Re: [squid-users] TPROXY - possible in such network setup (hanging connections)?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 02 Nov 2010 00:20:59 +0000

On Mon, 01 Nov 2010 23:55:27 +0100, Tomasz Chmielewski <mangoo_at_wpkg.org>
wrote:
> I'm trying to configure Squid to work in tproxy mode (IPv4, when it
> works, IPv6), but my connections are hanging and I'm not sure how to
> debug this.
>
>
> Perhaps my network setup won't just work with tproxy?
>
>
> My network setup looks like below:
>
>
> internet gateway - squid - client
>
>
> Internet gateway, squid, client - all have public IPv4 addresses.
>
>
> The client has squid IP address set as a gateway for addresses I'd like
> to proxy.
> If I ping the destination from the client, all packets go through the
> proxy, but the replies don't go through the proxy.

This is called asymmetrical routing. Your network routing structure needs
to be altered to symmetrical routing for the reply traffic to work with
TPROXY.

"ping" is also a different protocol entirely (ICMP) from the ones which TPROXY
works on (TCP/UDP). There are known bugs in the ICMP bits related to
TPROXY. The kernel guys have patches which are coming out alongside IPv6
support in kernel 2.6.37.

>
> I see the website in the internet gets TCP packets with client IP and
> replies to them. Client receives packets with website IPs.

Good.

>
> However, the connection hangs:
>
> $ wget -O /dev/null example.com
> --2010-11-02 06:48:51-- http://example.com
> Resolving example.com... 1.2.3.4
> Connecting to example.com|1.2.3.4|:80... connected.
> HTTP request sent, awaiting response...
>
>
> If I press ctrl+c on the client, Squid logs the page I tried to access:
>
> 1288651691.229 29850 client_ip TCP_MISS/000 0 GET http://example.com/ - DIRECT/1.2.3.4 -
>
>
> What is wrong in my setup? It works when I use NAT, but I'd like to use
> IPv6 too, so I have to use TPROXY.

Find out why the reply packets are not coming back to Squid. Fix that and
this should start working.

Amos
Received on Tue Nov 02 2010 - 00:21:02 MDT
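Added example, not part of the thread: a small Python model of the asymmetric routing Amos describes. The addresses (192.0.2.x, 203.0.113.x) and the per-host routing tables are constructed; the client sends proxied traffic via squid, but the gateway delivers the website's replies straight to the client, so squid never sees them, and a return route on the gateway (client /32 via squid) makes the path symmetric.

```python
import copy
import ipaddress

# Constructed topology from the thread: gateway - squid - client, all with public
# addresses (TEST-NET-1 here); the website sits on TEST-NET-3 behind the gateway.
HOSTS = {
    "client":  {"addrs": {"192.0.2.3"},
                "routes": [("203.0.113.0/24", "192.0.2.2"),   # proxied via squid
                           ("192.0.2.0/24", None), ("0.0.0.0/0", "192.0.2.1")]},
    "squid":   {"addrs": {"192.0.2.2"},
                "routes": [("192.0.2.0/24", None), ("0.0.0.0/0", "192.0.2.1")]},
    "gateway": {"addrs": {"192.0.2.1", "203.0.113.1"},
                "routes": [("192.0.2.0/24", None), ("203.0.113.0/24", None)]},
    "web":     {"addrs": {"203.0.113.80"},
                "routes": [("203.0.113.0/24", None), ("0.0.0.0/0", "203.0.113.1")]},
}

def owner(hosts, ip):
    """Name of the host that holds this address, or None."""
    return next((n for n, h in hosts.items() if ip in h["addrs"]), None)

def next_hop(hosts, host, dst):
    """Longest-prefix match over the host's table; a None gateway means on-link."""
    best = None
    for prefix, via in hosts[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise ValueError(f"{host}: no route to {dst}")
    return best[1] or dst

def trace(hosts, src, dst):
    """Hop-by-hop path from src host to the host owning dst, with a loop guard."""
    path, cur = [src], src
    for _ in range(16):
        nh = owner(hosts, next_hop(hosts, cur, dst))
        if nh is None:
            raise ValueError(f"{cur}: next hop for {dst} is not a modelled host")
        path.append(nh)
        if dst in hosts[nh]["addrs"]:
            return path
        cur = nh
    raise ValueError("routing loop")

def is_symmetric(hosts, src_host, src_ip, dst_ip):
    """True when the reply path is the exact reverse of the request path."""
    fwd = trace(hosts, src_host, dst_ip)
    rev = trace(hosts, fwd[-1], src_ip)
    return fwd == rev[::-1], fwd, rev

def with_return_route(hosts):
    """Constructed fix: the gateway sends the client's traffic back through squid."""
    fixed = copy.deepcopy(hosts)
    fixed["gateway"]["routes"].insert(0, ("192.0.2.3/32", "192.0.2.2"))
    return fixed
```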