I have two interfaces on an ipcop machine, eth1 (public) and eth0 (local LAN). Transparent SQUID is listening and caching on eth0, and all traffic is routed from there across eth1 for public web access. As eth1 is getting too slow, I want to split certain endpoint traffic via different DSL gateways.

Current eth0 is 192.168.1.1, eth1 is dynamic.

I've created eth0:0 as 192.168.50.1 and have set SQUID's tcp_outgoing_connection to 192.168.50.1. The DSL router IP is 192.168.50.250.

I've added the route for 192.168.50.0/24 to be 192.168.50.250.

I can ping external servers via this route, but don't get any traffic back via squid (I can see the connection outgoing from 192.168.50.1:800 to 192.68.50.250 but it stops there).

On eth0 all traffic is allowed across the eth0-network.

What am I missing? What iptables / route settings must I change? Do I need postroute masquerading?

Using a desktop machine, I can browse at will with 192.168.50.250 as my gateway.

I can't use iproute2 or any of those options...

Help?

Y.P.

1 Answer

Basically, you'll need iproute2 functionality since what you are doing is source-based routing:

echo 1 squid >> /etc/iproute2/rt_tables               # register table id 1 under the name "squid"
ip route add default via 192.168.50.250 table squid   # that table's only route: default via the DSL router
ip rule add from 192.168.50.1 lookup squid            # packets sourced from squid's alias address use it

Apparently the ipcop kernel is built without the FWMARK featureset, so this won't work for you. There also has been a "ROUTE" target for iptables once in patch-o-matic which could do the same, but I believe its development has been abandoned as the behavior is redundant and the functionality is inferior to iproute2. I also don't think it has been included with recent ipcop releases - you would have to compile it yourself and add it to your ipcop installation.

A quick search turned up a precompiled version for an outdated 1.4.15 version of ipcop (probably won't work with more recent versions, but you can give it a try) - there might be more recent builds, you should ask on the ipcop mailing lists or forums if you don't want to compile it yourself.

the-wabbit
  • Thanks, syneticon-dj! I just copy the precompiled version to /lib/modules/2.4.36/kernel/net/ipv4/netfilter right? Any iptables rules I need to add (I'll see if I can bake a more up-to-date ipt_ROUTE.o.gz)? – Y.P. Sep 22 '11 at 12:31
  • I do not know where the iptables modules would be located with ipcop, but the directory you state is a commonly used destination. If it is there in your installation and contains other netfilter target module files, then this is the right place. You would obviously need something like `iptables -t mangle -A PREROUTING -s 192.168.50.1 -j ROUTE --gw 192.168.50.250` in place for it to work. – the-wabbit Sep 22 '11 at 14:33
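The iproute2 snippet in the answer appends to rt_tables blindly, which duplicates the entry on every re-run and silently collides if id 1 or the name is already taken. This added example (not from the answer or from ipcop) registers the table idempotently and then checks the resulting policy route; it works on a constructed rt_tables copy and constructed `ip rule` / `ip route` output, so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the original answer. RT_TABLES defaults to a
# constructed temp copy of /etc/iproute2/rt_tables so this runs unprivileged.
RT_TABLES="${RT_TABLES:-$(mktemp)}"
cat > "$RT_TABLES" <<'EOF'
# constructed: the reserved entries shipped with iproute2
255	local
254	main
253	default
0	unspec
EOF

# add_rt_table ID NAME: append "ID NAME" unless already present.
# Returns 0 when present or added, 1 when ID or NAME is taken by another entry.
add_rt_table() {
    id="$1"; name="$2"
    # awk exit: 0 = exact entry present, 1 = conflicting entry, 2 = absent
    if awk -v id="$id" -v name="$name" '
          /^[[:space:]]*#/ || NF < 2 { next }
          $1 == id && $2 == name   { found = 1; next }
          $1 == id || $2 == name   { conflict = 1 }
          END { exit (conflict ? 1 : (found ? 0 : 2)) }' "$RT_TABLES"; then
        rc=0
    else
        rc=$?
    fi
    [ "$rc" -eq 0 ] && return 0
    [ "$rc" -eq 1 ] && return 1
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# policy_route_ok SRC GW RULES ROUTES: RULES is the text of `ip rule show`,
# ROUTES the text of `ip route show table squid`. Succeeds only when a rule
# sends traffic from SRC to table squid and that table's default route is GW.
policy_route_ok() {
    src=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    gw=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$3" | grep -Eq "^[0-9]+:[[:space:]]+from ${src}(/32)? lookup squid" || return 1
    printf '%s\n' "$4" | grep -Eq "^default via ${gw}( |$)"
}

# Constructed command output from a box configured as in the answer.
RULES='0:	from all lookup local
32765:	from 192.168.50.1 lookup squid
32766:	from all lookup main
32767:	from all lookup default'
ROUTES='default via 192.168.50.250 dev eth0'
```

On a real system drop the RT_TABLES override and feed `policy_route_ok` the live output of `ip rule show` and `ip route show table squid`.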