573 lines
10 KiB
HTML
573 lines
10 KiB
HTML
|
<HTML
|
||
|
><HEAD
|
||
|
><TITLE
|
||
|
>Transparent web-caching using netfilter,
|
||
|
iproute2, ipchains and
|
||
|
squid</TITLE
|
||
|
><META
|
||
|
NAME="GENERATOR"
|
||
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
||
|
REL="HOME"
|
||
|
TITLE="Linux Advanced Routing & Traffic Control HOWTO"
|
||
|
HREF="index.html"><LINK
|
||
|
REL="UP"
|
||
|
TITLE="Cookbook"
|
||
|
HREF="lartc.cookbook.html"><LINK
|
||
|
REL="PREVIOUS"
|
||
|
TITLE="Prioritizing interactive traffic"
|
||
|
HREF="lartc.cookbook.interactive-prio.html"><LINK
|
||
|
REL="NEXT"
|
||
|
TITLE="Circumventing Path MTU Discovery issues with per route MTU settings"
|
||
|
HREF="lartc.cookbook.mtu-discovery.html"></HEAD
|
||
|
><BODY
|
||
|
CLASS="SECT1"
|
||
|
BGCOLOR="#FFFFFF"
|
||
|
TEXT="#000000"
|
||
|
LINK="#0000FF"
|
||
|
VLINK="#840084"
|
||
|
ALINK="#0000FF"
|
||
|
><DIV
|
||
|
CLASS="NAVHEADER"
|
||
|
><TABLE
|
||
|
SUMMARY="Header navigation table"
|
||
|
WIDTH="100%"
|
||
|
BORDER="0"
|
||
|
CELLPADDING="0"
|
||
|
CELLSPACING="0"
|
||
|
><TR
|
||
|
><TH
|
||
|
COLSPAN="3"
|
||
|
ALIGN="center"
|
||
|
>Linux Advanced Routing & Traffic Control HOWTO</TH
|
||
|
></TR
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="10%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="bottom"
|
||
|
><A
|
||
|
HREF="lartc.cookbook.interactive-prio.html"
|
||
|
ACCESSKEY="P"
|
||
|
>Prev</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="80%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="bottom"
|
||
|
>Chapter 15. Cookbook</TD
|
||
|
><TD
|
||
|
WIDTH="10%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="bottom"
|
||
|
><A
|
||
|
HREF="lartc.cookbook.mtu-discovery.html"
|
||
|
ACCESSKEY="N"
|
||
|
>Next</A
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
><HR
|
||
|
ALIGN="LEFT"
|
||
|
WIDTH="100%"></DIV
|
||
|
><DIV
|
||
|
CLASS="SECT1"
|
||
|
><H1
|
||
|
CLASS="SECT1"
|
||
|
><A
|
||
|
NAME="LARTC.COOKBOOK.SQUID"
|
||
|
></A
|
||
|
>15.5. Transparent web-caching using <SPAN
|
||
|
CLASS="APPLICATION"
|
||
|
>netfilter</SPAN
|
||
|
>,
|
||
|
<SPAN
|
||
|
CLASS="APPLICATION"
|
||
|
>iproute2</SPAN
|
||
|
>, <SPAN
|
||
|
CLASS="APPLICATION"
|
||
|
>ipchains</SPAN
|
||
|
> and
|
||
|
<SPAN
|
||
|
CLASS="APPLICATION"
|
||
|
>squid</SPAN
|
||
|
></H1
|
||
|
><P
|
||
|
>This section was sent in by reader Ram Narula from Internet for Education
|
||
|
(Thailand).</P
|
||
|
><P
|
||
|
>The regular technique in accomplishing this in Linux
|
||
|
is probably with use of ipchains AFTER making sure
|
||
|
that the "outgoing" port 80(web) traffic gets routed through
|
||
|
the server running squid.</P
|
||
|
><P
|
||
|
>There are 3 common methods to make sure "outgoing"
|
||
|
port 80 traffic gets routed to the server running squid
|
||
|
and 4th one is being introduced here.</P
|
||
|
><P
|
||
|
><P
|
||
|
></P
|
||
|
><DIV
|
||
|
CLASS="VARIABLELIST"
|
||
|
><DL
|
||
|
><DT
|
||
|
>Making the gateway router do it.</DT
|
||
|
><DD
|
||
|
><P
|
||
|
>If you can tell your gateway router to
|
||
|
match packets that has outgoing destination port
|
||
|
of 80 to be sent to the IP address of squid server.</P
|
||
|
><P
|
||
|
>BUT</P
|
||
|
><P
|
||
|
>This would put additional load on the router and
|
||
|
some commercial routers might not even support this.</P
|
||
|
></DD
|
||
|
><DT
|
||
|
>Using a Layer 4 switch.</DT
|
||
|
><DD
|
||
|
><P
|
||
|
>Layer 4 switches can handle this without any problem.</P
|
||
|
><P
|
||
|
>BUT</P
|
||
|
><P
|
||
|
>The cost for this equipment is usually very high. Typical
|
||
|
layer 4 switch would normally cost more than
|
||
|
a typical router+good linux server.</P
|
||
|
></DD
|
||
|
><DT
|
||
|
>Using cache server as network's gateway.</DT
|
||
|
><DD
|
||
|
><P
|
||
|
>You can force ALL traffic through cache server.</P
|
||
|
><P
|
||
|
>BUT</P
|
||
|
><P
|
||
|
>This is quite risky because Squid does
|
||
|
utilize lots of CPU power which might
|
||
|
result in slower over-all network performance
|
||
|
or the server itself might crash and no one on the
|
||
|
network will be able to access the Internet if
|
||
|
that occurs.</P
|
||
|
></DD
