Re: [squid-users] Re: Client timing out when using squid as tproxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 29 Jan 2011 13:14:23 +1300

On 29/01/11 05:23, mbruell wrote:
>
>
> Amos Jeffries-2 wrote:
>>
>> Start troubleshooting by reading the section "Troubleshooting" on the
>> wiki TPROXY page. Particularly the Q on timing out.
>>
>
> If proxying works when using port 3128, can I rule out issues with network
> not allowing packets back to squid when in transparent mode (port 3129)?

No. Forward-proxy, intercept proxy and tproxy all have very different
packet behaviours.

With normal port 3128 (forward proxy) the packets are sent with IP addresses
browser->proxy and then proxy->Internet, with no possible way the
packets could take any other reply route than Internet->proxy->browser.

Intercept packets get sent from the browser with browser->Internet IPs, and
from the proxy with proxy->Internet IPs. So again there is no possible way
the packets could go anywhere but back through the proxy.

With tproxy the packets *always* have browser->Internet IPs. So if
routing is screwed up in even a small way they will go directly back to
the browser which discards the invalid TCP seqnum details.

... then there are some people who hit problems with the libcap library
or security systems on their box (RP filters, SELinux, and MAC-IP filtering
all block packet spoofing attacks, which is what TPROXY does) and the
packets not actually getting into Squid, or not being spoofed on the way
out.

>
> I posted results of iptables, ip rules, and ip routes listing. I don't see
> any issues with them - but please let me know if you do.
>

They look fine.

That "table 100" bit in the wiki may need to be created for each NIC on
the box, not just the lo interface.

> Amos Jeffries-2 wrote:
>>
>> Extra details to be aware of: Ubuntu 10.04 official packages do not meet
>> the libcap dependency requirement for TPROXY. Its library is too old.
>> Squid-3.1 will not produce an obvious message about that before shutting
>> down TPROXY spoofing.
>> Ubuntu 10.10 has a mixed success rate.
>>
>
> I'm not wedded to 10.04. Would it be better to build the libcap packages
> from latest stable source or move to 10.10?

That is up to you.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Sat Jan 29 2011 - 00:14:27 MST
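The three failure modes Amos lists (the fwmark policy rule missing, the "table 100" local route missing, and a strict reverse-path filter eating the spoofed packets) can be checked from captured command output. The script below is an added example, not code from the Squid project, the wiki, or anyone in this thread. It assumes the Squid wiki's conventional values of fwmark 1 and routing table 100, and the sample `ip rule`, `ip route show table 100` and `sysctl net.ipv4.conf` outputs embedded in it are constructed for the demonstration (a box with the wiki setup applied but rp_filter still strict on eth0).

```shell
#!/bin/sh
# Added example (not from Squid or this thread): checks the TPROXY routing
# pieces from captured command output. Assumption: fwmark 1 and table 100,
# the values used on the Squid wiki TPROXY page.
MARK=1
TABLE=100

# check_fwmark_rule: stdin is `ip rule` output. Succeeds if some rule sends
# packets carrying fwmark $MARK to table $TABLE (handles "0x1" and "0x1/0x1").
check_fwmark_rule() {
    grep -Eq "fwmark (0x)?${MARK}(/0x[0-9a-f]+)?[[:space:]]+lookup ${TABLE}([[:space:]]|$)"
}

# check_local_route: stdin is `ip route show table $TABLE` output. Succeeds if
# the table holds a local default route on lo, which is what delivers marked
# packets (whose dst IP is not ours) to Squid's socket instead of forwarding.
check_local_route() {
    grep -Eq "^local (default|0\.0\.0\.0/0)[[:space:]]+dev lo([[:space:]]|$)"
}

# rp_filter_ok: stdin is `sysctl net.ipv4.conf` output. Prints every entry
# whose rp_filter is 1 (strict) and returns 1 if any was found, else 0.
rp_filter_ok() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "net.ipv4.conf."*".rp_filter = 1")
                iface=${line#net.ipv4.conf.}
                iface=${iface%%.rp_filter*}
                echo "$iface"
                found=1 ;;
        esac
    done
    return $found
}

# tproxy_report RULES ROUTES SYSCTL: one line per check, returns the number
# of failed checks (0 means all three passed).
tproxy_report() {
    fails=0
    if printf '%s\n' "$1" | check_fwmark_rule; then
        echo "fwmark $MARK -> table $TABLE rule: ok"
    else
        echo "fwmark $MARK -> table $TABLE rule: MISSING (marked packets fall through to the main table)"
        fails=$((fails + 1))
    fi
    if printf '%s\n' "$2" | check_local_route; then
        echo "local default route on lo in table $TABLE: ok"
    else
        echo "local default route on lo in table $TABLE: MISSING"
        fails=$((fails + 1))
    fi
    if strict=$(printf '%s\n' "$3" | rp_filter_ok); then
        echo "rp_filter: no strict (=1) entries"
    else
        echo "rp_filter strict (=1) on: $strict"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample output standing in for the live commands. On a real box
# feed the commands directly, e.g.:
#   tproxy_report "$(ip rule)" "$(ip route show table 100)" "$(sysctl net.ipv4.conf)"
RULES_OK='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default'
RULES_BAD='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'
ROUTE_OK='local default dev lo scope host'
SYSCTL_STRICT_ETH0='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'
SYSCTL_OK='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'

tproxy_report "$RULES_OK" "$ROUTE_OK" "$SYSCTL_STRICT_ETH0" || echo "$? check(s) failed"
```

An empty `ip route show table 100` (the table was never created) fails the second check, and a strict rp_filter on any entry, `all` included, fails the third; the kernel uses the higher of `all` and the per-interface value.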
