Jamie Orzechowski wrote:
> I am watching my counters and they do not appear to be incrementing but 
> tcpdump is showing a lot of traffic
Aha. That means something else in the firewall rules is catching or 
changing the traffic before it gets near the TPROXY rules.
Amos
> 
> Example
> 
> 10:42:02.348321 IP 66-78-113-55.access.ripnet.com.59690 > 
> www.11.07.facebook.com.www: S 341952050:341952050(0) win 65535 <mss 
> 1452,sackOK,eol>
> 10:42:02.358773 IP 66-78-110-135.access.ripnet.com.3743 > 
> 66.235.143.70.www: S 3961780886:3961780886(0) win 65535 <mss 
> 1452,nop,nop,sackOK>
> 10:42:02.359148 IP 66-78-124-223.access.ripnet.com.1123 > 
> 64.215.158.17.www: S 2435980027:2435980027(0) win 65535 <mss 
> 1452,nop,nop,sackOK>
> 
> 
> Amos Jeffries wrote:
>> Jamie Orzechowski wrote:
>>> I went from a standard transparent setup to tproxy.  Everything works 
>>> fine with the old transparent method so my ACLs are working.  My 
>>> customers are seeing nothing.  No squid errors on their browsers, it just 
>>> times out ... my access log does not grow.
>>> Amos Jeffries wrote:
>>>> Jamie Orzechowski wrote:
>>>>> I am trying to get TProxy setup and running on a Linux based squid 
>>>>> box.
>>>>>
>>>>> I have compiled a custom kernel with the following options (2.6.28.7)
>>>>>
>>>>> NETFILTER_TPROXY=y
>>>>> NETFILTER_XT_MATCH_SOCKET=y
>>>>> NETFILTER_XT_TARGET_TPROXY=y
>>>>>
>>>>> I have also installed the latest iptables
>>>>> root_at_cache-01:/var/log/squid3# iptables -V
>>>>> iptables v1.4.3-rc1
>>>>>
>>>>> And compiled squid 3.1.0.6
>>>>>
>>>>> Squid Cache: Version 3.1.0.6
>>>>> configure options:  '--prefix=/usr' '--includedir=/include' 
>>>>> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' 
>>>>> '--localstatedir=/var' '--libexecdir=/lib/squid3' 
>>>>> '--disable-maintainer-mode' '--disable-dependency-tracking' 
>>>>> '--srcdir=.' '--datadir=/usr/share/squid3' 
>>>>> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' 
>>>>> '--with-cppunit-basedir=/usr' '--enable-inline' 
>>>>> '--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd' 
>>>>> '--enable-removal-policies=lru,heap' '--enable-delay-pools' 
>>>>> '--enable-cache-digests' '--enable-underscores' 
>>>>> '--enable-icap-client' '--enable-follow-x-forwarded-for' 
>>>>> '--with-filedescriptors=65536' '--with-default-user=proxy' 
>>>>> '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.6 
>>>>> --enable-ltdl-convenience
>>>>>
>>>>> My NAT Rules are as follows
>>>>>
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>> /sbin/iptables -t mangle -N DIVERT
>>>>> /sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> /sbin/iptables -t mangle -A DIVERT -j ACCEPT
>>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY 
>>>>> --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>
>>>>> My Squid config shows
>>>>>
>>>>> http_port 3128
>>>>> http_port 3129 tproxy
>>>>>
>>>>> If I run a dmesg I see it loads the tproxy support
>>>>>
>>>>> [   15.339298] ip_tables: (C) 2000-2006 Netfilter Core Team
>>>>> [   15.458549] NF_TPROXY: Transparent proxy support initialized, 
>>>>> version 4.1.0
>>>>> [   15.458552] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>>>>> [   15.510067] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
>>>>>
>>>>> A tcpdump shows http traffic hitting the box but nobody is able to 
>>>>> surf.
>>>>>
>>>>> Any ideas what could be wrong??
>>>>>
>>>>
>>>> Not from what you have said so far. It all looks correct according 
>>>> to current knowledge.
>>>>
>>>> Have you remembered to set the Squid ACLs to permit the local 
>>>> network ranges properly?
>>>>
>>>> Is there any trace in the squid logs? And what exactly are the users 
>>>> seeing?
>>>>
>>>> Amos
>>>
>>
>> Further stuff to check:
>>
>>  - when traffic hits the box, are the iptables counters growing?
>>
>>  - when the TPROXY chain grows, does it hit squid?
>>
>>  - when traffic hits squid, what's squid doing (raise debug_options 
>> ALL,5 6,1 20,1 to see)
>>
>>  - if it's getting through squid, is it leaving? (tcpdump trace)
>>
>>  - when traffic leaves, and what if anything is getting back?
>>
>> Some of this is very low-level to trace. Some of it is data-wading.
>>
>> Amos
> 
-- 
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6

Received on Fri Mar 06 2009 - 01:24:42 MST
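A small helper for the first item on the checklist above (are the iptables counters growing?), added here and not part of the thread: it parses two `iptables -t mangle -L PREROUTING -v -n -x` snapshots taken before and after generating client traffic and reports whether the TPROXY rule fired, an earlier rule took the packets, the packets fell through to the chain policy, or the chain was never reached. The snapshots and their numbers are constructed; the rule layout assumes the DIVERT/TPROXY chain from the original post.

```python
import re
# Constructed (hypothetical) `iptables -t mangle -L PREROUTING -v -n -x` snapshots taken
# before and after a client opens a few port-80 connections through the box.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 1000 packets, 80000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100     6000 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
       0        0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""
AFTER = BEFORE.replace("1000 packets, 80000 bytes", "1530 packets, 122400 bytes")

# Chain header (policy counter = packets that matched no rule) and one rule row:
# pkts bytes target prot opt in out source destination [match/target options]
POLICY_RE = re.compile(r"^Chain \S+ \(policy \S+ (\d+) packets, (\d+) bytes\)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+\S+){5}\s*(.*)$")

def parse_chain(listing):
    """Return (policy_pkts or None, [(target, options, pkts), ...]) in rule order."""
    policy_pkts, rules = None, []
    for line in listing.splitlines():
        pol, rule = POLICY_RE.match(line), RULE_RE.match(line)
        if pol:
            policy_pkts = int(pol.group(1))
        elif rule:
            rules.append((rule.group(3), rule.group(5).strip(), int(rule.group(1))))
    return policy_pkts, rules

def counter_deltas(before, after):
    """Packet growth per rule between two snapshots, plus growth of the fall-through counter."""
    pol_b, rules_b = parse_chain(before)
    pol_a, rules_a = parse_chain(after)
    if [r[:2] for r in rules_b] != [r[:2] for r in rules_a]:
        raise ValueError("rule set changed between snapshots; resample")
    deltas = [(t, o, pa - pb) for (t, o, pb), (_, _, pa) in zip(rules_b, rules_a)]
    policy_delta = None if None in (pol_b, pol_a) else pol_a - pol_b
    return policy_delta, deltas

def diagnose(before, after):
    """Map the deltas onto the checklist: which rule, if any, is taking the packets first?"""
    policy_delta, deltas = counter_deltas(before, after)
    hits = [target for target, _, n in deltas if n > 0]
    if "TPROXY" in hits:
        return "tproxy-matching"            # next: is Squid accepting on the tproxy port?
    if hits:
        return "caught-earlier:" + hits[0]  # an earlier rule takes the packets first
    if policy_delta:
        return "chain-fallthrough"          # packets enter the chain but match no rule
    return "chain-not-reached"              # packets never enter this chain; look before it
```

For the constructed snapshots `diagnose(BEFORE, AFTER)` returns `chain-fallthrough`: the port-80 packets traverse mangle PREROUTING but match neither rule, which points at the rule matches rather than at something ahead of the chain.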