Re: [squid-users] transparent proxy debugging

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Apr 2011 17:03:39 +1200

On 20/04/11 16:18, cc wrote:
> Hi,
>
> I have a firewall which also serves as a transparent proxy
> system. So all forward port 80 connections are sent to localhost's
> (I think) port 3129.
>
> I've read
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect,
>
> and my netfilter rules are:
>
> LO_REDIRECT=3129
> $IPTB -t nat -A PREROUTING -i $INET_IF -s $INET_IP -p tcp \
> --dport $HTTP -j ACCEPT
> $IPTB -t nat -A PREROUTING -i $DMZ_IF -p tcp -s $LAN_NET --dport $HTTP \
> -j REDIRECT --to-ports $LO_REDIRECT
> $IPTB -t nat -A POSTROUTING -o $INET_IF -p tcp -j MASQUERADE
> $IPTB -t mangle -A PREROUTING -p tcp --dport $LO_REDIRECT -j DROP
>
> squid.conf:
>
> http_port 3129 transparent
>
> (are there other options that I need to consider?)
>
> From within the LAN_NET, I get a time out error.

You are missing the rule which prevents packets leaving Squid from being
looped back into Squid again.

You seem to have one preventing external (WAN) traffic from being NAT'd
into Squid instead.

Try this:

  $IPTB -t nat -A PREROUTING -i $INET_IF -s $INET_IP -p tcp \
        --dport $HTTP -j ACCEPT

  $IPTB -t nat -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT

  $IPTB -t nat -A PREROUTING -i $DMZ_IF -p tcp \
        -s $LAN_NET --dport $HTTP \
        -j REDIRECT --to-ports $LO_REDIRECT

>
> If I do a tcpdump on the firewall, I am getting
> traffic to the remote host on port 80 from the
> LAN host.
>
> Somehow this setup isn't running well. If someone
> can clarify what I might be doing wrong and/or
> ways I can debug this, I'd appreciate it.
>
> Squid's access.log is empty, so traffic isn't
> going through Squid's proxy, but I'm using the
> same netfilter rules as the aforementioned link.

Common Mistake: assuming that the access.log shows traffic *arriving*.

All that means is that traffic is never *completing* a transaction.
access.log will stay empty if the outgoing fetch is still happening. The
timeout is many minutes, so it can be a long time before access.log
shows anything.

Make sure "via on" is configured in your squid.conf to abort loops early.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Wed Apr 20 2011 - 05:03:49 MDT
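The loop Amos describes, as an added illustration that is not part of the thread: a small Python model of first-match evaluation in the nat PREROUTING chain, with constructed addresses standing in for the script's variables. It assumes the proxy's outbound fetches re-enter the firewall through PREROUTING (the case the `-s $SQUID_IP` ACCEPT rule covers) and shows why that rule must sit before the REDIRECT.

```python
import ipaddress

# Constructed values standing in for the thread's shell variables.
INET_IF, DMZ_IF = "eth0", "eth1"
INET_IP = "203.0.113.10"      # firewall's public address (constructed)
LAN_NET = "192.168.1.0/24"    # constructed LAN range
SQUID_IP = "192.168.1.2"      # constructed: host Squid fetches from
HTTP, LO_REDIRECT = 80, 3129

def rule(target, in_if=None, src=None, dport=None):
    """One nat PREROUTING rule: any match field left None is a wildcard."""
    return {"target": target, "in_if": in_if,
            "src": ipaddress.ip_network(src) if src else None, "dport": dport}

def matches(r, pkt):
    if r["in_if"] and r["in_if"] != pkt["in_if"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dport"] and r["dport"] != pkt["dport"]:
        return False
    return True

def nat_prerouting(chain, pkt):
    """netfilter semantics: first matching terminating rule decides the packet."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return "PASS"   # chain policy: no NAT applied

# The original poster's chain: WAN exemption, then the REDIRECT.
ORIGINAL = [rule("ACCEPT", INET_IF, INET_IP, HTTP),
            rule("REDIRECT", DMZ_IF, LAN_NET, HTTP)]
# Amos's chain: the proxy's own traffic is exempted before the REDIRECT.
FIXED = [rule("ACCEPT", INET_IF, INET_IP, HTTP),
         rule("ACCEPT", None, SQUID_IP, HTTP),
         rule("REDIRECT", DMZ_IF, LAN_NET, HTTP)]
# Same rules in the wrong order: the exemption never gets a chance to match.
MISORDERED = [FIXED[0], FIXED[2], FIXED[1]]

LAN_CLIENT = {"in_if": DMZ_IF, "src": "192.168.1.50", "dport": HTTP}
SQUID_FETCH = {"in_if": DMZ_IF, "src": SQUID_IP, "dport": HTTP}

def loops_back(chain):
    """True when Squid's outgoing fetch would be sent back into Squid."""
    return nat_prerouting(chain, SQUID_FETCH) == "REDIRECT"
```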
