astronot79

Squid Out a Different Gateway

I have a centos server acting as a squid proxy and vsftpd server.  I would like almost all traffic to/from the server (including ftp traffic) going through gateway-a.  I'd like squid to go out gateway-b.

What is the easiest way to do this?
Arty K

> have a centos server acting as a squid proxy and vsftpd server

How many external IPs and NICs is it using?

> I would like almost all traffic to/from the server (including ftp traffic) going through gateway-a.

Are they (gateway-a and b) in the same subnet?

> I would like almost all traffic to/from the server (including ftp traffic) going through gateway-a

Is your centos box also a router (so it might choose which gateway to use)? If not, what is your router that has connections to both gateways?
Do you have two public IPs, so that incoming traffic comes from two different ISPs?

If so, set each of the two daemons to listen on its respective public IP. As for the outgoing traffic of the daemons, you can set up routing rules to send specific traffic out a specific gw.

As nopius said more info is needed.
astronot79

ASKER

Single NIC, single internal IP, two public IPs (one static, one dynamic) assigned to NAT firewalls. Both gateways are on the same subnet. No, the centos box isn't a router. The routing to each gateway is done with classless static routes for our dhcp clients. All devices with static IPs are routing out gateway-a intentionally.
> No, the centos box isn't a router.
Does the router run linux?
Does the squid box act only as a web proxy? Can it be identified by IP only on the router? So every packet with the squid box as source can fly through gateway-b?
There is no router sitting between the two gateways and the lan. The centos box *can* route; I have static routes set up to pass traffic on specific subnets out a specific gateway.

If I can set a route on the centos box to route traffic from squid to a specific gateway, it would probably work, but I don't know how to do this. It would also work if I could route all packets on port 80 to a specific gateway. This configuration would have to be done on the centos box, to route itself basically.
You can do routing based on source (instead of destination only)
http://www.wlug.org.nz/SourceBasedRouting
Ask if you need more help.
Here's a very quick and dirty map of where I'm trying to go:
map.jpg
And to have the full picture: the centos box has some services that should go through gw-a, but squid should hit gw-b?

Is it possible to give the centos box two IPs?
Then configure squid.conf with
tcp_outgoing_address the.secondary.ip

Then just two commands should do

/sbin/ip rule add from secondary.ip table 101 pref 101 # use alternative routing table for packets originating from secondary.ip
/sbin/ip route add default via 10.0.0.2 dev eth0 table 101 # and give the alternative routing table another gateway
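The two-IP approach above as a complete, re-runnable script (added example, not ravenpl's or the thread's code). It assumes Squid is bound to a secondary address with tcp_outgoing_address, and all addresses, the interface name and the internal prefixes are constructed placeholders. It adds one thing the two bare commands do not: a rule that sends internal destinations to the main table first, because table 101 holds only a default route and a default route matches every destination, including the inside DNS server and any static routes that live in main.

```shell
#!/bin/sh
# Added example: route only Squid's egress (source = secondary IP) via gateway-b.
# Placeholders are constructed; override them via the environment.
set -eu

IFACE="${IFACE:-eth0}"
SECONDARY_IP="${SECONDARY_IP:-10.0.0.50}"   # assumed: Squid's tcp_outgoing_address
GW_B="${GW_B:-10.0.0.2}"                    # gateway-b, as in the thread's example
TABLE="${TABLE:-101}"                       # alternative routing table, as in the thread
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/24 192.168.0.0/16}"  # assumed inside prefixes
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = apply (needs root)

# Print the iproute2 commands that implement the policy, in the order to apply them.
# Internal destinations are looked up in main at pref 100, before the pref-101 rule,
# so connected-subnet and static routes keep working for packets from SECONDARY_IP.
policy_commands() {
  for net in $INTERNAL_NETS; do
    echo "ip rule add from $SECONDARY_IP to $net lookup main pref 100"
  done
  echo "ip rule add from $SECONDARY_IP lookup $TABLE pref $TABLE"
  echo "ip route add default via $GW_B dev $IFACE table $TABLE"
}

# Apply (or, with DRY_RUN=1, just show) the commands.
apply_policy() {
  policy_commands | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else $cmd; fi
  done
}

# Ask the kernel which route it would pick for a destination when the source is
# the secondary IP, e.g. verify_route 198.51.100.10 and verify_route <inside dns>.
verify_route() {
  ip route get "$1" from "$SECONDARY_IP"
}

apply_policy
```

Run once with the defaults to inspect the commands, then with DRY_RUN=0 as root; verify_route against an external address should name gateway-b, and against the inside DNS server should show the existing main-table route.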
In this scenario, the box can only have one IP.
One more comment: in such a configuration even DNS requests from the 'squid' user will go to gateway B.
The primary DNS server is inside, and there's a static route in place to keep the inside traffic out of the gateway. Would this override that route?
> Would this override that route?

No, local traffic is not routed with 'default' route.