are using tproxy or not. But you can't preserve the original source IP because you are supposed to do NAT. I guess you can forget about using tproxy in the first place; that will make your problem much simpler than it seems. Cheers.
------------ Original message ------------
From: Ming-Ching Tiew <mingching.tiew@redtone.com>
Subject: Re: [tproxy] Tproxy, SQUID, NAT and IMQ on same box ?
Date: 05.5.2008 09:36:19
----------------------------------------
NTPT wrote:
The idea is: customers on a private network range connected to a router box with traffic shaping, web traffic intercepted to squid, NAT on the same box, with IMQ. So in this setup I need tproxy and squid to preserve the original source and destination addresses (via tproxy) and then send this traffic to IMQ with an attached qdisc.
There is no need for tproxy. Destination addresses are always preserved whether you are using tproxy or not. But you can't preserve the original source IP because you are supposed to do NAT.
I guess you can forget about using tproxy in the first place; that will make your problem much simpler than it seems.
I think there is a misunderstanding due to my wrong English. We have similar setups running on some boxes without squid (some services, IMQ, NAT). But using a web proxy has a known weakness, because the proxy acts as a client, and if somebody requests a large file from the internet via the proxy, it can effectively bypass our traffic shaper and hog bandwidth with all the negative side effects (it is a known side effect of using a proxy server). For running a proxy server in our network we NEED to address this issue first. And AFAIK this is the task tproxy was created for.

So we need squid to intercept the connection from customer to internet, mimic itself as the customer (source and destination IP; AFAIK this is how the tproxy + squid patches work), and the dataflow from/to the customer (and also from/to squid, which looks like it was from/to the customer) is "routed" through traffic shaping (HTB etc). I need to preserve the original source address of customers for traffic shaping only.

I know that a setup with two boxes, one separate for NAT and one separate for traffic shaping and transparent proxying, like this:

to internet <--------| NAT box | ------------- | traffic shaper box with intercepting proxy (squid + tproxy) | -----------> to customers

will work without messing with IMQ hook orders and kernel packet flow, but in most places we can not use two separate boxes.

PS> excuse my wrong English
Cheers.
NTPT wrote:
I need to preserve the original source address of customers for traffic shaping only.
Still, you ***DON'T NEED*** tproxy. Assuming you have a box with two ethernets, eth0 and eth1: eth0 is facing the customers' LAN, and eth1 is facing the internet. You can shape the traffic at eth0; it is the place where you have the original identity of the traffic. You would use eth0 to shape download traffic; this will be the primary concern for most internet connections. If you like, you can use imq to shape upload traffic at eth0. But you could use the delay_pool capability in squid to control the traffic. Cheers.
On Monday 05 May 2008 15:35:22 Ming-Ching Tiew wrote:
There is no need for tproxy. Destination addresses are always preserved whether you are using tproxy or not. But you can't preserve the original source IP because you are supposed to do NAT.
I guess you can forget about using tproxy in the first place; that will make your problem much simpler than it seems.
Additional information.... Since IFB is included in most recent kernels (at least in my opensuse 10.3), in most cases we don't need IMQ either. Hopefully your problem becomes much much simpler than it seems.
--
Salam,
Adi Nugroho - http://adi.internux.co.id/
iNterNUX --- http://www.internux.net.id/
Jalan Dr. Sam Ratulangi No. 53J Makassar
Tel. +62-411-834690 Fax. +62-411-834691
CDMA:+62-411-6109535 GSM:+62-816-27-9193
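As an added example, not from the thread, of the setup Ming-Ching and Adi describe: shape at eth0 with HTB, where packets still carry the customers' own addresses before NAT on eth1, and use an IFB device instead of IMQ for the upload direction. It assumes interface names eth0/eth1, a 192.168.0.0/24 customer range and example rates; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Shapes customer traffic at the LAN-facing
# interface (eth0), where packets still carry the customers' own private-range
# addresses, before NAT on eth1, so no tproxy is needed. Download (box -> LAN)
# is shaped on eth0 egress with HTB; upload (LAN -> box) is redirected from eth0
# ingress to an IFB device and shaped there, which replaces IMQ.
# Assumed values: interface names, 192.168.0.0/24 customer range, rates.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
CUSTOMER_NET=${CUSTOMER_NET:-192.168.0.0/24}
DOWN_RATE=${DOWN_RATE:-10mbit}
UP_RATE=${UP_RATE:-2mbit}

# DRY_RUN=1 (default) prints the commands for review; DRY_RUN=0 applies them
# (needs root, iproute2 with ifb support and iptables).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

shaper_setup() {
    # NAT only on the internet side; everything below runs on the LAN side.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Download: HTB on eth0 egress, matched on the customers' destination
    # addresses, which are still unchanged at this point.
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
    run tc class add dev "$LAN_IF" parent 1: classid 1:10 htb rate "$DOWN_RATE" ceil "$DOWN_RATE"
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip dst "$CUSTOMER_NET" flowid 1:10

    # Upload: redirect eth0 ingress to ifb0 and shape it there with HTB,
    # matched on the customers' source addresses.
    run ip link add ifb0 type ifb
    run ip link set ifb0 up
    run tc qdisc add dev "$LAN_IF" handle ffff: ingress
    run tc filter add dev "$LAN_IF" parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0
    run tc qdisc add dev ifb0 root handle 2: htb default 20
    run tc class add dev ifb0 parent 2: classid 2:20 htb rate "$UP_RATE" ceil "$UP_RATE"
    run tc filter add dev ifb0 parent 2: protocol ip prio 1 u32 match ip src "$CUSTOMER_NET" flowid 2:20
}

shaper_setup
```

The single class per direction is the minimum; per-customer classes would hang off 1:10 and 2:20 with additional u32 filters on individual addresses.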