[tproxy] Tproxy, SQUID, NAT and IMQ on same box ?

NTPT NTPT at seznam.cz
Mon May 5 10:11:36 CEST 2008


>  ------------ Original message ------------
>  From: Ming-Ching Tiew <mingching.tiew at redtone.com>
>  Subject: Re: [tproxy] Tproxy, SQUID, NAT and IMQ on same box ?
>  Date: 05.5.2008 09:36:19
>  ----------------------------------------
>  NTPT wrote:
>  > 
>  > The idea is: customers on a private network range connected to a router box
>  > with traffic shaping, web traffic intercepted to squid, NAT on the
>  > same box, with IMQ. So in this setup I need tproxy and squid to
>  > preserve the original source and destination addresses (via tproxy) and
>  > then send this traffic to IMQ with an attached qdisc.
>  > 
>  
>  There is no need for tproxy. Destination addresses are always preserved 
>  whether you are using tproxy or not. But you can't preserve the original
>  source IP because you are supposed to do NAT.
>  
>  I guess you can forget about using tproxy in the first place; that will make
>  your problem much simpler than it seems.

I think there is a misunderstanding due to my poor English.

We have similar setups running on some boxes without squid (some services, IMQ, NAT).

But using a web proxy has a known weakness: the proxy acts as a client, and if somebody requests a large file from the Internet via the proxy, it can effectively bypass our traffic shaper and hog bandwidth, with all the negative side effects (this is a known side effect of using a proxy server). Before running a proxy server in our network we NEED to address this issue first. And AFAIK this is the task tproxy was created for.

So we need squid to intercept the connection from the customer to the Internet, mimicking the customer itself (source and destination IP; AFAIK this is how the tproxy + squid patches work), and the data flow from/to the customer (and also from/to squid, which looks like it is from/to the customer) to be "routed" through traffic shaping (HTB etc.).

I need to preserve the original source address of the customers for traffic shaping only.

I know that a setup with two boxes, one separate for NAT and one separate for traffic shaping and transparent proxying, like this

to internet    <--------| NAT box | ------------- | traffic shaper box with intercepting proxy (squid + tproxy)|  -----------> to customers

will work without messing with IMQ hook orders and kernel packet flow, but in most places we cannot use two separate boxes.



PS> excuse my poor English
>  
>  Cheers.
>  
>  
>  _______________________________________________
>  tproxy mailing list
>  tproxy at lists.balabit.hu
>  https://lists.balabit.hu/mailman/listinfo/tproxy
>  
>  
>  