Re: [squid-users] multiple gateways

From: Brent Clark <bclark@dont-contact.us>
Date: Tue, 24 Jan 2006 12:12:18 +0200

Gert Brits wrote:
> Hi all
>
> Need some help on the following
>
> The company has two internet lines, so there are two gateways on the
> network.
>
> They have one Linux Fedora 3 firewall, with 3 network cards.
>
> ETH0 = internal
> ETH1 = external ( gateway 1 )
> ETH2 = DSL ( gateway 2 )
>
> I need to split the browsing traffic for some people in the company
>
> I have been given 12 IP addresses; they must use the DSL link (ETH2) and the
> rest must use the EXTERNAL link (ETH1).
>
> Please help

Hi

This is not a squid issue, but a routing issue.

I suggest you refer to LARTC and read the Advanced Routing HOWTO.

In the meantime, here is my routing script.
==============================================================

## Table "DSL" must be declared in /etc/iproute2/rt_tables for the name to resolve
ip route flush table DSL >/dev/null

## Copy every non-default route from the main table into table DSL,
## so that marked packets can still reach the directly attached networks
ip route show table main | grep -Ev '^default' \
   | while read ROUTE ; do
     ip route add table DSL $ROUTE
  done

## Add the ADSL gateway as the default route of table DSL

ip route add default via 192.168.10.200 dev eth2 table DSL >/dev/null

## Send packets carrying fwmark 1 to table DSL
## (ip rule add does not de-duplicate; running this twice adds the rule twice)

ip rule add fwmark 1 table DSL >/dev/null
ip route flush cache
=============================================================

Here is part of my rule set:
#!/bin/sh -

IPT=/sbin/iptables

# Public addresses used for SNAT below; abort loudly if they are not set
EXTERNALIPFORETH0=${EXTERNALIPFORETH0:?set to the public address on eth0}
EXTERNALIPFORETH2=${EXTERNALIPFORETH2:?set to the public address on eth2}

# Rules for gateway
# (in this script eth1 is the LAN side and eth0/eth2 are the two uplinks)

echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/ip_forward   # forwarding stays off until the rules are loaded

# Clear / flush all the rules from the different chains and tables

$IPT --flush
$IPT --flush INPUT               # Flush the INPUT chain
$IPT --flush OUTPUT              # Flush the OUTPUT chain
$IPT --flush FORWARD             # Flush the FORWARD chain
$IPT -t nat --flush              # Flush the nat table
$IPT -t mangle --flush           # Flush the mangle table
$IPT --delete-chain              # Delete any pre-existing user chains
$IPT -t nat --delete-chain       # Delete any pre-existing user chains from the nat table
$IPT -t mangle --delete-chain    # Delete any pre-existing user chains from the mangle table

# Default policies: drop anything the rules below do not explicitly accept
$IPT --policy INPUT DROP         # Default policy for the INPUT chain
$IPT --policy FORWARD DROP       # Default policy for the FORWARD chain
$IPT --policy OUTPUT DROP        # Default policy for the OUTPUT chain

# nat and mangle keep a default policy of ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT

# Allow unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# SNAT the private LAN to the address of whichever uplink the routing decision picked
$IPT -t nat -A POSTROUTING -o eth0 -s 192.168.111.0/24 -j SNAT --to-source $EXTERNALIPFORETH0
$IPT -t nat -A POSTROUTING -o eth2 -s 192.168.111.0/24 -j SNAT --to-source $EXTERNALIPFORETH2

# Replies and related packets of already accepted connections
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new HTTP connections from the LAN (eth1) out via eth2
$IPT -t filter -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Re-enable forwarding now that the rule set is in place
echo 1 > /proc/sys/net/ipv4/ip_forward

You need to switch off rp_filter.

HTH

Kind Regards
Brent Clark
Received on Tue Jan 24 2006 - 03:12:28 MST
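The following is an added example, not Brent's script or anything from the squid project, that puts the pieces of the reply together for the interface layout in the question (eth0 = LAN, eth1 = gateway 1, eth2 = DSL): a mangle rule marks packets from the twelve chosen hosts, an ip rule steers marked packets to a table whose only route is a default via the DSL gateway, rp_filter is switched off as Brent says, and each uplink gets its own SNAT address. Every address, the twelve hosts, the table number 100, the chain name DSLMARK and the rule preference 1000 are constructed placeholders, not values from the thread. The script prints the commands by default and only executes them when called with `apply`.

```shell
#!/bin/sh
# Added example (not from the original thread): source-based split over two
# uplinks for the layout in the question.  Packets from DSL_HOSTS get fwmark 1
# in mangle/PREROUTING; an ip rule sends marked packets to routing table 100,
# whose only route is a default via the DSL gateway.  Everyone else follows
# the main table's default route via eth1.
#
# All addresses are constructed placeholders (RFC 5737 test networks).
#   sh split-route.sh          # print the commands (default)
#   sh split-route.sh apply    # execute them (root)

LAN_IF=eth0
WAN1_IF=eth1
WAN2_IF=eth2
LAN_NET=192.168.111.0/24
GW2=192.0.2.1            # DSL gateway on eth2 (constructed)
WAN1_IP=203.0.113.10     # our address on eth1, used for SNAT (constructed)
WAN2_IP=192.0.2.10       # our address on eth2, used for SNAT (constructed)
DSL_MARK=1
DSL_TABLE=100            # numeric id: needs no /etc/iproute2/rt_tables entry
DSL_PREF=1000            # rule preference: after "local" (0), before "main" (32766)
# The twelve hosts that must use the DSL link (constructed)
DSL_HOSTS="192.168.111.21 192.168.111.22 192.168.111.23 192.168.111.24
           192.168.111.25 192.168.111.26 192.168.111.27 192.168.111.28
           192.168.111.29 192.168.111.30 192.168.111.31 192.168.111.32"

# Emit the commands one per line; "apply" pipes this into sh -e.
gen_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Replies to DSL-routed connections arrive on eth2 from sources the main
    # table would route via eth1; strict reverse-path filtering drops them.
    for i in all $LAN_IF $WAN1_IF $WAN2_IF; do
        echo "echo 0 > /proc/sys/net/ipv4/conf/$i/rp_filter"
    done

    # Routing table for marked traffic: only a default via the DSL gateway.
    echo "ip route flush table $DSL_TABLE"
    echo "ip route add default via $GW2 dev $WAN2_IF table $DSL_TABLE"
    # Remove any earlier copy of the rule first (ip rule add does not de-duplicate).
    echo "while ip rule del pref $DSL_PREF 2>/dev/null; do :; done"
    echo "ip rule add pref $DSL_PREF fwmark $DSL_MARK table $DSL_TABLE"
    echo "ip route flush cache"

    # Mark packets from the DSL hosts, except traffic that stays on the LAN,
    # so the table's default route never captures local destinations.
    echo "iptables -t mangle -F PREROUTING"
    echo "iptables -t mangle -N DSLMARK 2>/dev/null || iptables -t mangle -F DSLMARK"
    for h in $DSL_HOSTS; do
        echo "iptables -t mangle -A DSLMARK -s $h ! -d $LAN_NET -j MARK --set-mark $DSL_MARK"
    done
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j DSLMARK"

    # Each uplink needs its own SNAT address; the outgoing interface decides.
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN1_IF -j SNAT --to-source $WAN1_IP"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN2_IF -j SNAT --to-source $WAN2_IP"

    # Forwarding policy: the LAN may open connections out either uplink,
    # replies come back by state, nothing is forwarded between the uplinks.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN1_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN2_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
}

# Number of hosts that will be marked (sanity check against the "12" in the question).
dsl_host_count() {
    set -- $DSL_HOSTS
    echo $#
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) gen_rules | sh -e ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

The mark is applied in PREROUTING because that is the only hook that runs before the routing decision for forwarded packets; marking in FORWARD would be too late. Only INPUT/OUTPUT are left alone here, so combine this with a host firewall such as the one in the reply above. On kernels from 2.6.31 onward, `rp_filter=2` (loose mode) on eth2 is a smaller relaxation than switching the filter off entirely and is enough for the asymmetric case the DSL link creates.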