Eliezer
Hi
Thanks for your email, and sorry if I couldn't properly describe the
case. Yes, I need an intercepting transparent proxy in which all
clients use their own IP address in order to surf the web while the
proxy server is kept transparent to them.
I am using Debian Lenny. Here are some details about the platform:
Kernel: 2.6.38.3 (NF_CONNTRACK=m, NETFILTER_TPROXY=m,
NETFILTER_XT_MATCH_SOCKET=m, NETFILTER_XT_TARGET_TPROXY=m)
iptables: 1.4.10
Squid: 3.1.12.1 (--enable-linux-netfilter)
I have configured all those firewall rules mentioned in the tutorial:
# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
Also, I have entered the following two lines in squid.conf:
http_port 3128
http_port 3129 tproxy
The proxy server is a one-NIC machine which is connected to the
Internet via its default gateway.
# ip rule list
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
# ip route list table all
local default dev lo table 100 scope host
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.1.1 dev eth0
local 192.168.1.17 dev eth0 table local proto kernel scope host src 192.168.1.17
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.17
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.17
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 hoplimit 4294967295
local fe80::208:2ff:fe95:7a77 via :: dev lo table local proto none metric 0 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
The problem is that the kernel does not accept the following:
# ip route add local 0.0.0.0/0 dev lo table 100
Thanks again.
Warm Regards,
Ali Majdzadeh Kohbanani
2011/8/13 Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
>
> are you sure you need it as a tproxy and not an INTERCEPTION software?
> give us some info on the os and other stuff on the system and subnet etc.
>
> On 13/08/2011 00:32, Ali Majdzadeh wrote:
>
> Dear All,
> I have followed these two guides in order to set up transparent caching
> using TProxy and Squid, but without any success.
>
> http://wiki.squid-cache.org/Features/Tproxy4
> http://wiki.squid-cache.org/ConfigExamples/Intercept/CentOsTproxy4?action=show&redirect=ConfigExamples%2FTPROXYPatchingCentOS
>
> Actually, the following command fails:
> # ip route add local 0.0.0.0/0 dev lo table 100
> RTNETLINK answers: File exists
>
> Is there any solution to this? Any suggestions? I have precisely
> followed the guides. It should be noted that I am trying to set up a
> normal scenario where the proxy box is connected to the internet using
> its default gateway and it has only one interface.
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
Received on Sat Aug 13 2011 - 01:51:25 MDT
This archive was generated by hypermail 2.2.0 : Sat Aug 13 2011 - 12:00:02 MDT
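An added diagnostic for the policy-routing half of this setup, written for this archive page and not part of the thread, of Squid's wiki or of the iproute2 tools: it parses the text of `ip rule list` and `ip route list table all` and reports whether the fwmark rule and the `local default dev lo` route in the TPROXY lookup table are present. The sample strings are constructed from the output quoted in the mail, and all function names are my own. `RTNETLINK answers: File exists` is ip's rendering of EEXIST, which `ip route add` returns when an identical route is already in that table; since the listing above already contains `local default dev lo table 100 scope host`, the checker classifies the failing command as a re-add of a route that is already in place. Running a check like this before switching on interception is worthwhile because, without the mark rule and the local route, TPROXY-marked packets are forwarded to the real destination instead of being delivered to the local Squid socket.

```python
"""Verify Linux policy-routing prerequisites for Squid TPROXY from ip(8) output.

Added example (not from the squid-users thread or from Squid): parse the
plain-text output of `ip rule list` and `ip route list table all`, then
answer two questions a TPROXY deployment depends on:
  1. Is there a rule sending packets with the TPROXY fwmark to the lookup table?
  2. Does that table contain `local default dev lo` (or `local 0.0.0.0/0 dev lo`)?
"""
import re

# Constructed sample input, copied from the output shown in the mail.
SAMPLE_RULES = """\
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
"""

SAMPLE_ROUTES = """\
local default dev lo table 100 scope host
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.1.1 dev eth0
local 192.168.1.17 dev eth0 table local proto kernel scope host src 192.168.1.17
"""

# Constructed stderr text; `ip` prints EEXIST from the kernel in this form.
SAMPLE_STDERR = "RTNETLINK answers: File exists\n"

# `<prio>: from <src> fwmark <mark>[/<mask>] lookup <table>`; the mask is
# optional because some iproute2 versions print it and some do not.
RULE_RE = re.compile(
    r"^\s*(\d+):\s+from\s+(\S+)\s+fwmark\s+(0x[0-9a-fA-F]+)"
    r"(?:/(0x[0-9a-fA-F]+))?\s+lookup\s+(\S+)"
)


def fwmark_rules(rule_output):
    """Return (priority, mark, mask_or_None, table) for each fwmark rule."""
    rules = []
    for line in rule_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            prio, _src, mark, mask, table = m.groups()
            rules.append((int(prio), int(mark, 16),
                          int(mask, 16) if mask else None, table))
    return rules


def has_local_default_route(route_output, table):
    """True if the listing shows a `local default dev lo` route in `table`.

    `ip route list table all` prints the table name only for non-main tables,
    which is why the match anchors on the explicit `table <n>` token.
    """
    pat = re.compile(
        r"^local\s+(?:default|0\.0\.0\.0/0)\s+dev\s+lo\s+table\s+"
        + re.escape(str(table)) + r"(?:\s|$)"
    )
    return any(pat.match(line) for line in route_output.splitlines())


def check_tproxy_routing(rule_output, route_output, mark=0x1, table="100"):
    """Return {prerequisite: bool} for the fwmark rule and the local route."""
    rule_ok = any(r_mark == mark and r_table == table
                  for _prio, r_mark, _mask, r_table in fwmark_rules(rule_output))
    return {
        "fwmark_rule": rule_ok,
        "local_default_route": has_local_default_route(route_output, table),
    }


def diagnose_route_add(stderr_text, route_output, table="100"):
    """Classify a failed `ip route add local 0.0.0.0/0 dev lo table <table>`.

    'already-present': EEXIST and the exact route is listed; nothing to fix.
    'conflict':        EEXIST but no matching local route is listed; something
                       else occupies that destination in the table.
    'other':           a different error; inspect stderr directly.
    """
    if "File exists" not in stderr_text:
        return "other"
    if has_local_default_route(route_output, table):
        return "already-present"
    return "conflict"


if __name__ == "__main__":
    findings = check_tproxy_routing(SAMPLE_RULES, SAMPLE_ROUTES)
    for name, ok in findings.items():
        print(f"{name:22s} {'OK' if ok else 'MISSING'}")
    print("route add failure:", diagnose_route_add(SAMPLE_STDERR, SAMPLE_ROUTES))
```

On a live box, feed the functions the real command output (for example `subprocess.run(["ip", "rule", "list"], capture_output=True, text=True).stdout`); the parser only needs read access, so it can run as an unprivileged audit step. Both checks passing, together with `already-present` for the error, is the expected state after the wiki's commands have been run once; only `conflict` or a `MISSING` line points at a real routing problem.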