Re: [squid-users] squid transparent proxy loop problem

From: Denis Vlasenko <vda@dont-contact.us>
Date: Mon, 20 Sep 2004 17:36:39 +0300

On Monday 20 September 2004 17:00, Thomas.Elsaesser@henkel.com wrote:
> Transparent proxy
>
>
> 172.17.248.48 - - [20/Sep/2004:14:51:32 +0200] "GET http://www.google.de:8080/ HTTP/1.1" 504 2415 TCP_MISS:NONE
>
> I have this log entry in my transp. proxy.
>
> I believe it's a loop.

Why do you believe it's a loop?
Please show tcpdumps. A loop will be visible on loopback
(tcpdump -nli lo).

> How can I change this??? Does anyone have a solution for me?
> squid listens on port 8080
> _________________________________
>
> iptables v1.2.11
>
> #iptables -t nat -nL
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- 0.0.0.0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Put your squid on port 12345, REDIRECT to 12345 instead of 8080.
However, I doubt it's a loop; I think REDIRECT never applies to
locally generated packets.

I keep this comment on top of my firewalling scripts:

### filter This is the default table (if no -t option is passed). It contains
### the built-in chains INPUT (for packets coming into the box itself),
### FORWARD (for packets being routed through the box), and OUTPUT (for
### locally-generated packets).
###
### nat This table is consulted when a packet that creates a new connection
### is encountered. It consists of three built-ins: PREROUTING (for
### altering packets as soon as they come in), OUTPUT (for altering
### locally-generated packets before routing), and POSTROUTING (for
### altering packets as they are about to go out).
###
### mangle It had two built-in chains: PREROUTING (for altering incoming
### packets before routing) and OUTPUT (for altering locally-generated
### packets before routing). Recently three other built-in
### chains have been added: INPUT (for packets coming into the box
### itself), FORWARD (for altering packets being routed through the
### box), and POSTROUTING (for altering packets as they are about to go
### out).
###
### ...iface...                                   ...iface...
###      |                                             ^
###      v                                             |
### -mangle,NAT-               -mangle,filter-   -mangle,NAT--
### |PREROUTING|-->[Routing]-->|FORWARD      |-->|POSTROUTING|
### ------------       |     ^ ---------------   -------------
###                    |     |                         ^
###                    |     +--if NATed-----------+   |
###                    v                           |   |
###             -mangle,filter-                 -mangle,NAT,filter-
###             |INPUT        |   +->[Routing]->|OUTPUT           |
###             ---------------   |             -------------------
###                    |          |
###                    v          |
###               ... Local Process...

--
vda
Received on Mon Sep 20 2004 - 12:36:49 MDT
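The point of the reply above is that nat PREROUTING is only traversed by packets that arrive on an interface, so a REDIRECT there can never catch squid's own upstream connections; the one place a self-redirect loop can actually be built is nat OUTPUT, which is the chain locally generated packets traverse. The script below is an added example written for this page, not a ruleset from the thread or from the Squid project. It assumes (none of which the thread states) that the LAN-facing interface is eth0, that squid runs as the unprivileged user "squid", and that the nat table is otherwise empty; the `! --uid-owner` placement is current iptables syntax (the iptables 1.2 series quoted in the thread put the `!` after the option name). `IPT=echo` turns the functions into a dry run that prints the rules instead of applying them, which is also how the check at the bottom is exercised.

```sh
#!/bin/sh
# Added example: loop-safe transparent-proxy NAT rules for a squid that
# listens on PROXY_PORT. Assumptions (not from the thread): LAN interface
# eth0, squid running as uid "squid". Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-8080}"
SQUID_USER="${SQUID_USER:-squid}"

# The rule the thread already has, restricted to the LAN interface.
# PREROUTING is traversed only by packets arriving on an interface, so
# squid's own outbound fetches (locally generated, OUTPUT path) never match
# it; this rule alone cannot produce a loop, whatever port squid uses.
nat_rules_prerouting() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Only needed if clients on the proxy box itself are to be intercepted too.
# Locally generated packets DO traverse nat OUTPUT, so a plain REDIRECT here
# would also catch squid's upstream connections to port 80 and bounce them
# back into squid (squid then sees its own Via header and reports a
# forwarding loop). The owner match excludes squid's uid; that exclusion is
# the whole loop protection, so it must not be dropped.
nat_rules_output() {
    $IPT -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$SQUID_USER" \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Audit helper: reads rules in iptables-save format on stdin and returns 0
# (true) if any nat OUTPUT REDIRECT rule lacks an owner exclusion, i.e. is
# the looping variant; returns 1 if every such rule carries --uid-owner or
# there is none. Usage: iptables-save -t nat | output_redirect_unsafe
output_redirect_unsafe() {
    grep -- '-A OUTPUT' | grep -- '-j REDIRECT' | grep -qv -- '--uid-owner'
}

# Apply both rule sets when run as a script (no-op under IPT=echo).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    nat_rules_prerouting
    nat_rules_output
fi
```

To verify that REDIRECT really is not looping on a live box, the tcpdump the reply asks for is the authoritative check: with only the PREROUTING rule in place, `tcpdump -nli lo port 8080` shows nothing when squid fetches an upstream page, and the `iptables-save` audit above should report no owner-less OUTPUT REDIRECT.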
