[squid-users] Problem with options tproxy in squid 3.0

From: Roman <roman_at_snaiper.net>
Date: Wed, 7 Oct 2009 09:02:48 +0200

I reinstalled the whole system:

cat /etc/issue
Debian GNU/Linux squeeze/sid \n \l

dmesg |grep TPROXY
[ 282.772198] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[ 282.772205] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

uname -a
Linux ips-proxy1 2.6.30-1-686-bigmem #1 SMP Sat Aug 15 20:10:47 UTC 2009 i686 GNU/Linux

without any patches

iptables -V
iptables v1.4.4

I installed squid from experimental:

Squid Cache: Version 3.1.0.14
configure options: '--build=i486-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--disable-translation'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu' 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS='
'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2'
'FFLAGS=-g -O2' --with-squid=/home/luigi/debian/squid3/build-area/squid3-3.1.0.14
 --enable-ltdl-convenience

My firewall rules:

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT --log
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port 3129

echo 1 > /proc/sys/net/ipv4/ip_forward

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

cd /proc/sys/net/bridge/
for i in *
do
  echo 0 > $i
done
unset i

ip ro flu ca

My network configuration:

Client (192.115.188.100)--->eth0 Squid in bridge (192.115.188.99) eth1--->Internet

In the squid log:

2009/10/06 15:35:58.385| AcceptFD::acceptOne accepted: FD 15 newfd: 17 from: 192.115.188.100:3556 handler: SomeCommAcceptHandler(FD -1, data=0xa331b18)
2009/10/06 15:35:58.386| IpIntercept.cc(381) NatLookup: address BEGIN: me= 72.233.89.200:80, client= 72.233.89.200:80, dst= 192.115.188.100:3556, peer= 192.115.188.100:3556
2009/10/06 15:35:58.386| IpIntercept.cc(166) NetfilterTransparent: address TPROXY: me= 72.233.89.200:80, client= 192.115.188.100
2009/10/06 15:35:58.387| aclIpAddrNetworkCompare: compare: 192.115.188.100:3556/[::] ([::]:3556) vs [::]-[::]/[::]
2009/10/06 15:35:58.387| aclIpMatchIp: '192.115.188.100:3556' found
2009/10/06 15:35:58.393| aclIpAddrNetworkCompare: compare: 192.115.188.100/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (192.115.188.100) vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2009/10/06 15:35:58.393| aclIpMatchIp: '192.115.188.100' NOT found
2009/10/06 15:35:58.394| aclIpAddrNetworkCompare: compare: 192.115.188.100/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (192.115.188.100) vs 192.115.188.100-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2009/10/06 15:35:58.394| aclIpMatchIp: '192.115.188.100' found
2009/10/06 15:35:58.397| aclIpAddrNetworkCompare: compare: 192.115.188.100/[::] ([::]) vs [::]-[::]/[::]
2009/10/06 15:35:58.397| aclIpMatchIp: '192.115.188.100' found
2009/10/06 15:35:58.398| PconnPool::key(whatismyip.com,80,(no domain),192.115.188.100is {whatismyip.com:80-192.115.188.100}
2009/10/06 15:35:58.398| PconnPool::pop: lookup for key {whatismyip.com:80-192.115.188.100} failed.
2009/10/06 15:35:58.398| fwdConnectStart: got outgoing addr 192.115.188.100, tos 0
2009/10/06 15:35:58.398| comm_openex: Attempt open socket for: 192.115.188.100
2009/10/06 15:35:58.398| commBind: bind socket FD 18 to 192.115.188.100

And I still get the error:
The system returned: (110) Connection timed out

???

Thanks
Roman
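As an added example (not part of Roman's post or of Squid itself), a small Python checker that pulls the addresses out of the cache.log lines above and reports whether the TPROXY lookup recovered the original destination and whether Squid bound its outgoing socket to the client's own address. When it did, the origin server's replies carry the client's address as destination and must come back through the proxy box, which is what the fwmark rule, the local route in table 100 and the bridge settings are meant to arrange. The sample log is the post's excerpt re-joined onto single lines; function and variable names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the intercept and bind lines from the cache.log excerpt
# in the post above, re-joined onto single lines (same addresses as the post).
SAMPLE_LOG = """\
2009/10/06 15:35:58.385| AcceptFD::acceptOne accepted: FD 15 newfd: 17 from: 192.115.188.100:3556 handler: SomeCommAcceptHandler(FD -1, data=0xa331b18)
2009/10/06 15:35:58.386| IpIntercept.cc(381) NatLookup: address BEGIN: me= 72.233.89.200:80, client= 72.233.89.200:80, dst= 192.115.188.100:3556, peer= 192.115.188.100:3556
2009/10/06 15:35:58.386| IpIntercept.cc(166) NetfilterTransparent: address TPROXY: me= 72.233.89.200:80, client= 192.115.188.100
2009/10/06 15:35:58.398| fwdConnectStart: got outgoing addr 192.115.188.100, tos 0
2009/10/06 15:35:58.398| commBind: bind socket FD 18 to 192.115.188.100
"""

PEER_RE = re.compile(r"acceptOne accepted: .*? from: (\S+) handler")
TPROXY_RE = re.compile(r"NetfilterTransparent: address TPROXY: me= (\S+), client= (\S+)")
BIND_RE = re.compile(r"commBind: bind socket FD \d+ to (\S+)")


def host(addr: str) -> str:
    """Strip a trailing :port from an IPv4 address string (IPv4 only, as in the log)."""
    return addr.rsplit(":", 1)[0]


def parse_intercept(text: str) -> Dict[str, Optional[str]]:
    """Collect the addresses Squid logs for one intercepted connection."""
    info: Dict[str, Optional[str]] = {"peer": None, "me": None, "client": None, "bind": None}
    for line in text.splitlines():
        if m := PEER_RE.search(line):          # TCP peer that hit the listening port
            info["peer"] = m.group(1)
        elif m := TPROXY_RE.search(line):      # result of the TPROXY socket lookup
            info["me"], info["client"] = m.group(1), m.group(2)
        elif m := BIND_RE.search(line):        # source address of the outgoing socket
            info["bind"] = m.group(1)
    return info


def check_intercept(info: Dict[str, Optional[str]]) -> List[str]:
    """Explain what the logged addresses imply for the return path."""
    if info["me"] is None or info["client"] is None:
        return ["no 'NetfilterTransparent: address TPROXY' line: lookup did not run"]
    if info["bind"] is None:
        return ["no commBind line: no outgoing socket was bound"]
    if info["bind"] == host(info["client"]):
        return ["outgoing socket bound to the client address: replies from "
                + host(info["me"]) + " must route back through this box"]
    return ["outgoing socket bound to " + info["bind"] + ", not the client address: "
            "spoofing not in effect"]
```

Run it against a real cache.log at the debug level shown in the post; a single "bound to the client address" finding plus a connect timeout points at the return path rather than at the intercept itself.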
Received on Wed Oct 07 2009 - 07:03:00 MDT