Mikrotik - External Squid - Simple Queue
Here is a short how-to on using an external proxy (Squid) for a network routed by a Mikrotik. It is a collection of things I searched for and asked around about, among them a chat with Bos Logan at LW.. feedback and corrections are welcome... My initial problem was that traffic originating from the proxy was not being accounted for, so it was not shaped by the Simple Queue .. OK, let's start from the beginning .. Suppose there are 2 Ethernet interfaces on the Mikrotik
Code:
[tjdykb@mt] > /interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R local ether 0 0 1500
and there is 1 public IP toward the backhaul plus 2 local IPs;
Code:
[tjdykb@mt] > /ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 202.149.69.109/29 202.149.69.104 202.149.69.111 public
1 172.16.5.1/29 172.16.5.0 172.16.5.7 local
2 172.16.9.1/30 172.16.9.0 172.16.9.3 local
The Squid box has the IP address 172.16.9.2..
and there are two NAT rules .. in these rules you can see that only traffic to dst-port 80 for the international link (!iix-ip) is passed to the proxy; iix-ip is an address-list holding the IIX IPs .. (there is already a tutorial on that)
Code:
[tjdykb@mt] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat in-interface=local src-address=172.16.5.0/29 protocol=tcp dst-port=80 dst-address-list=!iix-ip action=redirect to-ports=3128
1 chain=srcnat out-interface=public src-address-list=pelanggan action=masquerade
where we have enabled the built-in proxy on the Mikrotik with parent 172.16.9.2, whose Squid runs on port 3128
Code:
[tjdykb@mt] > /ip proxy print
enabled: yes
port: 3128
parent-proxy: 172.16.9.2:3128
maximal-client-connections: 1000
maximal-server-connections: 1000
Then the mangle rules .. there is an address-list "pelanggan" containing the IPs that are NAT'd ..
Code:
[tjdykb@mt] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; IIX-Intl Traffic
chain=prerouting src-address-list=pelanggan action=mark-connection new-connection-mark=Con Mark Semua passthrough=yes
1 chain=prerouting connection-mark=Con Mark Semua src-address-list=pelanggan dst-address-list=!iix-ip action=mark-connection
new-connection-mark=Con Mark Intl passthrough=yes
2 chain=prerouting connection-mark=Con Mark Intl action=mark-packet new-packet-mark=Intl Traffic passthrough=no
3 chain=prerouting connection-mark=Con Mark Semua action=mark-packet new-packet-mark=IIX Traffic passthrough=no
4 chain=output out-interface=local connection-mark=Con Mark Intl action=mark-packet new-packet-mark=Intl Traffic passthrough=no
Here is the simple queue ..
Code:
[tjdykb@mt] > /queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name="mine-intl" target-addresses=172.16.5.0/29 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=Intl Traffic direction=both priority=1
queue=default-small/default-small limit-at=64000/64000 max-limit=64000/64000 burst-time=1m/1m total-queue=default-small
1 name="mine-IIX" target-addresses=172.16.5.0/29 dst-address=0.0.0.0/0 interface=all parent=none packet-marks=IIX Traffic direction=both priority=1
queue=default-small/default-small limit-at=512000/512000 max-limit=2000000/2000000 burst-time=2m/2m total-queue=default-small
Mangle #0-#3 are the standard rules for marking which traffic is international and which is IIX, while mangle #4 marks the packets coming from the proxy toward the local network; without it that traffic is not accounted for by the Mikrotik and as a result is not shaped. I don't fully understand why .. please add to this..
A small addition: this is the iptables script on the proxy box; don't forget to put an acl for the Mikrotik's IP into squid.conf... (172.16.9.0/30)
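To make the role of mangle #4 concrete, here is an added Python model of the five mangle rules printed above (it is not part of the original post and not RouterOS code). It assumes the built-in proxy's reply to a client is a locally generated packet belonging to the same tracked connection as the redirected request; the iix-ip contents and the client/server addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Address lists from the post; iix-ip is a constructed stand-in (the real list is not shown).
PELANGGAN = [ip_network("172.16.5.0/29")]
IIX_IP = [ip_network("203.0.113.0/24")]

def in_list(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def mangle(pkt, conn_marks, with_rule4=True):
    """Return the packet-mark rules 0-4 would assign, or None if pkt stays unmarked.
    pkt: dict with chain, src, dst, out_if and conn (an id shared by every packet
    of one TCP connection, standing in for connection tracking)."""
    cid = pkt["conn"]
    if pkt["chain"] == "prerouting":
        if in_list(pkt["src"], PELANGGAN):
            conn_marks[cid] = "Con Mark Semua"              # rule 0 (passthrough)
            if not in_list(pkt["dst"], IIX_IP):
                conn_marks[cid] = "Con Mark Intl"           # rule 1 (passthrough)
        cm = conn_marks.get(cid)
        if cm == "Con Mark Intl":
            return "Intl Traffic"                           # rule 2
        if cm == "Con Mark Semua":
            return "IIX Traffic"                            # rule 3
    elif pkt["chain"] == "output" and with_rule4:
        if pkt["out_if"] == "local" and conn_marks.get(cid) == "Con Mark Intl":
            return "Intl Traffic"                           # rule 4
    return None

def classify(with_rule4=True):
    """Run three constructed packets through the model and return their marks."""
    marks = {}
    # client -> international web server; seen in prerouting before dstnat redirects it to 3128
    intl_req = dict(chain="prerouting", src="172.16.5.2", dst="198.51.100.10", out_if=None, conn="c1")
    # the built-in proxy answering that client: locally generated, so it only passes the output chain
    proxy_reply = dict(chain="output", src="172.16.5.1", dst="172.16.5.2", out_if="local", conn="c1")
    # client -> host on the iix-ip list; no dstnat rule, handled as plain IIX traffic
    iix_req = dict(chain="prerouting", src="172.16.5.2", dst="203.0.113.5", out_if=None, conn="c2")
    return {
        "intl_request": mangle(intl_req, marks, with_rule4),
        "proxy_reply": mangle(proxy_reply, marks, with_rule4),
        "iix_request": mangle(iix_req, marks, with_rule4),
    }

if __name__ == "__main__":
    print("with rule 4:   ", classify(True))     # proxy_reply gets "Intl Traffic"
    print("without rule 4:", classify(False))    # proxy_reply is None: unmarked, so unshaped
```

Without rule 4 the proxy's reply carries no packet-mark, so a queue keyed on packet-marks never sees the downstream half of the international traffic.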
Code:
#!/bin/sh
# ------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# ------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="172.16.9.2"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
#iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
That's the how-to, from a user for users.
A fairly important update;
so that our (Mikrotik) proxy port cannot be used from IPs that are not permitted, use the proxy access feature .. allow (private/allowed IPs).. deny all..
Code:
/ ip proxy access
add src-address=202.149.69.xx/29 action=allow comment="" disabled=no
add src-address=172.16.0.0/16 action=allow comment="" disabled=no
add action=deny comment="" disabled=no
