iptables - packet marking with redirect to squid

1

I have a load-balanced firewall, using packet marking, together with squid.

I'm marking the packets so that both my links (gvt and OI) are used,

so link1 = gvt and link2 = OI.

It already works in parts, I managed to direct some ports to link2 like this:

iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.1.2-192.168.1.199 -i eth2 -p tcp -m multiport --dport 25,80,3128,443,587,5938 -j MARK --set-mark 2

I tested it and the traffic went out through link 2, except for port 80, which did not go through link 2, because below this rule I have the rule that redirects to squid, like this:

iptables -t nat -A PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Even when marking the packets for ports 3128 and 80, they continue to exit through link 1.

I think this rule ends up unmarking the packet, or something like that. Can anyone help me adjust this rule or add another one to solve it?

asked by anonymous 05.08.2015 / 20:51

1 answer

2

Redirecting port 80 to squid (transparent proxy) means the packets are intercepted at the firewall, and it is squid itself that actually makes the HTTP request. The mangle rule therefore does not apply in this situation, since it only applies to packets PASSING THROUGH the firewall (i.e. packets from the internal network headed to the internet). What you need is a rule that marks packets generated by the firewall (i.e. by the squid running on the firewall). Something like:

iptables -t mangle -A OUTPUT -p tcp ! -d 192.168.0.0/16 --dport 80 -j MARK --set-mark 2

Note that "! -d 192.168.0.0/16" is important to prevent squid connections to an INTERNAL web server from being (erroneously) routed out to the internet. The rule above therefore applies only to connections originating from the firewall with destination port 80.

06.08.2015 / 02:06
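Putting the question's PREROUTING rules and the answer's OUTPUT rule together with the policy-routing entries that make a mark actually select link 2, as one script (an added example, not part of the original question or answer). The interface names, the link2 gateway, the routing-table number and the MASQUERADE rule are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Assumed topology (not from the post): LAN 192.168.1.0/24 on eth2,
# link2 (OI) on eth1 with gateway 10.0.2.1, routing table 2 for mark 2.
LAN_IF=eth2
LAN_NET=192.168.1.0/24
LINK2_IF=eth1
LINK2_GW=10.0.2.1
SQUID_PORT=3128
MARK=2

# Execute a command, or just print it when DRY_RUN=1 (for review/testing).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

install_rules() {
  # 1. Policy routing: packets carrying mark 2 are routed via link2.
  run ip rule add fwmark "$MARK" table "$MARK"
  run ip route add default via "$LINK2_GW" dev "$LINK2_IF" table "$MARK"

  # 2. Forwarded LAN traffic on the listed ports: mark in mangle PREROUTING
  #    (this is the question's rule; it only sees packets passing through).
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
      -m multiport --dports 25,80,3128,443,587,5938 -j MARK --set-mark "$MARK"

  # 3. Transparent proxy: LAN port 80 is redirected to squid on the firewall,
  #    so the connection to the web server is now made by squid itself.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
      --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

  # 4. Squid's outbound HTTP is locally generated and never hits PREROUTING,
  #    so mark it in OUTPUT (the answer's rule), excluding internal servers.
  run iptables -t mangle -A OUTPUT -p tcp ! -d 192.168.0.0/16 --dport 80 \
      -j MARK --set-mark "$MARK"

  # 5. Source NAT on link2 so replies return over the same link (assumption).
  run iptables -t nat -A POSTROUTING -o "$LINK2_IF" -j MASQUERADE
}
```

Run with `DRY_RUN=1 install_rules` first and read the output; the rules are appended, so re-running without a flush duplicates them.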