LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.squid.html

573 lines
10 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Transparent web-caching using netfilter,
iproute2, ipchains and
squid</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux Advanced Routing &#38; Traffic Control HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Cookbook"
HREF="lartc.cookbook.html"><LINK
REL="PREVIOUS"
TITLE="Prioritizing interactive traffic"
HREF="lartc.cookbook.interactive-prio.html"><LINK
REL="NEXT"
TITLE="Circumventing Path MTU Discovery issues with per route MTU settings"
HREF="lartc.cookbook.mtu-discovery.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Advanced Routing &#38; Traffic Control HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="lartc.cookbook.interactive-prio.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 15. Cookbook</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="lartc.cookbook.mtu-discovery.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="LARTC.COOKBOOK.SQUID"
></A
>15.5. Transparent web-caching using <SPAN
CLASS="APPLICATION"
>netfilter</SPAN
>,
<SPAN
CLASS="APPLICATION"
>iproute2</SPAN
>, <SPAN
CLASS="APPLICATION"
>ipchains</SPAN
> and
<SPAN
CLASS="APPLICATION"
>squid</SPAN
></H1
><P
>This section was sent in by reader Ram Narula from Internet for Education
(Thailand).</P
><P
>The regular technique in accomplishing this in Linux
is probably with use of ipchains AFTER making sure
that the "outgoing" port 80(web) traffic gets routed through
the server running squid.</P
><P
>There are 3 common methods to make sure "outgoing"
port 80 traffic gets routed to the server running squid
and 4th one is being introduced here.</P
><P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>Making the gateway router do it.</DT
><DD
><P
>If you can tell your gateway router to
match packets that has outgoing destination port
of 80 to be sent to the IP address of squid server.</P
><P
>BUT</P
><P
>This would put additional load on the router and
some commercial routers might not even support this.</P
></DD
><DT
>Using a Layer 4 switch.</DT
><DD
><P
>Layer 4 switches can handle this without any problem.</P
><P
>BUT</P
><P
>The cost for this equipment is usually very high. Typical
layer 4 switch would normally cost more than
a typical router+good linux server.</P
></DD
><DT
>Using cache server as network's gateway.</DT
><DD
><P
>You can force ALL traffic through cache server.</P
><P
>BUT</P
><P
>This is quite risky because Squid does
utilize lots of CPU power which might
result in slower over-all network performance
or the server itself might crash and no one on the
network will be able to access the Internet if
that occurs.</P
></DD
><DT
>Linux+NetFilter router.</DT
><DD
><P
>By using NetFilter another technique can be implemented
which is using NetFilter for "mark"ing the packets
with destination port 80 and using iproute2 to
route the "mark"ed packets to the Squid server.</P
></DD
></DL
></DIV
>
<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>|----------------|
| Implementation |
|----------------|
Addresses used
10.0.0.1 naret (NetFilter server)
10.0.0.2 silom (Squid server)
10.0.0.3 donmuang (Router connected to the Internet)
10.0.0.4 kaosarn (other server on network)
10.0.0.5 RAS
10.0.0.0/24 main network
10.0.0.0/19 total network
|---------------|
|Network diagram|
|---------------|
Internet
|
donmuang
|
------------hub/switch----------
| | | |
naret silom kaosarn RAS etc.</PRE
></FONT
></TD
></TR
></TABLE
>
First, make all traffic pass through naret by making
sure it is the default gateway except for silom.
