Re: [squid-users] TProxy Issues

From: Jamie Orzechowski <admin_at_ripnet.com>
Date: Thu, 05 Mar 2009 10:48:50 -0500

I am watching my counters and they do not appear to be incrementing but
tcpdump is showing a lot of traffic

Example

10:42:02.348321 IP 66-78-113-55.access.ripnet.com.59690 >
www.11.07.facebook.com.www: S 341952050:341952050(0) win 65535 <mss
1452,sackOK,eol>
10:42:02.358773 IP 66-78-110-135.access.ripnet.com.3743 >
66.235.143.70.www: S 3961780886:3961780886(0) win 65535 <mss
1452,nop,nop,sackOK>
10:42:02.359148 IP 66-78-124-223.access.ripnet.com.1123 >
64.215.158.17.www: S 2435980027:2435980027(0) win 65535 <mss
1452,nop,nop,sackOK>

Amos Jeffries wrote:
> Jamie Orzechowski wrote:
>> I went from a standard transparent setup to tproxy. Everything works
>> fine with the old transparent method so my ACLs are working. My
>> customers are seeing nothing. No squid errors on their browsers, it just
>> times out ... my access log does not grow.
>> Amos Jeffries wrote:
>>> Jamie Orzechowski wrote:
>>>> I am trying to get TProxy setup and running on a Linux based squid
>>>> box.
>>>>
>>>> I have compiled a custom kernel with the following options (2.6.28.7)
>>>>
>>>> NETFILTER_TPROXY=y
>>>> NETFILTER_XT_MATCH_SOCKET=y
>>>> NETFILTER_XT_TARGET_TPROXY=y
>>>>
>>>> I have also installed the latest iptables
>>>> root_at_cache-01:/var/log/squid3# iptables -V
>>>> iptables v1.4.3-rc1
>>>>
>>>> And compiled squid 3.1.0.6
>>>>
>>>> Squid Cache: Version 3.1.0.6
>>>> configure options: '--prefix=/usr' '--includedir=/include'
>>>> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
>>>> '--localstatedir=/var' '--libexecdir=/lib/squid3'
>>>> '--disable-maintainer-mode' '--disable-dependency-tracking'
>>>> '--srcdir=.' '--datadir=/usr/share/squid3'
>>>> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
>>>> '--with-cppunit-basedir=/usr' '--enable-inline'
>>>> '--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd'
>>>> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
>>>> '--enable-cache-digests' '--enable-underscores'
>>>> '--enable-icap-client' '--enable-follow-x-forwarded-for'
>>>> '--with-filedescriptors=65536' '--with-default-user=proxy'
>>>> '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.6
>>>> --enable-ltdl-convenience
>>>>
>>>> My NAT Rules are as follows
>>>>
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> /sbin/iptables -t mangle -N DIVERT
>>>> /sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> /sbin/iptables -t mangle -A DIVERT -j ACCEPT
>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>>>> --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> My Squid config shows
>>>>
>>>> http_port 3128
>>>> http_port 3129 tproxy
>>>>
>>>> If I run a dmesg I see it loads the tproxy support
>>>>
>>>> [ 15.339298] ip_tables: (C) 2000-2006 Netfilter Core Team
>>>> [ 15.458549] NF_TPROXY: Transparent proxy support initialized,
>>>> version 4.1.0
>>>> [ 15.458552] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>>>> [ 15.510067] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
>>>>
>>>> A tcpdump shows http traffic hitting the box but nobody is able to
>>>> surf.
>>>>
>>>> Any ideas what could be wrong??
>>>>
>>>
>>> Not from what you have said so far. It all looks correct according
>>> to current knowledge.
>>>
>>> Have you remembered to set the Squid ACLs to permit the local
>>> network ranges properly?
>>>
>>> Is there any trace in the squid logs? And what exactly are the users
>>> seeing?
>>>
>>> Amos
>>
>
> Further stuff to check:
>
> - when traffic hits the box. are the iptables counters growing?
>
> - when TPROXY chain grows, does it hit squid?
>
> - when traffic hits squid, what's squid doing (raise debug_options
> ALL,5 6,1 20,1 to see)
>
> - if it's getting through squid, is it leaving? (tcpdump trace)
>
> - when traffic leaves, and what if anything is getting back?
>
> some of this is very low-level to trace. Some of it is data-wading.
>
> Amos

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=
Jamie Orzechowski - CCNA
RipNET Ltd. System/Network Administrator
Tel.: 613-342-3946 x294
THIS MESSAGE IS INTENDED ONLY FOR THE ADDRESSEE, 
IT MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION.  
ANY UNAUTHORIZED DISCLOSURE IS STRICTLY PROHIBITED.  
IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, 
PLEASE NOTIFY ME IMMEDIATELY SO THAT I MAY CORRECT MY 
INTERNAL RECORDS.  PLEASE THEN DELETE THE ORIGINAL MESSAGE.
=-=-=-=-=-=-=-=-=-=-=-=-= 
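[Editor's note, added to the archived thread; this is not code from either poster.] The first two items in Amos's checklist (are the iptables counters growing, and is the TPROXY'd traffic reaching a local socket?) can be answered mechanically by taking two snapshots of `iptables -t mangle -L PREROUTING -v -n -x` a few seconds apart and diffing the per-rule counters. The script below does that for the DIVERT/TPROXY layout quoted above. The two listings embedded in it are constructed for illustration (the column layout follows `iptables -L -v -n -x`, with -x giving exact rather than abbreviated counts), and the finding codes it returns are my own names, not iptables or Squid output. One caveat a practitioner would want: the standard TPROXY recipe (the Squid wiki's TPROXY page and the kernel's tproxy documentation) also needs `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100` so that packets marked by the TPROXY target are delivered to the local stack instead of being forwarded; the rules quoted in this thread do not show that step, and its absence produces exactly the pattern the socket check below flags (TPROXY matches SYNs, `-m socket` never matches anything).

```python
"""Diff two snapshots of `iptables -t mangle -L PREROUTING -v -n -x` to see
whether the DIVERT (-m socket) and TPROXY rules are matching traffic.
Added example; the snapshots are constructed, not captured from a real box."""
import re
from typing import Dict, List

# Chain header: built-in chains carry policy counters (packets that fell
# through every rule); user chains such as DIVERT only show a reference count.
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|\d+ references)\)"
)

# Constructed snapshot, ~10 seconds before AFTER.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 1200 packets, 96000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
     340    20400 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""

# Constructed snapshot: TPROXY keeps matching new SYNs, the socket rule never fires.
AFTER = """\
Chain PREROUTING (policy ACCEPT 1900 packets, 152000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
     512    30720 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""


def parse_chain(listing: str) -> Dict:
    """Parse one chain from `iptables -L <chain> -v -n -x` output."""
    chain = {"name": None, "policy_pkts": 0, "policy_bytes": 0, "rules": []}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain["name"] = m.group(1)
            if m.group(3):  # built-in chain with policy counters
                chain["policy_pkts"] = int(m.group(3))
                chain["policy_bytes"] = int(m.group(4))
            continue
        if line.startswith("pkts"):
            continue  # column header
        fields = line.split()
        chain["rules"].append({
            "pkts": int(fields[0]), "bytes": int(fields[1]), "target": fields[2],
            "spec": " ".join(fields[3:]),  # prot/in/out/src/dst plus match and target options
        })
    return chain


def counter_delta(before: Dict, after: Dict) -> Dict:
    """Per-rule counter growth between two snapshots of the same chain."""
    if [r["spec"] for r in before["rules"]] != [r["spec"] for r in after["rules"]]:
        raise ValueError("rule set changed between snapshots; compare like with like")
    return {
        "policy_pkts": after["policy_pkts"] - before["policy_pkts"],
        "rules": [
            {"target": a["target"], "spec": a["spec"],
             "pkts": a["pkts"] - b["pkts"], "bytes": a["bytes"] - b["bytes"]}
            for b, a in zip(before["rules"], after["rules"])
        ],
    }


def diagnose(before_listing: str, after_listing: str) -> List[str]:
    """Return finding codes (my own names) for the DIVERT/TPROXY layout."""
    d = counter_delta(parse_chain(before_listing), parse_chain(after_listing))
    tproxy = sum(r["pkts"] for r in d["rules"] if r["target"] == "TPROXY")
    socket_hits = sum(r["pkts"] for r in d["rules"] if "socket" in r["spec"].split())
    if tproxy == 0 and socket_hits == 0:
        if d["policy_pkts"] > 0:
            # Packets traversed PREROUTING but matched neither rule: check that
            # what tcpdump shows really is TCP to dport 80 on this path.
            return ["traffic_seen_but_no_rule_matched"]
        return ["no_traffic_in_prerouting"]  # tcpdump sees it, the mangle table does not
    if tproxy > 0 and socket_hits == 0:
        # TPROXY fires on SYNs, but later packets of those flows never find a
        # local socket, i.e. the proxy is not accepting the redirected connections
        # (marked packets not routed locally, or nothing listening on --on-port).
        return ["tproxy_matches_but_no_local_socket"]
    return ["ok"]


if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER))
```

On a real box, capture the two listings with the same command a few seconds apart and feed the file contents to `diagnose`; the "ok" result only says both rules are matching, so the remaining checklist items (Squid debug output, outbound tcpdump) still apply.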
Received on Thu Mar 05 2009 - 15:49:03 MST

This archive was generated by hypermail 2.2.0 : Fri Mar 06 2009 - 12:00:02 MST