switching to squid automatically in case of isa2000 failure

Post by turab » Fri Dec 16, 2005 4:28 pm

Salam,
I have 2 proxy servers:
ISA 2000, with IP 10.1.28.126
squid, with IP 10.1.28.94

Please tell me what additional settings I should make in order to divert all my clients automatically to the squid proxy in case of ISA failure.


Thanks in advance.

Re

Post by syedali999 » Fri Dec 16, 2005 5:00 pm

Hi,
If I were in the same situation, I could accomplish this in two ways:

1) Shut down / change the IP of the ISA and configure squid with the IP of the ISA.

*But I think you need it to be automatic, so this is not suitable for you.

2) Establish a firewall between the clients and the servers.
A little scripting is needed, which pings to test whether the server is on or not. If it doesn't get a response from ISA, it automatically flushes iptables and creates new rules which forward requests to squid.

The scenario will be something like this:
First it pings www.yahoo.com through ISA. If it doesn't respond, there is probably a link problem or the ISA server is down.
It immediately flushes the iptables rules (if you use iptables as the firewall) which were configured to forward requests to ISA,
and sets new rules to forward requests to squid instead of the ISA server.


However, one more thing in this scenario: your script must be run every 5 minutes or so to check the link. That is easy with crontab.

The fun part is scripting.

These are just my ideas. Maybe there are other ways to do this, but this would be my procedure if I had to set it up. You can wait for the seniors to comment on my approach or to give you another way.

I am waiting for more responses, too...

Post by azfar » Sat Dec 17, 2005 11:51 am

Pinging an external host is not a good idea, because most of the time cablenet links are in a bottleneck condition, so ping won't respond in that case. You should ping an IP at your ISP's end; this should respond any time the WAN connection is established.
Azfar Hashmi
Email : azfarhashmi@hotmail.com

Reverse proxy

Post by turab » Sat Dec 17, 2005 1:24 pm

Salam,
Is it possible to do it by using a reverse proxy?
If yes, then please tell me the steps.

Thanks in advance.

Regards,
Turab

Post by crazy_frog » Mon Dec 19, 2005 8:56 am

Dear syedali999,

I have no knowledge of scripting languages, but I am suffering with the same scenario and problems. I would be thankful if you could give us some detailed solution or scripts which could help us in this regard.

Thank You !!
Hâve á nice day !!

Post by syedali999 » Mon Dec 19, 2005 6:15 pm

crazy_frog wrote:
Dear syedali999,

I have no knowledge of scripting languages, but I am suffering with the same scenario and problems. I would be thankful if you could give us some detailed solution or scripts which could help us in this regard.

Thank You !!


As of now I don't have Linux installed, and I am not a bash programmer. You can create your own if you know iptables syntax and bash commands. I can only help you get started, but you can get help from Linux Phreak. He has excellent scripting skills and is, after all, my teacher. Maybe when he comes to this post he will help you...
Or in case of emergency you can send him a message.

Oh, by the way, let's revise some things.

First create a file (filename: checkconn):

touch checkconn

Edit the file to enter the code:

vi checkconn

Code (not sure whether it is correct or not, just examples):

#check ping
ping=/bin/ping
$ping -c 1 <your destination ip address>

#check response & Resume or change route :
I don't know how, but it can be done with a conditional expression, e.g. an if statement.

Theory:

If Ping Response = yes then dont do any thing just exit
exit 0
Else
iptables -F (flush)
and so on...
fi


#Save File :
Press ":" then write "write" and press enter.
Again press ":" then write "exit" and press enter.

Make the file executable with:
chmod u+x checkconn

Then start editing your crontab with:
crontab -e

and place your script there so that it runs automatically every 5 minutes.

That's the main concept, as I see it and according to my knowledge...

I would just recommend that you contact Linux Phreak. He is really a phreak and will help you a lot....

Thanks,

S. Rizvi

===============================
Customer Support Executive
Customer Support Department
World Online (TM)
E-mail: alirizvi@khi.wol.net.pk
================================

Post by syedali999 » Mon Dec 19, 2005 9:28 pm

Code:

#!/bin/sh
# Every 60 seconds, ping each monitored IP. After two failed pings in a
# row, add a NAT rule that redirects port 80 to squid on local port 3128.

while sleep 60
do
  for ip in 123.123.123.123 111.111.111.111
  do
    # -W 2 waits at most 2 seconds for a reply (on Linux, -t sets the TTL)
    if ping -c 1 -W 2 "$ip" >/dev/null
    then
      echo "$ip ok"
    else
      echo "$ip dropped one"
      sleep 10
      if ! ping -c 1 -W 2 "$ip" >/dev/null
      then
        echo "$ip dropped two, Changing Route"
        echo "could not ping $ip"
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
        echo "Route Changed Successfully"
      fi
    fi
  done
done 2>&1


I think it should work perfectly.
This is the address of the real script, which I then changed for your needs.

As I mentioned above, I am not a bash programmer. I am a VB programmer and only edited this script according to the theme and logic.
I will try it myself too.
It should not be run in any critical environment.
Suggestions and corrections will be appreciated.

Thanks,

S. Rizvi

===============================
Customer Support Executive
Customer Support Department
World Online (TM)
E-mail: alirizvi@khi.wol.net.pk
================================

Post by crazy_frog » Mon Dec 19, 2005 11:19 pm

Dear syedali999,

You have been a great help to me. Thank you for your help. I will try your script and see whether it works or not. I will get back to you for further help if needed. 8)
Hâve á nice day !!

Re:

Post by LinuxFreaK » Tue Dec 20, 2005 9:09 am

Dear syedali999,
Salam,

syedali999 wrote:

Code:

#!/bin/sh
# Every 60 seconds, ping each monitored IP. After two failed pings in a
# row, add a NAT rule that redirects port 80 to squid on local port 3128.

while sleep 60
do
  for ip in 123.123.123.123 111.111.111.111
  do
    # -W 2 waits at most 2 seconds for a reply (on Linux, -t sets the TTL)
    if ping -c 1 -W 2 "$ip" >/dev/null
    then
      echo "$ip ok"
    else
      echo "$ip dropped one"
      sleep 10
      if ! ping -c 1 -W 2 "$ip" >/dev/null
      then
        echo "$ip dropped two, Changing Route"
        echo "could not ping $ip"
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
        echo "Route Changed Successfully"
      fi
    fi
  done
done 2>&1


There is a mistake in your script. If the 2nd IP is not pinging, then it should try to ping the 1st IP, and if it gets a response then change the route to the 1st IP; otherwise do nothing, because it's a network failure :) And BTW, it does not change the route ;)

# man route

BTW, is there any difference in this command?

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Best Regards.
Farrukh Ahmed

Re:

Post by syedali999 » Tue Dec 20, 2005 7:12 pm

LinuxFreaK wrote:
Dear syedali999,
Salam,
There is a mistake in your script. If the 2nd IP is not pinging, then it should try to ping the 1st IP, and if it gets a response then change the route to the 1st IP; otherwise do nothing, because it's a network failure :) And BTW, it does not change the route ;)

# man route

BTW, is there any difference in this command?

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Best Regards.


Hi Farrukh,
Nice to see you. I was really waiting for you to check this script,
as I mentioned earlier about contacting you.
Hmm....
I was not trying to change the route. I was trying to redirect packets to squid through iptables.

Let me give you the theory so you can help us.

The scenario is something like this:

client -> Firewall (I assume squid is here) -> ISA -> ISP -> IP ADDRESS

If the ISA server is up, then the firewall doesn't redirect packets to the local system on port 3128 to squid. It redirects packets to the ISA server. That's all.
(This setting must be done manually.)

Now let's say squid also has a modem and a connection to the Internet.
If the ISA server goes down for any reason and the script can't get a ping response, then it will flush the iptables rules and create new rules which forward requests to the local system, and squid proxies them through the modem to the Internet.

First I try to ping both the primary and secondary DNS servers at the same ISP (if they allow it). I ping both because the primary server could be down. If it gets a response, then it exits the script.

Otherwise it tries again, and if it fails again then it will do what I said above.

Whenever ISA becomes available, you can run another script which again flushes the rules and sets new rules to redirect all packets to ISA.

Maybe I misunderstood, or I am unable to explain my concept.
But as you have seen above, I mentioned that I am not very familiar with bash...
and there is also a theoretical outline of the script mentioned above.



S. Rizvi
====================
Customer Support Executive
Customer Support Department
World Online(TM)
Cybersoft Technologies Inc.
====================

hi

Post by syedali999 » Tue Dec 20, 2005 7:42 pm

Hi Farrukh,
Sorry, I mistakenly echoed "Route changed" :oops:
It is just to confirm to you that iptables has been flushed and the new rules are set up successfully.

Re:

Post by LinuxFreaK » Wed Dec 21, 2005 9:31 am

Dear syedali999,
Salam,

syedali999 wrote:
Sorry, I mistakenly echoed "Route changed" :oops: It is just to confirm to you that iptables has been flushed and the new rules are set up successfully.


I have not seen flush rules in your script.

Best Regards.
Farrukh Ahmed

Re:

Post by syedali999 » Wed Dec 21, 2005 4:38 pm

LinuxFreaK wrote:
Dear syedali999,
Salam,

syedali999 wrote:
Sorry, I mistakenly echoed "Route changed" :oops: It is just to confirm to you that iptables has been flushed and the new rules are set up successfully.


I have not seen flush rules in your script.

Best Regards.


Oh my dear,
it is just a theory; he can add as many rules as he wants. Maybe he wants to add shutdown -h now :lol:

Post by crazy_frog » Wed Dec 21, 2005 5:09 pm

:lol: no shutdowns yet ....

Anyway, what would you suggest, LinuxFreak .... How should it be done? ... How to flush the entries?

Thank You.
Hâve á nice day !!

Re:

Post by LinuxFreaK » Wed Dec 21, 2005 9:48 pm

Dear crazy_frog,
Salam,

crazy_frog wrote:
:lol: no shutdowns yet ....

Anyway, what would you suggest, LinuxFreak .... How should it be done? ... How to flush the entries?


To flush:

# iptables -F

To remove user-defined chains:

# iptables -X

# iptables -X

Best Regards.
Farrukh Ahmed
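
The failover this thread works toward (probe ISA, tell an ISA failure from a link failure, then swap the redirect rule) can be written as one cron-driven script. This is an added example, not code posted by anyone in the thread. It assumes the firewall box also runs squid on port 3128 as in the thread, that the ISA listener on the assumed port 8080 accepts redirected port-80 traffic, and it uses hypothetical names for the chain, state file and ISP-side address.

```shell
#!/bin/sh
# Added example, not code from the thread. The ISA address and port 3128 come
# from the thread; ISA_PORT, UPSTREAM, CHAIN and STATE are assumed values.
ISA=10.1.28.126; ISA_PORT=8080; SQUID_PORT=3128
UPSTREAM=192.0.2.1            # placeholder: an IP at the ISP end of the link
CHAIN=PROXY_FAILOVER          # dedicated nat chain, created once by hand:
#   iptables -t nat -N PROXY_FAILOVER
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j PROXY_FAILOVER
STATE=${STATE:-/var/run/proxy_failover.state}

# Two attempts 10 s apart; -W 2 is a 2 s reply timeout (Linux ping).
alive() {
  ping -c 1 -W 2 "$1" >/dev/null 2>&1 && return 0
  sleep 10
  ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# decide ISA_OK UPSTREAM_OK CURRENT: print the target to use (1 = reachable).
decide() {
  if [ "$1" = 1 ]; then echo isa        # ISA answers: use it
  elif [ "$2" = 1 ]; then echo squid    # ISA down, link up: fail over
  else echo "$3"                        # both down: network failure, no change
  fi
}

# Print the commands that point CHAIN at a target. Only this chain is flushed:
# a bare "iptables -F" empties the filter table and leaves nat rules in place.
rules_for() {
  echo "iptables -t nat -F $CHAIN"
  case "$1" in
    isa)   echo "iptables -t nat -A $CHAIN -p tcp --dport 80 -j DNAT --to-destination $ISA:$ISA_PORT" ;;
    squid) echo "iptables -t nat -A $CHAIN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT" ;;
  esac
}

# One cron run: probe, decide, and change iptables only when the target changes.
run_once() {
  current=$(cat "$STATE" 2>/dev/null || echo isa)
  isa_ok=0; up_ok=0
  alive "$ISA" && isa_ok=1
  [ "$isa_ok" = 1 ] || { alive "$UPSTREAM" && up_ok=1; }
  target=$(decide "$isa_ok" "$up_ok" "$current")
  [ "$target" = "$current" ] && return 0
  rules_for "$target" | sh -e || return 1
  echo "$target" >"$STATE"
  logger -t proxy_failover "switched $current -> $target"
}

# "live" applies changes (needs root); otherwise just print the failover rules.
if [ "${1:-}" = live ]; then run_once; else rules_for squid; fi
```

Run without arguments, the script only prints the two commands a failover would execute; run from root's crontab every 5 minutes with the `live` argument, it applies a change only when the target differs from the saved state, so rules are never appended twice.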

