[squid-users] iptables setup for tcp_outgoing_address

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jul 9 21:37:57 UTC 2018


Just to make sure things are understood.

There is one big difference between Windows and Linux in handling connections and traffic.

Linux can accept traffic on a specific interface but route the outgoing packet via another interface.

It’s a feature of the Linux Routing and Networking Kernel stack.

Sometimes it can bite the admin/user, and while on Windows the connection (TCP) will always be routed or
put into the right cable, in Linux you need a little bit of connection marking, mangling and routing marking to make sure that
the traffic will be passed to the right gateway.

 

It’s a bit hard to understand what happens currently on your system.

 

All The Bests,

Eliezer

 

----

 <http://ngtech.co.il/lmgtfy/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



 

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of davidjesse091 at aol.com
Sent: Saturday, June 16, 2018 7:16 AM
To: rousskov at measurement-factory.com; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] iptables setup for tcp_outgoing_address

 

I tried curl --interface 172.16.11.107 http://www.example.com yesterday and it worked fine, but now it looks like it does not work. Just hangs forever. So there is an issue there for sure. I will try to find out why it's not working.



-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com>
To: davidjesse091 <davidjesse091 at aol.com>; squid-users <squid-users at lists.squid-cache.org>
Sent: Fri, Jun 15, 2018 11:43 pm
Subject: Re: [squid-users] iptables setup for tcp_outgoing_address

On 06/15/2018 05:12 PM, davidjesse091 at aol.com wrote:

> if I use another interface's IP address
> for tcp_outgoing_address on my Linux machine then web pages don't load.

Does using "another interface" IP address work with curl or wget
executed on the Squid Linux box?

curl --interface 172.16.11.107 http://www.example.com
wget --bind-address=172.16.11.107 http://www.example.com


Alex.


> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> To: davidjesse091 <davidjesse091 at aol.com>; squid-users
> <squid-users at lists.squid-cache.org>
> Sent: Fri, Jun 15, 2018 7:01 pm
> Subject: Re: [squid-users] iptables setup for tcp_outgoing_address
> 
> On 06/15/2018 04:42 PM, davidjesse091 at aol.com wrote:
> 
>> I want to connect to Squid proxy using 192.168.1.212 and if I am
>> connecting using port 11000,
> 
> I assume you meant "connecting to port 11000" (there is also the client
> source port, but it should not matter here).
> 
> 
>> I want squid to have the traffic go out of the 172.16.11.107 IP
> 
> 
>> http_port 11000 name=port_11000
>> acl port_11000_acl myportname port_11000
>> tcp_outgoing_address 172.16.11.107 port_11000_acl
> 
> Looks good to me, provided all your outgoing traffic goes to IPv4
> addresses (no IPv6).
> 
> 
>> What would I need to do with iptables to make this work?
> 
> Why do you think you need iptables? What does not work if you do not use
> IP tables?
> 
> 
> Alex.
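
An added example, not part of any message in this thread: one way to make traffic that Squid binds to 172.16.11.107 leave through that address's own gateway, using a source-address routing rule rather than the packet marks mentioned above. The device eth1, the gateway 172.16.11.1 and table number 100 are assumptions; only 172.16.11.107 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: prints the commands;
# APPLY=1 as root also executes them. eth1, 172.16.11.1 and table 100 are
# assumed values; only 172.16.11.107 comes from the thread.
APPLY=${APPLY:-0}

run() {
    echo "$*"
    if [ "$APPLY" = "1" ]; then "$@"; fi
}

valid_ipv4() {
    # Dotted quad with octets 0..255; also keeps option-like strings out of argv.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

route_by_source() {
    src=$1 dev=$2 gw=$3 table=${4:-100}
    valid_ipv4 "$src" && valid_ipv4 "$gw" || { echo "bad IPv4 address" >&2; return 1; }
    # Separate table whose only route is a default via the second uplink.
    run ip route replace default via "$gw" dev "$dev" table "$table"
    # Packets whose source is already $src consult that table before "main".
    run ip rule add from "$src" lookup "$table"
    # Ask the kernel which path it now picks (192.0.2.1: constructed destination).
    run ip route get 192.0.2.1 from "$src"
}

route_by_source 172.16.11.107 eth1 172.16.11.1
```

Because the rule matches on the source address, the reverse-path check for replies arriving on the second interface resolves through the same table. Running the applied form twice can leave a duplicate rule, so check `ip rule show` before re-applying.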