|
||
|
><DT
|
||
|
>Linux+NetFilter router.</DT
|
||
|
><DD
|
||
|
><P
|
||
|
>By using NetFilter another technique can be implemented
|
||
|
which is using NetFilter for "mark"ing the packets
|
||
|
with destination port 80 and using iproute2 to
|
||
|
route the "mark"ed packets to the Squid server.</P
|
||
|
></DD
|
||
|
></DL
|
||
|
></DIV
|
||
|
>
|
||
|
|
||
|
<TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>|----------------|
|
||
|
| Implementation |
|
||
|
|----------------|
|
||
|
|
||
|
Addresses used
|
||
|
10.0.0.1 naret (NetFilter server)
|
||
|
10.0.0.2 silom (Squid server)
|
||
|
10.0.0.3 donmuang (Router connected to the Internet)
|
||
|
10.0.0.4 kaosarn (other server on network)
|
||
|
10.0.0.5 RAS
|
||
|
10.0.0.0/24 main network
|
||
|
10.0.0.0/19 total network
|
||
|
|
||
|
|---------------|
|
||
|
|Network diagram|
|
||
|
|---------------|
|
||
|
|
||
|
Internet
|
||
|
|
|
||
|
donmuang
|
||
|
|
|
||
|
------------hub/switch----------
|
||
|
| | | |
|
||
|
naret silom kaosarn RAS etc.</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
>
|
||
|
|
||
|
First, make all traffic pass through naret by making
|
||
|
sure it is the default gateway except for silom.
|
||
|
Silom's default gateway has to be donmuang (10.0.0.3) or
|
||
|
this would create web traffic loop.</P
|
||
|
><P
|
||
|
>(all servers on my network had 10.0.0.1 as the default gateway
|
||
|
which was the former IP address of donmuang router so what I did
|
||
|
was changed the IP address of donmuang to 10.0.0.3 and gave
|
||
|
naret ip address of 10.0.0.1)</P
|
||
|
><P
|
||
|
> <TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>Silom
|
||
|
-----
|
||
|
-setup squid and ipchains </PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
><P
|
||
|
>Setup Squid server on silom, make sure it does support
|
||
|
transparent caching/proxying, the default port is usually
|
||
|
3128, so all traffic for port 80 has to be redirected to port
|
||
|
3128 locally. This can be done by using ipchains with the following:</P
|
||
|
><P
|
||
|
> <TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>silom# ipchains -N allow1
|
||
|
silom# ipchains -A allow1 -p TCP -s 10.0.0.0/19 -d 0/0 80 -j REDIRECT 3128
|
||
|
silom# ipchains -I input -j allow1</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
><P
|
||
|
> </P
|
||
|
><P
|
||
|
>Or, in netfilter lingo:
|
||
|
|
||
|
<TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>silom# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
><P
|
||
|
>(note: you might have other entries as well)</P
|
||
|
><P
|
||
|
>For more information on setting Squid server please refer
|
||
|
to Squid FAQ page on <A
|
||
|
HREF="http://squid.nlanr.net"
|
||
|
TARGET="_top"
|
||
|
>http://squid.nlanr.net</A
|
||
|
>).</P
|
||
|
><P
|
||
|
>Make sure ip forwarding is enabled on this server and the default
|
||
|
gateway for this server is donmuang router (NOT naret).</P
|
||
|
><P
|
||
|
> <TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>Naret
|
||
|
-----
|
||
|
-setup iptables and iproute2
|
||
|
-disable icmp REDIRECT messages (if needed)</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
><P
|
||
|
> <P
|
||
|
></P
|
||
|
><OL
|
||
|
TYPE="1"
|
||
|
><LI
|
||
|
><P
|
||
|
>"Mark" packets of destination port 80 with value 2
|
||
|
|
||
|
<TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="90%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>
|
||
|
naret# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 \
|
||
|
-j MARK --set-mark 2</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Setup iproute2 so it will route packets with "mark" 2 to silom
|
||
|
|
||
|
<TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="90%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>naret# echo 202 www.out >> /etc/iproute2/rt_tables
|
||
|
naret# ip rule add fwmark 2 table www.out
|
||
|
naret# ip route add default via 10.0.0.2 dev eth0 table www.out
|
||
|
naret# ip route flush cache </PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
>
|
||
|
</P
|
||
|
><P
|
||
|
>If donmuang and naret is on the same subnet then
|
||
|
naret should not send out icmp REDIRECT messages.
