Vyatta – Forwarding traffic to Squid

If you are using Vyatta and want to transparently forward traffic at the router level to a separate Squid proxy you will find that the standard firewall configuration in Vyatta just isn’t up to the job (yet!).

The workaround is to use the /etc/rc.local file to make IPTables do the job for you, heres how we did it:

#!/bin/sh -e
# rc.local
# Modified to forward to squid cache
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will “exit 0″ on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.

SQUID=”″      # Internal address of our squid box

# Webcache jump to cache
echo Setting up jump to webcache

# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Don’t mark webcache traffic
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp –dport 80 -s $SQUID
# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp –dport 80 -d     #Don’t cache internal

# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp –dport 80 -d #IP address of site you want to exclude from going to the cache

# Now mark our traffic, we have a number of subnets on virtual interfaces we want to grab, if you aren’t using vifs simply use eth1 or whatever you are using
$IPTABLES -t mangle -A PREROUTING -j MARK –set-mark 3 -i eth3.102 -p tcp –dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK –set-mark 3 -i eth3.103 -p tcp –dport 80

# Send the marked traffic to table 2 (you can actaully use whatever table you want, i used 2 because we are using eth2 for the subnet squid is on.
$IP rule add fwmark 3 table 2

# set the default route for table 2, change eth2 for the interface you are on
$IP route add default via $SQUID dev eth2 table 2

# Make sure we exit
exit 0

Author: Ben King

My name is Ben King, I am a director of an Internet solutions company called bit10 ltd. My ultimate responsibility is to bring in the work that bit10 delivers. However I also do a myriad of other things, for example system design, and administration. Outside work I go out, I drink, I socialise, I cook, I have fun, oh and I play a little bit too much World of Warcraft!

9 thoughts on “Vyatta – Forwarding traffic to Squid”

  1. This supossed that squid listen in port 80 in $SQUID (I think), i tryng to do dnat the www packets in vyatta but dont work, i will test your script


  2. This seems to assume a seperate box running squid vs running squid on the vyatta host. The seperate squid box needs to either be listening on port 80 or redirecting to it’s squid port in it’s own IPTABLES configuration. I’m more familiar with configuring DNAT to deal with this by redirecting port 80 access to 3128 on another host. This should be possible from the Vyatta configs I’d imagine. Has anybody tried it with any luck?

  3. Sorry yes I failed to mention that is another nat rule on the squid box itself!

    You need something like:

    $IPTABLES -A PREROUTING -t nat -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 3128

    On the squid box.

    Interestingly the new beta of Vyatta I am currently testing (Islavista), has squid built in, its pretty good but currently is a little restrictive for the more advanced squid tamers of us out there… I am sure though Vyatta as usual will come up with the goods…

  4. Hi Ben,

    Sorry is my question is too stupid, but I have not tried yet your script, but wouldn’t be easier if we redirect to port 3128 directly from Vyatta, something like this, $IPTABLES -t mangle -A PREROUTING -j MARK –set-mark 3 -i eth3.102 -p tcp –dport 3128?

    I think that I will try your script today.

    Thanks for helping newbie people like me.


  5. Hello Ben, Thank for your tutorial, how if i using same vyatta including squid in one server.
    in your tutorial i see that its for separate squid box, how if same squid box tks

  6. Has anyone tried this on an EdgeRouter LITE? (vyatta under the covers)

    I set this up but it just doesn’t work at all for me. 🙁


Leave a Reply

Your email address will not be published. Required fields are marked *