I want to implement a policy based routing rule that redirects all traffic received on certain TCP ports. So for example redirect port 80 to our internal squid proxy, that is running in transparent mode listening on port 80. I've had a play with attempting to do this with a rule using a specific gateway, and a server pool without success.
Is this possible, and if so how do I accomplish it?
I've just tried sticking the proxy on an OPT interface, and setting the proxy IP address as the gateway in a load balancer and creating a policy rule to redirect to it.
Only problem was the firewall didn't seem to accept traffic coming back from the gateway - the proxy could no longer get out onto the internet. Doh!
Set up a load balancer pool using your internal squid proxy as a "gateway".
Set up a LAN rule that redirects all port 80 TCP traffic whose source is NOT the squid proxy to the squid load balancer pool.
Myself, with dual WAN connections, have another rule that redirects port 80 traffic from my web proxy out through a failover pool.
My squid proxy, running Linux, has an iptables rule that redirects the web requests from internal IP addresses to port 8080 that squid is listening on. I can't recall if you can get it to work transparently if you have it listening on port 80. My rule is:
iptables -t nat -A PREROUTING -i eth0 ! -d <proxy ip address> -p tcp --dport 80 -j REDIRECT --to-ports 8080
Well… I created a Load Balancer with the squid proxy as a server entry. I set a LAN rule up so that only traffic from my PC IP address on TCP port 80 uses the balancer pool previously created. Nothing happened.
With a gateway load balancer pool, you can only select interfaces, not servers?
OK, I managed to set up the Load Balancer rule by manually editing the config.xml. According to my packet sniffer the HTTP traffic is now being redirected to my internal squid proxy server. Just can't get the transparent proxy working on port 80 as you said. Will have to play with getting it to run on another port and setting up IPFilter. Just gotta remember how to do that under Solaris ;)
All working :)
For anyone that is interested:
I configured a Load Balancing Gateway pool, set up with any interface and a monitor IP of the proxy server.
I edited config.xml, and changed the interface in the pool above to the IP address of the proxy server. Reupload if edited offline, just reboot if edited on the server.
Configure squid to run transparently on a port other than 80. I chose 3128 (the default) "http_port 192.168.10.246:3128 transparent" in Squid 2.6.
Configure a NAT rule to redirect requests on port 80 to the port you chose above. dwadson posted a Linux rule earlier in this thread; under Solaris I used:
rdr bge0 0.0.0.0/0 port 80 -> 192.168.10.246 port 3128
Start Squid and enjoy :)
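The following is an added example, not code from this thread or from any of the posters. It models the two-layer setup the thread arrives at (the firewall policy-routes LAN port 80 to the proxy while excluding the proxy's own traffic, and the proxy host redirects port 80 to the port squid listens on) and generates the matching squid.conf line, Linux iptables rule and Solaris ipnat rule. The classify_flow function reproduces the combined rule logic so the loop the thread ran into (the proxy's own outbound web fetches being sent back to the proxy, which is what makes it "unable to get out onto the internet") is visible on constructed flows. The proxy IP 192.168.10.246, port 3128 and interface bge0 are taken from the thread; eth0, the client address 192.168.10.50 and the destination 93.184.216.34 are assumptions.

```shell
#!/bin/sh
# Added example: transparent-proxy redirect policy and the rules that implement it.
# Not the thread's own code; see the lead-in for which values are assumed.

PROXY_IP=192.168.10.246   # from the thread
SQUID_PORT=3128           # from the thread (squid's default port)
LAN_IF=eth0               # assumed Linux-side LAN interface name
SOL_IF=bge0               # from the thread's Solaris rule

# Decide what the redirect policy does with a flow.
# Arguments: src dst dport. Prints "redirect" or "pass".
# Only TCP/80 is redirected, and never when the proxy is the source (its own
# outbound fetches would otherwise loop back to it, which is the firewall
# LAN rule's "source is NOT the squid proxy" exclusion) or the destination
# (requests aimed at the proxy box itself, the "! -d" in the proxy-host rule).
classify_flow() {
  src=$1; dst=$2; dport=$3
  if [ "$dport" != 80 ]; then
    echo pass; return
  fi
  if [ "$src" = "$PROXY_IP" ] || [ "$dst" = "$PROXY_IP" ]; then
    echo pass; return
  fi
  echo redirect
}

# squid.conf line for Squid 2.6 as quoted in the thread. Squid 3.1 and later
# spell this option "intercept" instead of "transparent".
gen_squid_conf() {
  printf 'http_port %s:%s transparent\n' "$PROXY_IP" "$SQUID_PORT"
}

# Rule for a Linux proxy host: redirect port 80 arriving on the LAN interface
# to squid's local port, except traffic addressed to the proxy itself.
# Locally generated traffic (squid's own fetches) never traverses PREROUTING,
# so no source exclusion is needed here; it belongs in the firewall's LAN rule.
gen_iptables_rule() {
  printf 'iptables -t nat -A PREROUTING -i %s ! -d %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
    "$LAN_IF" "$PROXY_IP" "$SQUID_PORT"
}

# Equivalent ipnat.conf rule for a Solaris proxy host, with the protocol stated.
gen_ipf_rule() {
  printf 'rdr %s 0.0.0.0/0 port 80 -> %s port %s tcp\n' "$SOL_IF" "$PROXY_IP" "$SQUID_PORT"
}

# Stand-alone run: show the generated config and walk a few constructed flows.
gen_squid_conf
gen_iptables_rule
gen_ipf_rule
for f in "192.168.10.50 93.184.216.34 80" \
         "$PROXY_IP 93.184.216.34 80" \
         "192.168.10.50 $PROXY_IP 80" \
         "192.168.10.50 93.184.216.34 443"; do
  set -- $f
  printf '%s -> %s:%s  %s\n' "$1" "$2" "$3" "$(classify_flow "$1" "$2" "$3")"
done
```

Run it with `sh redirect-policy.sh`. The second constructed flow is the one that bit the thread: with the proxy as source it must come out as "pass"; if your firewall rule lacks that exclusion, the proxy's fetches are handed straight back to it.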