|
||
|
In this case it is, so icmp REDIRECTs has to be
|
||
|
disabled by:
|
||
|
|
||
|
<TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="90%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>naret# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
|
||
|
naret# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
|
||
|
naret# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects </PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
></LI
|
||
|
></OL
|
||
|
> </P
|
||
|
><P
|
||
|
>The setup is complete, check the configuration</P
|
||
|
><P
|
||
|
> <TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>On naret:
|
||
|
|
||
|
naret# iptables -t mangle -L
|
||
|
Chain PREROUTING (policy ACCEPT)
|
||
|
target prot opt source destination
|
||
|
MARK tcp -- anywhere anywhere tcp dpt:www MARK set 0x2
|
||
|
|
||
|
Chain OUTPUT (policy ACCEPT)
|
||
|
target prot opt source destination
|
||
|
|
||
|
naret# ip rule ls
|
||
|
0: from all lookup local
|
||
|
32765: from all fwmark 2 lookup www.out
|
||
|
32766: from all lookup main
|
||
|
32767: from all lookup default
|
||
|
|
||
|
naret# ip route list table www.out
|
||
|
default via 203.114.224.8 dev eth0
|
||
|
|
||
|
naret# ip route
|
||
|
10.0.0.1 dev eth0 scope link
|
||
|
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
|
||
|
127.0.0.0/8 dev lo scope link
|
||
|
default via 10.0.0.3 dev eth0
|
||
|
|
||
|
(make sure silom belongs to one of the above lines, in this case
|
||
|
it's the line with 10.0.0.0/24)
|
||
|
|
||
|
|------|
|
||
|
|-DONE-|
|
||
|
|------|
|
||
|
</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
><DIV
|
||
|
CLASS="SECT2"
|
||
|
><H2
|
||
|
CLASS="SECT2"
|
||
|
><A
|
||
|
NAME="AEN1906"
|
||
|
></A
|
||
|
>15.5.1. Traffic flow diagram after implementation</H2
|
||
|
><TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
> |-----------------------------------------|
|
||
|
|Traffic flow diagram after implementation|
|
||
|
|-----------------------------------------|
|
||
|
|
||
|
INTERNET
|
||
|
/\
|
||
|
||
|
||
|
\/
|
||
|
-----------------donmuang router---------------------
|
||
|
/\ /\ ||
|
||
|
|| || ||
|
||
|
|| \/ ||
|
||
|
naret silom ||
|
||
|
*destination port 80 traffic=========>(cache) ||
|
||
|
/\ || ||
|
||
|
|| \/ \/
|
||
|
\\===================================kaosarn, RAS, etc. </PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
><P
|
||
|
>Note that the network is asymmetric as there is one extra hop on
|
||
|
general outgoing path.</P
|
||
|
><P
|
||
|
> <TABLE
|
||
|
BORDER="1"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="100%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="SCREEN"
|
||
|
>Here is run down for packet traversing the network from kaosarn
|
||
|
to and from the Internet.
|
||
|
|
||
|
For web/http traffic:
|
||
|
kaosarn http request->naret->silom->donmuang->internet
|
||
|
http replies from Internet->donmuang->silom->kaosarn
|
||
|
|
||
|
For non-web/http requests(eg. telnet):
|
||
|
kaosarn outgoing data->naret->donmuang->internet
|
||
|
incoming data from Internet->donmuang->kaosarn</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
></DIV
|
||
|
></DIV
|
||
|
><DIV
|
||
|
CLASS="NAVFOOTER"
|
||
|
><HR
|
||
|
ALIGN="LEFT"
|
||
|
WIDTH="100%"><TABLE
|
||
|
SUMMARY="Footer navigation table"
|
||
|
WIDTH="100%"
|
||
|
BORDER="0"
|
||
|
CELLPADDING="0"
|
||
|
CELLSPACING="0"
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="lartc.cookbook.interactive-prio.html"
|
||
|
ACCESSKEY="P"
|
||
|
>Prev</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="34%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="index.html"
|
||
|
ACCESSKEY="H"
|
||
|
>Home</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="lartc.cookbook.mtu-discovery.html"
|
||
|
ACCESSKEY="N"
|
||
|
>Next</A
|
||
|
></TD
|
||
|
></TR
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="top"
|
||
|
>Prioritizing interactive traffic</TD
|
||
|
><TD
|
||
|
WIDTH="34%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="lartc.cookbook.html"
|
||
|
ACCESSKEY="U"
|
||
|
>Up</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="top"
|
||
|
>Circumventing Path MTU Discovery issues with per route MTU settings</TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
></DIV
|
||
|
></BODY
|
||
|
></HTML
|
||
|
>
|