Re: [squid-users] TProxy Issues

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 06 Mar 2009 04:01:53 +1300

Jamie Orzechowski wrote:
> I went from a standard transparent setup to tproxy. Everything works
> fine with the old transparent method so my ACLs are working. My
> customers are seeing nothing. No squid errors on their browsers, it just
> times out ... my access log does not grow.
> Amos Jeffries wrote:
>> Jamie Orzechowski wrote:
>>> I am trying to get TProxy setup and running on a Linux based squid box.
>>>
>>> I have compiled a custom kernel with the following options (2.6.28.7)
>>>
>>> NETFILTER_TPROXY=y
>>> NETFILTER_XT_MATCH_SOCKET=y
>>> NETFILTER_XT_TARGET_TPROXY=y
>>>
>>> I have also installed the latest iptables
>>> root_at_cache-01:/var/log/squid3# iptables -V
>>> iptables v1.4.3-rc1
>>>
>>> And compiled squid 3.1.0.6
>>>
>>> Squid Cache: Version 3.1.0.6
>>> configure options: '--prefix=/usr' '--includedir=/include'
>>> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
>>> '--localstatedir=/var' '--libexecdir=/lib/squid3'
>>> '--disable-maintainer-mode' '--disable-dependency-tracking'
>>> '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
>>> '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
>>> '--enable-inline' '--enable-async-io=32'
>>> '--enable-storeio=ufs,aufs,diskd'
>>> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
>>> '--enable-cache-digests' '--enable-underscores'
>>> '--enable-icap-client' '--enable-follow-x-forwarded-for'
>>> '--with-filedescriptors=65536' '--with-default-user=proxy'
>>> '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.6
>>> --enable-ltdl-convenience
>>>
>>> My NAT Rules are as follows
>>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> /sbin/iptables -t mangle -N DIVERT
>>> /sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> /sbin/iptables -t mangle -A DIVERT -j ACCEPT
>>> /sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>>> --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> My Squid config shows
>>>
>>> http_port 3128
>>> http_port 3129 tproxy
>>>
>>> If I run a dmesg I see it loads the tproxy support
>>>
>>> [ 15.339298] ip_tables: (C) 2000-2006 Netfilter Core Team
>>> [ 15.458549] NF_TPROXY: Transparent proxy support initialized,
>>> version 4.1.0
>>> [ 15.458552] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>>> [ 15.510067] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
>>>
>>> A tcpdump shows http traffic hitting the box but nobody is able to surf.
>>>
>>> Any ideas what could be wrong??
>>>
>>
>> Not from what you have said so far. It all looks correct according to
>> current knowledge.
>>
>> Have you remembered to set the Squid ACLs to permit the local network
>> ranges properly?
>>
>> Is there any trace in the squid logs? And what exactly are the users
>> seeing?
>>
>> Amos
>

Further stuff to check:

  - when traffic hits the box. are the iptables counters growing?

  - when the TPROXY chain grows, does it hit squid?

  - when traffic hits squid, what's squid doing (raise debug_options
ALL,5 6,1 20,1 to see)

  - if it's getting through squid, is it leaving? (tcpdump trace)

  - when traffic leaves, what, if anything, is getting back?

Some of this is very low-level to trace. Some of it is data-wading.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Thu Mar 05 2009 - 15:01:27 MST

This archive was generated by hypermail 2.2.0 : Thu Mar 05 2009 - 12:00:02 MST
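The checklist in Amos's reply, turned into a script that reads each check's command output and stops at the first step that fails. This is an added example written for this page, not code from the thread or from the Squid project. It runs offline on constructed sample output: the SAMPLE_* strings stand in for `iptables -t mangle -L PREROUTING -v -n -x` taken twice a few seconds apart, `ip rule show`, `ip route show table 100` and `netstat -lnt`, and the routing table number (100) and the netstat column layout are assumptions. One step goes beyond what the thread says: a TPROXY setup also needs a policy-routing rule sending fwmark 0x1 packets to a table whose only route delivers everything locally, and the poster's rule list does not show that half, so the script treats its absence as a failing step.

```shell
#!/usr/bin/env bash
# Added example (not from the squid-users thread): walk the TPROXY checklist
# against captured command output. Replace the SAMPLE_* strings with live
# output on a real box; they are constructed stand-ins here.

# `iptables -t mangle -L PREROUTING -v -n -x`, two snapshots a few seconds apart.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 1200 packets, 90000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     340      27200 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
     120       7200 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 1450 packets, 105000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     340      27200 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
     175      10500 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'

# `ip rule show` with and without the fwmark rule, and `ip route show table 100`.
# Table 100 is an assumption (the usual choice); the thread does not name one.
SAMPLE_IP_RULE_OK='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_IP_RULE_MISSING='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE100_OK='local default dev lo scope host'

# `netstat -lnt` showing both http_port listeners from the posted squid.conf.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN'

# Sum the packet counter of every rule in a chain listing ($2) whose target is $1.
rule_pkts() {
    printf '%s\n' "$2" | awk -v t="$1" '$3 == t { s += $1 } END { print s + 0 }'
}

# Packets a target ($1) matched between two snapshots ($2 before, $3 after).
counter_delta() {
    echo $(( $(rule_pkts "$1" "$3") - $(rule_pkts "$1" "$2") ))
}

# Routing half of TPROXY present? $1 = `ip rule show`, $2 = `ip route show table 100`.
tproxy_routing_ok() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100' &&
    printf '%s\n' "$2" | grep -q '^local default dev lo'
}

# Something listening on the tproxy port? $1 = `netstat -lnt`, $2 = port.
listener_ok() {
    printf '%s\n' "$1" | grep -Eq "^tcp +[0-9]+ +[0-9]+ +[0-9.]+:$2 .*LISTEN"
}

# Run the checklist top to bottom on the samples; $1 = `ip rule show` output.
# Return codes: 0 all steps pass, 2 TPROXY rule never matched, 3 no listener,
# 4 fwmark routing missing, 5 marked packets never reach an established socket.
diagnose() {
    local tp dv
    tp=$(counter_delta TPROXY "$SAMPLE_BEFORE" "$SAMPLE_AFTER")
    dv=$(counter_delta DIVERT "$SAMPLE_BEFORE" "$SAMPLE_AFTER")
    if [ "$tp" -le 0 ]; then
        echo "TPROXY rule not matching: port-80 traffic is not being routed through this box"
        return 2
    fi
    echo "TPROXY rule matched $tp new packets"
    if ! listener_ok "$SAMPLE_NETSTAT" 3129; then
        echo "nothing listens on 3129: check 'http_port 3129 tproxy' and squid's cache.log"
        return 3
    fi
    if ! tproxy_routing_ok "$1" "$SAMPLE_TABLE100_OK"; then
        echo "marked packets have no local route: need 'ip rule add fwmark 1 lookup 100' and 'ip route add local 0.0.0.0/0 dev lo table 100'"
        return 4
    fi
    if [ "$dv" -le 0 ]; then
        # -m socket only matches once squid has an established socket for the flow,
        # so a flat DIVERT counter means no connection was ever accepted.
        echo "TPROXY marks packets but -m socket never matches: no connection is established; tcpdump the box and raise debug_options"
        return 5
    fi
    echo "established flows seen ($dv packets via DIVERT): read access.log, debug_options and the outbound tcpdump"
}

# Demonstration on the constructed samples, using the rule list without the fwmark rule.
diagnose "$SAMPLE_IP_RULE_MISSING" || true
```

Run on a live box, take the two iptables snapshots with a client request in between; the `-x` flag matters because without it iptables abbreviates counters ("12K"), which the awk sum would misread.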