Silom's default gateway has to be donmuang (10.0.0.3) or
this would create web traffic loop.</P
><P
>(all servers on my network had 10.0.0.1 as the default gateway
which was the former IP address of donmuang router so what I did
was changed the IP address of donmuang to 10.0.0.3 and gave
naret ip address of 10.0.0.1)</P
><P
>&#13;<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>Silom
-----
-setup squid and ipchains </PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
><P
>Setup Squid server on silom, make sure it does support
transparent caching/proxying, the default port is usually
3128, so all traffic for port 80 has to be redirected to port
3128 locally. This can be done by using ipchains with the following:</P
><P
>&#13;<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>silom# ipchains -N allow1
silom# ipchains -A allow1 -p TCP -s 10.0.0.0/19 -d 0/0 80 -j REDIRECT 3128
silom# ipchains -I input -j allow1</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
><P
> </P
><P
>Or, in netfilter lingo:
<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>silom# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
><P
>(note: you might have other entries as well)</P
><P
>For more information on setting Squid server please refer
to Squid FAQ page on <A
HREF="http://squid.nlanr.net"
TARGET="_top"
>http://squid.nlanr.net</A
>).</P
><P
>Make sure ip forwarding is enabled on this server and the default
gateway for this server is donmuang router (NOT naret).</P
><P
>&#13;<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>Naret
-----
-setup iptables and iproute2
-disable icmp REDIRECT messages (if needed)</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
><P
>&#13;<P
></P
><OL
TYPE="1"
><LI
><P
>"Mark" packets of destination port 80 with value 2
<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>
naret# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 \
-j MARK --set-mark 2</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
></LI
><LI
><P
>Setup iproute2 so it will route packets with "mark" 2 to silom
<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>naret# echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables
naret# ip rule add fwmark 2 table www.out
naret# ip route add default via 10.0.0.2 dev eth0 table www.out
naret# ip route flush cache&#13;</PRE
></FONT
></TD
></TR
></TABLE
>
&#13;</P
><P
>If donmuang and naret is on the same subnet then
naret should not send out icmp REDIRECT messages.
In this case it is, so icmp REDIRECTs has to be
disabled by:
<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>naret# echo 0 &#62; /proc/sys/net/ipv4/conf/all/send_redirects
naret# echo 0 &#62; /proc/sys/net/ipv4/conf/default/send_redirects
naret# echo 0 &#62; /proc/sys/net/ipv4/conf/eth0/send_redirects&#13;</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
></LI
></OL
>&#13;</P
><P
>The setup is complete, check the configuration</P
><P
>&#13;<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>On naret:
naret# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK tcp -- anywhere anywhere tcp dpt:www MARK set 0x2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
naret# ip rule ls
0: from all lookup local
32765: from all fwmark 2 lookup www.out
32766: from all lookup main
32767: from all lookup default
naret# ip route list table www.out
default via 203.114.224.8 dev eth0
naret# ip route
10.0.0.1 dev eth0 scope link
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
127.0.0.0/8 dev lo scope link
default via 10.0.0.3 dev eth0
(make sure silom belongs to one of the above lines, in this case
it's the line with 10.0.0.0/24)
|------|
|-DONE-|
|------|
&#13;</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN1906"
></A
>15.5.1. Traffic flow diagram after implementation</H2
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>&#13;|-----------------------------------------|
|Traffic flow diagram after implementation|
|-----------------------------------------|
INTERNET
/\
||
\/
-----------------donmuang router---------------------
/\ /\ ||
|| || ||
|| \/ ||
naret silom ||
*destination port 80 traffic=========&#62;(cache) ||
/\ || ||
|| \/ \/
\\===================================kaosarn, RAS, etc.&#13;</PRE
></FONT
></TD
></TR
></TABLE
><P
>Note that the network is asymmetric as there is one extra hop on
general outgoing path.</P
><P
>&#13;<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>Here is run down for packet traversing the network from kaosarn
to and from the Internet.
For web/http traffic:
kaosarn http request-&#62;naret-&#62;silom-&#62;donmuang-&#62;internet
http replies from Internet-&#62;donmuang-&#62;silom-&#62;kaosarn
For non-web/http requests(eg. telnet):
kaosarn outgoing data-&#62;naret-&#62;donmuang-&#62;internet
incoming data from Internet-&#62;donmuang-&#62;kaosarn</PRE
></FONT
></TD
></TR
></TABLE
>&#13;</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="lartc.cookbook.interactive-prio.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="lartc.cookbook.mtu-discovery.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Prioritizing interactive traffic</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="lartc.cookbook.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Circumventing Path MTU Discovery issues with per route MTU settings</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink