Re: [squid-users] TProxy Issues

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 06 Mar 2009 02:56:23 +1300

Jamie Orzechowski wrote:
> I am trying to get TProxy setup and running on a Linux based squid box.
>
> I have compiled a custom kernel with the following options (2.6.28.7)
>
> NETFILTER_TPROXY=y
> NETFILTER_XT_MATCH_SOCKET=y
> NETFILTER_XT_TARGET_TPROXY=y
>
> I have also installed the latest iptables
> root_at_cache-01:/var/log/squid3# iptables -V
> iptables v1.4.3-rc1
>
> And compiled squid 3.1.0.6
>
> Squid Cache: Version 3.1.0.6
> configure options: '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
> '--enable-inline' '--enable-async-io=32'
> '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
> '--enable-icap-client' '--enable-follow-x-forwarded-for'
> '--with-filedescriptors=65536' '--with-default-user=proxy'
> '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.6
> --enable-ltdl-convenience
>
> My NAT Rules are as follows
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables -t mangle -N DIVERT
> /sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
> /sbin/iptables -t mangle -A DIVERT -j ACCEPT
> /sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
>
> My Squid config shows
>
> http_port 3128
> http_port 3129 tproxy
>
> If I run a dmesg I see it loads the tproxy support
>
> [ 15.339298] ip_tables: (C) 2000-2006 Netfilter Core Team
> [ 15.458549] NF_TPROXY: Transparent proxy support initialized, version
> 4.1.0
> [ 15.458552] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
> [ 15.510067] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
>
> A tcpdump shows http traffic hitting the box but nobody is able to surf.
>
> Any ideas what could be wrong??
>

Not from what you have said so far. It all looks correct according to
current knowledge.

Have you remembered to set the Squid ACLs to permit the local network
ranges properly?

Is there any trace in the squid logs? And what exactly are the users seeing?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Thu Mar 05 2009 - 13:55:55 MST
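An added check, not from either poster: the iptables rules quoted above mark the intercepted packets but show no policy-routing step. On Linux, TPROXY only hands a marked packet to the local listening socket when an `ip rule` sends fwmark traffic to a routing table whose default route is `local` on `lo` (the kernel's Documentation/networking/tproxy.txt pairs the DIVERT chain with exactly those two `ip` commands). This script reads the output of `ip rule show` and `ip route show table N` and reports which of the two is absent; mark 1 and table 100 are assumptions, and the sample outputs in the comments are constructed.

```shell
#!/bin/sh
# Read-only check for the TPROXY policy-routing prerequisites.
# Assumed values (match the "--set-mark 1" in the quoted rules; the table
# number is an arbitrary choice):
MARK=1
TABLE=100

# has_fwmark_rule: given the text of `ip rule show`, succeed if some rule
# sends fwmark $MARK traffic to table $TABLE. Accepts "fwmark 0x1" and
# "fwmark 1", but not "fwmark 0x10" or "lookup 1000".
has_fwmark_rule() {
    printf '%s\n' "$1" |
        grep -Eq "fwmark (0x)?$MARK([[:space:]/]).*lookup $TABLE([[:space:]]|$)"
}

# has_local_route: given the text of `ip route show table $TABLE`, succeed
# if the table holds a catch-all "local" route on the loopback device
# (iproute2 prints it as "local default dev lo ..." or "local 0.0.0.0/0 ...").
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# check_tproxy_routing RULES ROUTES: prints what is present or missing and
# the command that would add each missing piece. Returns 0 only when both
# the rule and the route exist.
check_tproxy_routing() {
    rules="$1"; routes="$2"; rc=0
    if has_fwmark_rule "$rules"; then
        echo "ok: fwmark $MARK -> table $TABLE rule present"
    else
        echo "missing: ip rule add fwmark $MARK lookup $TABLE"; rc=1
    fi
    if has_local_route "$routes"; then
        echo "ok: local route in table $TABLE present"
    else
        echo "missing: ip route add local 0.0.0.0/0 dev lo table $TABLE"; rc=1
    fi
    return $rc
}

# On the proxy box itself (nothing is modified):
#   check_tproxy_routing "$(ip rule show)" "$(ip route show table $TABLE)"
# Constructed sample of a correct setup:
#   ip rule show           -> "32765: from all fwmark 0x1 lookup 100"
#   ip route show table 100 -> "local default dev lo scope host"
```

If both lines report "missing", marked packets have no local route to the Squid socket, which matches the symptom of traffic arriving on the box without any client getting a page; run the printed commands and re-check before looking further at the Squid ACLs.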

This archive was generated by hypermail 2.2.0 : Thu Mar 05 2009 - 12:00:02 MST