RE: FW: [squid-users] Tproxy Help // Transparent works fine

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Jun 2009 15:51:01 +1200

On Wed, 17 Jun 2009 10:28:35 -0700, "Alexandre DeAraujo" <alexd_at_cal.net> wrote:
>> Does access.log say anything is arriving at Squid?
>> Are you able to track the packets anywhere else?
>>
>> Amos
>
> Once the client tries to browse, the connection times out after 100-150
> seconds and displays the error page:
> The following error was encountered while trying to retrieve the URL:
> http://www.msn.com/
> Connection to 207.68.172.246 failed.
> The system returned: (110) Connection timed out
> The remote host or network may be down. Please try the request again.
>
> ...and the following message will show in the access.log (at the same time as
> the timeout page is shown in the browser)
> 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET
> http://www.msn.com/ - DIRECT/207.68.173.76 text/html
> 1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET
> http://www.msn.com/ - DIRECT/207.68.173.76 text/html
> Nothing else will show in the access.log from the moment that the client
> tries to browse.
>
> The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is
> everything from the time the client tries to browse to when the connection
> times out
> client ip = 192.168.10.3
> squid ip = 192.168.20.10
> msn.com ip = 207.68.172.246
>
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP
> SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP
> SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP
> SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1

... show several packets where the client is connecting straight to the squid IP as
a regular proxy!!

(I assume squid handles the requests and spoofs the client IP:
192.168.10.3->207.68.172.246)

> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP
> SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP
> SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

... router catches packets between 192.168.10.3->207.68.172.246 and sends
them to Squid for handling...

(I assume squid handles the requests and spoofs the client IP:
192.168.10.3->207.68.172.246)

> Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP
> SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
> Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3
> DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP
> SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1

... router catches packets between 192.168.10.3->207.68.172.246 and sends
them to Squid for handling...

... IF my assumption about where each of those packets is originating is
true. It seems like a triangle of doom.

IMO Squid needs to be given a dedicated _interface_ on the router. And any
packets coming from that _interface_ be exempted from WCCP route-back.

Amos
Received on Thu Jun 18 2009 - 03:51:05 MDT
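The loop Amos reads out of the iptables LOG lines above has a signature that can be checked mechanically: on the WCCP redirect interface, one client source address shows up with two different IP TTLs (127 on the packets it sends to Squid on 3128, 63 on the SYN toward the origin server), and that SYN is followed by an RST on the same 4-tuple. The script below is an added example, not code from the thread or from the Squid project. It parses iptables LOG lines and flags flows that match that pattern; the sample log lines are constructed from the packet shapes quoted in the thread, and the interface name `wccp2`, the proxy address `192.168.20.10` and port `3128` are taken from it as assumptions about the reporter's setup.

```python
import re

# Constructed sample built from the packet shapes quoted in the thread:
# client -> Squid:3128 with TTL 127, a SYN to the origin server carrying the
# client's address but TTL 63, and the RST on the same 4-tuple that follows.
SAMPLE_LOG = [
    "Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 "
    "WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1",
    "Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 "
    "WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1",
    "Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 "
    "LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 "
    "WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1",
    "Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1",
    "Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 "
    "WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1",
]

TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}
KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one iptables LOG line into a dict, or None if it is not one.

    key=value pairs become dict entries (numeric ones are converted); the bare
    TCP flag tokens (SYN, ACK, RST, ...) are collected into rec["flags"].
    """
    if "IN=" not in line or "PROTO=" not in line:
        return None
    rec = dict(KEY_VALUE.findall(line))
    rec["flags"] = frozenset(set(line.split()) & TCP_FLAGS)
    for key in ("TTL", "SPT", "DPT", "WINDOW", "LEN"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def find_route_back_loops(lines, wccp_if, proxy_ip, proxy_port):
    """Flag flows on the redirect interface that look like the loop in the thread.

    Baseline: the TTLs each source uses when talking to the proxy port itself.
    A bare SYN from that same source toward any other destination that carries
    a TTL not in the baseline means the redirect caught a packet the proxy sent
    with the client's address, not one the client sent.  An RST on the same
    4-tuple is recorded as corroboration.
    """
    recs = [r for r in map(parse_line, lines)
            if r and r.get("IN") == wccp_if and r.get("PROTO") == "TCP"]

    client_ttls = {}
    for r in recs:
        if r["DST"] == proxy_ip and r["DPT"] == proxy_port:
            client_ttls.setdefault(r["SRC"], set()).add(r["TTL"])

    findings = []
    for r in recs:
        is_bare_syn = "SYN" in r["flags"] and "ACK" not in r["flags"]
        if not is_bare_syn or r["DST"] == proxy_ip:
            continue
        baseline = client_ttls.get(r["SRC"])
        if not baseline or r["TTL"] in baseline:
            continue
        rst_seen = any(
            "RST" in o["flags"] and (o["SRC"], o["DST"], o["SPT"], o["DPT"])
            == (r["SRC"], r["DST"], r["SPT"], r["DPT"])
            for o in recs)
        findings.append({
            "src": r["SRC"], "dst": r["DST"], "sport": r["SPT"], "dport": r["DPT"],
            "ttl": r["TTL"], "client_ttls": sorted(baseline), "rst_seen": rst_seen,
        })
    return findings


if __name__ == "__main__":
    for hit in find_route_back_loops(SAMPLE_LOG, "wccp2", "192.168.20.10", 3128):
        print("possible WCCP route-back loop:", hit)
```

Run it against a real `dmesg` or `/var/log/kern.log` extract by replacing SAMPLE_LOG with the file's lines; a non-empty result is the case Amos describes, where the remedy is to keep Squid's outbound traffic off the interface the router redirects from.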
