[squid-users] TProxy Issues from Jamie Orzechowski on 2009-03-05 (squid-users)

From: Jamie Orzechowski <admin_at_ripnet.com>
Date: Thu, 05 Mar 2009 07:57:29 -0500

I am trying to get TProxy setup and running on a Linux based squid box.

I have compiled a custom kernel with the following options (2.6.28.7)

NETFILTER_TPROXY=y
NETFILTER_XT_MATCH_SOCKET=y
NETFILTER_XT_TARGET_TPROXY=y

I have also installed the latest iptables
root_at_cache-01:/var/log/squid3# iptables -V
iptables v1.4.3-rc1

And compiled squid 3.1.0.6

Squid Cache: Version 3.1.0.6
configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man'
'--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking'
'--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline'
'--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--with-filedescriptors=65536'
'--with-default-user=proxy' '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.6
--enable-ltdl-convenience

My NAT Rules are as follows

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

My Squid config shows

http_port 3128
http_port 3129 tproxy

If I run a dmesg I see it loads the tproxy support

[ 15.339298] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.458549] NF_TPROXY: Transparent proxy support initialized, version
4.1.0
[ 15.458552] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
[ 15.510067] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)

A tcpdump shows http traffic hitting the box but nobody it able to surf.

Any ideas what could be wrong??

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=
Jamie Orzechowski - CCNA
RipNET Ltd. System/Network Administrator
Tel.: 613-342-3946 x294
THIS MESSAGE IS INTENDED ONLY FOR THE ADDRESSEE, 
IT MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION.  
ANY UNAUTHORIZED DISCLOSURE IS STRICTLY PROHIBITED.  
IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, 
PLEASE NOTIFY ME IMMEDIATELY SO THAT I MAY CORRECT MY 
INTERNAL RECORDS.  PLEASE THEN DELETE THE ORIGINAL MESSAGE.
=-=-=-=-=-=-=-=-=-=-=-=-=

Received on Thu Mar 05 2009 - 12:57:38 MST

This archive was generated by hypermail 2.2.0 : Wed Mar 11 2009 - 12:00:02 MDT