Re: [squid-users] Re: squid tproxy problem

From: Benjamin <benjo11111_at_gmail.com>
Date: Thu, 18 Aug 2011 19:13:49 +0530

On 08/18/2011 05:50 PM, Amos Jeffries wrote:
> On 18/08/11 22:51, Benjamin wrote:
>> I tested interception in bridge mode with the current setup. That is working
>> fine. But when I configure tproxy, it is not working. Please guide me for
>> that.
>>
>> Thanks,
>> Benjo
>>> Hi,
>>>
>>> Any suggestions please.
>>>
>>> My Current Network Setup:
>>>
>>> WAN ROUTER(114.30.XX.1 --- public ip)
>>> |
>>> |
>>> |
>>> SWITCH
>>> |
>>> |
>>> |
>>> SQUID BOX (114.30.XX.19 gw: 114.30.XX.1) ( bridge mode)
>>> |
>>> |
>>> |
>>> BANDWIDTH MGMT. LINUX BOX ( 114.30.XX.10 gw: 114.30.XX.1)
>>> |
>>> |
>>> |
>>> END USERS ( mix with private ips and public ips )
>>>
>>>
>>> at squid box : eth0 -----> internet (cable from switch)
>>> eth1 -----> cable connected to BANDWIDTH MGMT. LINUX BOX
>>>
> ...
>>>> ebtables -t broute --list
>>>> Bridge table: broute
>>>>
>>>> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
>>>> -p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
>>>> -p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
>
> Unless you changed the config between posts that means port 80 traffic
> _from_ the Internet is being passed to the proxy. Same for traffic
> received _from_ internal web servers.
>
> According to the cabling diagram that should be:
> -i eth0 --ip-sport 80
> -i eth1 --ip-dport 80
> ... or plug the cables the other way around.
>
> Alternatively, and at least for testing, drop the -i NIC parameters
> entirely and route everything to or from port 80.
>
> <from earlier in the thread>
>>
>> iptables -L -nvx -t mangle
>> Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
>>  pkts   bytes   target  prot opt in  out  source     destination
>>  10993  689414  DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
>>  16765  1000259 TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>
>>
> ...
>> OS CENTOS 6 64 bit
>> squid : 3.1.4
>> KERNEL : 2.6.32-71.29.1.el6.x86_64
>
>
> Indeed this shows some packets that should be showing up in Squid
> logs, as TCP_DENIED visitors if my assessment of the ebtables rules is
> correct. But either way, showing up.
>
> This looks a LOT like the problem Debian Lenny and Ubuntu Lucid have.
> They also had kernels from early 2.6.3n numbers. Indeed going back to
> my notes (in the wiki):
> "2.6.32 to 2.6.34 have bridging issues on some systems. Please use
> 2.6.30 or 2.6.31 for production machines, they seem to work properly."
>
> I wrote that while monitoring TPROXY related patches going into the
> kernel. About the time 2.6.36 came out.
> So if you can, 2.6.35 or later should work (the later the better).
> Most people working with Debian Squeeze (kernel 2.6.37+) have had no
> problems AFAICT. That success should be mirrored in other distros on
> the similar kernel versions.
>
> Amos
Hi Amos,

Thanks for your kind response. I am going to try with the latest kernel 3.0.3
and update you with the final status.

Is kernel 3.0.3 OK for tproxy with squid version 3.1.10?

Thanks,
Benjamin
Received on Thu Aug 18 2011 - 13:43:57 MDT
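Amos's point about the reversed `-i`/port pairing can be checked mechanically. The following is an added example, not code from the thread or from Squid: it parses the `ebtables -t broute --list` output quoted above and reports which redirect rules contradict the stated cabling (eth0 toward the Internet, eth1 toward the LAN side); the NIC-role arguments and function names are assumptions of this example.

```python
"""Check ebtables 'broute' redirect rules for a TPROXY bridge against NIC roles.

Client requests arrive on the LAN-facing NIC with destination port 80;
server replies arrive on the WAN-facing NIC with source port 80. A rule
that pairs the wrong port match with a NIC only diverts the wrong half
of the conversation to the proxy.
"""
import re

# Constructed sample: the listing quoted in the thread, verbatim.
EBTABLES_LISTING = """\
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
"""

# Match "-i <nic> ... --ip-sport|dport <port> -j redirect".
RULE_RE = re.compile(
    r"-i (?P<nic>\S+) .*--ip-(?P<dir>[sd])port (?P<port>\d+) -j redirect")


def parse_rules(listing):
    """Return (nic, 'sport'|'dport', port) for each redirect rule found."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m.group("nic"), m.group("dir") + "port",
                          int(m.group("port"))))
    return rules


def _expected(wan_nic, lan_nic):
    # WAN side sees replies (sport), LAN side sees requests (dport).
    return {wan_nic: "sport", lan_nic: "dport"}


def check_direction(rules, wan_nic, lan_nic, port=80):
    """Return the rules whose port match is wrong for the given cabling."""
    expected = _expected(wan_nic, lan_nic)
    return [(nic, d, p) for nic, d, p in rules
            if p == port and nic in expected and expected[nic] != d]


def corrected_rules(rules, wan_nic, lan_nic, port=80):
    """Rewrite each rule with the port match that fits the cabling."""
    expected = _expected(wan_nic, lan_nic)
    return ["-p IPv4 -i %s --ip-proto tcp --ip-%s %d -j redirect"
            % (nic, expected[nic], p)
            for nic, _, p in rules if nic in expected and p == port]
```

Running `check_direction` with the roles swapped (eth1 as WAN, eth0 as LAN) returns nothing, which is the "plug the cables the other way around" alternative from the reply.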