Re: [squid-users] Transparent Proxy stops working after time (fixed)

From: E Roberts <eroberts-squid@dont-contact.us>
Date: Thu, 25 Mar 2004 14:17:00 -0500

After some looking around, thanks to Denis, I found the exact problem on the
netfilter bugzilla list. Here is the link to the exact bug if anyone else
has this problem now or in the future. Thank you for your help.

https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=56

On Thu, 25 Mar 2004 16:35:24 +0200, Denis Vlasenko
<vda@port.imtp.ilyichevsk.odessa.ua> wrote:

> On Thursday 25 March 2004 08:44, E Roberts wrote:
>> I have come across a strange problem: after what could be days, hours or
>> even 10 minutes, my transparent proxy will just stop working. I have tried
>
> tcpdump of this? What _exactly_ is not happening anymore?
>
>> to restart squid, flush and reset my firewall rules, restart NoCatAuth,
>> and in the end the only thing that will get this working again is a full
>> reboot.
>
>> The setup I'm using is this:
>>
>> Slackware linux
>> kernel 2.4.20
>
> There are bugs in 2.4.20 iptables. Upgrade to latest and retest.
>
>> Squid 2.5.STABLE4
>> iptables v1.2.8
>>
>> My firewall rules seem to be unchanged when this takes effect, here is the
>> part for the transparent proxy:
>>
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>> REDIRECT tcp -- 192.168.0.0/16 <ip removed> MARK match 0x4 tcp dpt:http redir ports 8080
>> REDIRECT tcp -- 192.168.0.0/16 anywhere MARK match 0x3 tcp dpt:http redir ports 8080
>> REDIRECT tcp -- 192.168.0.0/16 anywhere MARK match 0x2 tcp dpt:http redir ports 8080
>> REDIRECT tcp -- 192.168.0.0/16 anywhere MARK match 0x1 tcp dpt:http redir ports 8080
>> ACCEPT all -- 10.0.0.0/8 anywhere
>> ACCEPT all -- 1.0.0.0/8 anywhere
>> NoCat_Capture all -- anywhere anywhere
>> DROP tcp -- !localhost anywhere tcp dpt:8080
>>
>> What is strange is that the sibling proxies are still able to use this as
>> their parent, and if you connect to port 8080 directly it will work (of
>> course this is without the above DROP being in the rules).
>>
>> I figure this might be an iptables issue but hope to see if anyone has had
>> this issue or could point me in the correct location.
>>
>> Regards
> --
> vda
>
>
Received on Thu Mar 25 2004 - 12:16:50 MST
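The quoted PREROUTING chain rebuilt as iptables commands, with the per-rule counter and tcpdump check Denis asked for, as an added example that is not part of the thread or of Squid/NoCatAuth; LAN_NET, SQUID_PORT, the fwmark values, and the WAN_IP/LAN_IF placeholders are assumptions taken from or substituted for the listing above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid/netfilter. It rebuilds
# the quoted PREROUTING chain as iptables commands and adds the counter and
# tcpdump check Denis asked for. Assumptions: LAN is 192.168.0.0/16, Squid
# listens on 8080, fwmarks 0x1..0x4 are set earlier (e.g. by NoCatAuth) in
# the mangle table, and WAN_IP / LAN_IF are placeholders for the removed values.
LAN_NET="192.168.0.0/16"
SQUID_PORT="8080"
WAN_IP="${WAN_IP:-198.51.100.1}"   # placeholder for "<ip removed>"
LAN_IF="${LAN_IF:-eth0}"
IPT="${IPT:-iptables}"             # set IPT=echo for a dry run that only prints

# One REDIRECT per fwmark; only the 0x4 rule is pinned to the WAN address,
# exactly as in the quoted listing. $1 = mark, $2 = optional "-d <addr>".
redirect_rule() {
  $IPT -t nat -A PREROUTING -p tcp -s "$LAN_NET" $2 --dport 80 \
       -m mark --mark "$1" -j REDIRECT --to-ports "$SQUID_PORT"
}

proxy_rules() {
  redirect_rule 0x4 "-d $WAN_IP"
  redirect_rule 0x3 ""
  redirect_rule 0x2 ""
  redirect_rule 0x1 ""
  $IPT -t nat -A PREROUTING -s 10.0.0.0/8 -j ACCEPT
  $IPT -t nat -A PREROUTING -s 1.0.0.0/8 -j ACCEPT
  $IPT -t nat -A PREROUTING -j NoCat_Capture   # chain created by NoCatAuth
  # Only the box itself may reach the proxy port directly; everything else
  # must arrive via REDIRECT. Modern "! -s" syntax (iptables 1.2.8 used "-s !").
  $IPT -t nat -A PREROUTING -p tcp ! -s 127.0.0.1 --dport "$SQUID_PORT" -j DROP
}

# Per-rule packet counters next to what is on the wire: if LAN port-80 SYNs
# keep arriving but the REDIRECT counters stop moving, the rules no longer
# match and the fault is in netfilter, not in Squid or the firewall script.
diagnose() {
  $IPT -t nat -L PREROUTING -v -n -x
  tcpdump -ni "$LAN_IF" -c 20 \
    "tcp[tcpflags] & tcp-syn != 0 and (dst port 80 or dst port $SQUID_PORT)"
}

case "${1:-}" in
  apply)    proxy_rules ;;
  dry-run)  IPT=echo; proxy_rules ;;
  diagnose) diagnose ;;
esac
```

Run `sh proxy.sh dry-run` to see the commands without touching the firewall, `apply` as root to load them, and `diagnose` while the proxy is in its broken state.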

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:03 MST