Archive for August 21st, 2009

3 Line ISP connection using iproute2

Friday, August 21st, 2009

Hi, it's Sami again. This time we will be setting up a 3-line ISP connection on our squid server.
This is intended for static routing only; we are working on setting it up dynamically.
As usual we will be using Debian 5 (Lenny), although this is not a fresh install: we are continuing our squid install for SSWC.

First of all, install iproute2 since it is not in base.

apt-get install iproute2

Now we need a script to set up our routes.

First of all we will add the routing tables that we use.

echo "1 First_eth1" >> /etc/iproute2/rt_tables
echo "2 Second_eth2" >> /etc/iproute2/rt_tables
echo "3 Third_eth3" >> /etc/iproute2/rt_tables

Variables

# Networks carry a prefix length: "ip route add 192.168.16.0 dev eth1" without one
# adds a /32 host route, not the subnet. /24 is assumed from the addresses used here.
P0_NET=192.168.1.0/24
P1_NET=192.168.16.0/24
P2_NET=192.168.67.0/24
P3_NET=192.168.40.0/24

P1=192.168.16.1
P2=192.168.67.1
P3=192.168.40.1

IF0=eth0
IF1=eth1
IF2=eth2
IF3=eth3

IP0=192.168.1.1
IP1=192.168.16.114
IP2=192.168.67.2
IP3=192.168.40.2

T1=First_eth1
T2=Second_eth2
T3=Third_eth3

Adding routes

# Each ISP gets its own table holding the connected network and a default route
# through that ISP's gateway. The connected route is also added to the main table;
# if the address was configured with a netmask it is already there and "ip"
# answers "RTNETLINK answers: File exists", which is harmless.
ip route add $P1_NET dev $IF1 src $IP1 table $T1
ip route add default via $P1 table $T1
ip route add $P1_NET dev $IF1 src $IP1

ip route add $P2_NET dev $IF2 src $IP2 table $T2
ip route add default via $P2 table $T2
ip route add $P2_NET dev $IF2 src $IP2

ip route add $P3_NET dev $IF3 src $IP3 table $T3
ip route add default via $P3 table $T3
ip route add $P3_NET dev $IF3 src $IP3

Adding rules

Packets sourced from an ISP address are looked up in that ISP's table, so replies leave through the interface they arrived on.

ip rule add from $IP1 table $T1
ip rule add from $IP2 table $T2
ip rule add from $IP3 table $T3

Each ISP table also needs routes to the LAN, to the other two ISP networks and to loopback; otherwise locally destined traffic from $IP1, $IP2 or $IP3 would be sent to that ISP's gateway.

ip route add $P0_NET dev $IF0 table $T1
ip route add $P2_NET dev $IF2 table $T1
ip route add $P3_NET dev $IF3 table $T1
ip route add 127.0.0.0/8 dev lo table $T1

ip route add $P0_NET dev $IF0 table $T2
ip route add $P1_NET dev $IF1 table $T2
ip route add $P3_NET dev $IF3 table $T2
ip route add 127.0.0.0/8 dev lo table $T2

ip route add $P0_NET dev $IF0 table $T3
ip route add $P1_NET dev $IF1 table $T3
ip route add $P2_NET dev $IF2 table $T3
ip route add 127.0.0.0/8 dev lo table $T3

Adding nexthops and weights. This gives the main table a multipath default route that balances outgoing traffic over the three gateways (by route, not by packet); the kernel needs multipath routing support (CONFIG_IP_ROUTE_MULTIPATH) for this.

ip route add default scope global \
nexthop via $P1 dev $IF1 weight 1 \
nexthop via $P2 dev $IF2 weight 1 \
nexthop via $P3 dev $IF3 weight 1

We had a lot of problems with this.
Just remember one important thing!
Running this with all eth{1,2,3} on the same network with the same gateway will NOT work.
Our gateway actually mixed up all of our interfaces and added the MAC address for eth1 to eth2 and eth3 in its ARP table.
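Two helpers for the script above, added here as an example and not part of Sami's post: the first registers the rt_tables entries only once (the echo >> lines above append a duplicate every time the script is re-run), the second checks the ISP gateways against the warning above by refusing to go on when two of them lie in the same subnet. It assumes POSIX sh, IPv4 and the same prefix length on all uplinks (the post's addresses look like /24s); the RT_TABLES variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: two helpers for the 3-uplink
# routing script. ensure_rt_table registers a table name only once, and
# check_uplinks_distinct refuses to continue when two ISP gateways sit in the
# same subnet, which is the case the post warns will not work.
# Assumptions: POSIX sh, IPv4 only, same prefix length on every uplink.

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# ensure_rt_table <id> <name>: append "<id> <name>" to rt_tables unless present.
# Fails if the id is already bound to a different name.
ensure_rt_table() {
    if grep -Eq "^[[:space:]]*$1[[:space:]]+$2([[:space:]]|\$)" "$RT_TABLES" 2>/dev/null; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*$1[[:space:]]" "$RT_TABLES" 2>/dev/null; then
        echo "table id $1 is already used by another name in $RT_TABLES" >&2
        return 1
    fi
    printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
}

# ip2int <a.b.c.d>: dotted quad to a 32-bit integer so it can be masked.
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet <ip_a> <ip_b> <prefixlen>: succeed if both lie in one subnet.
same_subnet() {
    _a=$(ip2int "$1")
    _b=$(ip2int "$2")
    # 4294967295 is 0xFFFFFFFF; shift left and re-mask to get the netmask.
    _mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( _a & _mask )) -eq $(( _b & _mask )) ]
}

# check_uplinks_distinct <prefixlen> <gw1> <gw2> ...: fail if any two gateways
# share a subnet. Policy routing cannot keep such links apart, and the ARP
# mix-up described in the post is the result.
check_uplinks_distinct() {
    _plen=$1
    shift
    for _g1 in "$@"; do
        shift                      # compare each gateway with the ones after it
        for _g2 in "$@"; do
            if same_subnet "$_g1" "$_g2" "$_plen"; then
                echo "gateways $_g1 and $_g2 share a /$_plen; use a separate network per uplink" >&2
                return 1
            fi
        done
    done
    return 0
}

# register_post_tables: the three entries from the post, added idempotently.
register_post_tables() {
    ensure_rt_table 1 First_eth1 &&
    ensure_rt_table 2 Second_eth2 &&
    ensure_rt_table 3 Third_eth3
}

# Sanity check with the post's gateways; run register_post_tables as root
# (or with RT_TABLES pointed at a scratch file) before the ip route commands.
check_uplinks_distinct 24 192.168.16.1 192.168.67.1 192.168.40.1 &&
    echo "uplinks are on distinct subnets"
```

Source the file and call register_post_tables as root before the ip route lines, or point RT_TABLES at a scratch file to try it first. Once the routes are in, ip route get with a from address (for example ip route get <public address> from $IP2) shows which table and gateway a given source address is using, which is the quickest way to confirm the rules took effect.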

iptables is also needed for this configuration; something like this lets the replies coming back on the three uplinks in.

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT

Adding masquerading, so LAN traffic leaving on any uplink is rewritten to that uplink's address.

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth3 -j MASQUERADE

Transparent proxy running cache on ramdisk.

Friday, August 21st, 2009

Hi my name is Sami.
This is my first blog post so it might not make sense at all to some.

We wanted to run a transparent proxy for the SSWC event here in Sweden.
What we ended up with was pretty nice actually.

So, we started by installing squid and dhcp3-server on a new machine.
We are using a fresh install of Debian 5 (Lenny).

apt-get install dhcp3-server
apt-get install squid

I won't go through how to set up the DHCP server; we just set the scope to the 192.168.1.0/24 net.
Now that we have squid installed we need to configure it.

As they say, the default configuration in squid will take you very far.

What our configuration does is the following:
Transparency:

http_port 8080 transparent

YouTube caching for videos:

refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
quick_abort_min -1 KB
maximum_object_size 4 GB
acl youtube dstdomain .youtube.com
icp_access allow youtube
cache allow youtube

Ramdisk caching:
Since some 2.4 kernels and all 2.6 kernels there is a tmpfs driver that keeps a filesystem in RAM.
You will want to set something up at boot, though: memory is cleared on reboot,
so our squid cache directory will no longer exist and its permissions will be gone as well.

cache_dir aufs /dev/shm/squid 1014 16 256

Caching webdata:

cache allow all

Even though http_port 8080 transparent is set, that is not enough.
Our server must intercept all port 80 connections coming from the LAN and redirect them to port 8080 on the squid server.
This is easily done with iptables. The rule sits in the nat PREROUTING chain, so it only touches traffic entering from the LAN interface; squid's own outbound requests (locally generated, OUTPUT chain) are not caught by it.

# -i takes an interface name: eth0 is the LAN interface holding 192.168.1.1 (see the routing post)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

This is all that is needed for squid.
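The post points out that /dev/shm is wiped at reboot, taking the squid cache directory and its permissions with it, but does not show the boot-time fix. Here is one, added as an example and not part of the original post: a small sh script that reads the cache_dir line from squid.conf, checks that the tmpfs behind it actually has room for the declared size (tmpfs defaults to half of RAM, so the 1014 MB above is not guaranteed to fit), and recreates the directory with the right owner before squid initialises its swap directories. It assumes Debian's squid user "proxy" and "squid -z" for initialisation; SQUID_CONF and SQUID_USER are knobs I added so the helpers can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original post: boot-time preparation for the
# squid cache on tmpfs. /dev/shm is emptied at every reboot, so the cache
# directory and its permissions must be recreated before squid starts.
# Assumptions: the cache_dir line has the post's shape
# ("cache_dir aufs /dev/shm/squid 1014 16 256"), the squid user is Debian's
# "proxy", and "squid -z" creates the swap directories. SQUID_CONF and
# SQUID_USER are overridable so the helpers can be exercised on a scratch dir.

# cache_dir_from_conf <squid.conf>: print "<path> <size_mb>" of the first cache_dir.
cache_dir_from_conf() {
    awk '$1 == "cache_dir" { print $3, $4; exit }' "$1"
}

# free_mb <path>: free megabytes on the filesystem that will hold <path>
# (walks up to the nearest existing parent, since the cache dir may not exist yet).
free_mb() {
    _p=$1
    while [ ! -d "$_p" ]; do _p=$(dirname "$_p"); done
    df -Pk "$_p" | awk 'NR == 2 { print int($4 / 1024) }'
}

# check_cache_fits <path> <size_mb>: fail when the backing filesystem has less
# free space than cache_dir declares. tmpfs defaults to half of RAM, so a
# 1014 MB cache on a small box would otherwise fill /dev/shm at run time.
check_cache_fits() {
    _avail=$(free_mb "$1")
    if [ "$_avail" -lt "$2" ]; then
        echo "$1: ${_avail} MB free but cache_dir wants $2 MB" >&2
        return 1
    fi
    return 0
}

# prepare_cache_dir <path> <owner>: recreate the directory with owner and mode,
# then let squid build its swap directories if they are missing.
prepare_cache_dir() {
    mkdir -p "$1" || return 1
    chown "$2" "$1" || return 1
    chmod 750 "$1" || return 1
    if command -v squid >/dev/null 2>&1 && [ ! -d "$1/00" ]; then
        squid -z || return 1
    fi
    return 0
}

# boot_prepare_squid_cache: glue for /etc/rc.local, run before /etc/init.d/squid start.
boot_prepare_squid_cache() {
    _conf=${SQUID_CONF:-/etc/squid/squid.conf}
    _owner=${SQUID_USER:-proxy}
    set -- $(cache_dir_from_conf "$_conf")
    if [ -z "$1" ]; then
        echo "no cache_dir line in $_conf" >&2
        return 1
    fi
    check_cache_fits "$1" "$2" || return 1
    prepare_cache_dir "$1" "$_owner"
}
```

Call boot_prepare_squid_cache from /etc/rc.local (or a small init script ordered before squid) so the directory exists every time the box comes up; squid's own start will then find its swap directories in place instead of failing on a missing /dev/shm/squid.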