[tproxy] Tproxy, SQUID, NAT and IMQ on same box ?

NTPT NTPT at seznam.cz
Mon May 5 09:24:50 CEST 2008

  ------------ Original message ------------
>  From: Ming-Ching Tiew <mingching.tiew at redtone.com>
>  Subject: Re: [tproxy] Tproxy, SQUID, NAT and IMQ on same box ?
>  Date: 05.5.2008 08:15:59
>  ----------------------------------------
>  NTPT wrote:
>  > Is it possible to set up TPROXY, SQUID, NAT and IMQ on the same box ?
>  > 
>  > I need to have squid transparent proxy  on the SAME box  where
>  > traffic shaping  with IMQ  and NAT is done ? 
>  > 
>  > Any suggestions, known working versions etc ?
>  > 
>  I believe you can do it with tproxy 2.x ( kernel 2.6.18 ),
>  tproxy 4.0.3 ( kernel 2.6.22 ) and tproxy 4.1.0 ( kernel 2.6.24 ).

The problem is that I do not know the new packet flow through the kernel with the tproxy patch applied.
For IMQ there is a need to hook IMQ in the right place in the kernel relative to (de)NAT to be able to shape outgoing traffic. So I guess there is an important thing to know, especially where in the kernel the output address of squid is rewritten by tproxy (relative to the NAT and IMQ hooks), because the order of this IS important. (Please excuse my bad English.)

>  IMQ is not available on kernel 2.6.25 yet, but it is not totally
>  impossible to use a replacement or a work-in-progress version.
>  In all cases, it is not a straightforward thing. You need to get 
>  ready to patch, patch and patch. But with determination, it will work ! 
>  Out of curiosity, if you are doing tproxy, why do you need to do NAT ?
>  Do you have multiple paths to the internet ?

For other, non-HTTP traffic ? :-)
The idea is: customers on a private network range connected to a router box with traffic shaping, web traffic intercepted to squid, NAT on the same box, with IMQ. So in this setup I need tproxy and squid to preserve the original source and destination addresses (via tproxy) and then send this traffic to IMQ with an attached qdisc.

Of course I can have two boxes, one for NAT and one for squid, tproxy and shaping, but in some places it is not practical...

>  :-)
>  _______________________________________________
>  tproxy mailing list
>  tproxy at lists.balabit.hu
>  https://lists.balabit.hu/mailman/listinfo/tproxy
