Re: [squid-users] Tproxy time

From: Amos Jeffries <>
Date: Sun, 21 Aug 2011 12:26:34 +1200

On 21/08/11 05:04, John Hardin wrote:
> On Sat, 20 Aug 2011, Ritter, Nicholas wrote:
>> What kernel/iptables/distro are you using?
>> I am getting this exact same problem and I copied the iptables rules
>> from my working TPROXY/SQUID setup and the only difference was the
>> kernel and iptables version.
>> I think there is some TPROXY breakage somewhere in the later kernels,
> I have a very similar setup and I have no problems.
> athena ~ # equery l squid iptables
> * Searching for squid ...
> [IP-] [ ] net-proxy/squid-3.1.8:0
> * Searching for iptables ...
> [IP-] [ ] net-firewall/iptables-
> athena ~ # uname -a
> Linux athena 2.6.36-hardened-r9 blah blah blah
> I don't know if that qualifies as a "later kernel" or not.
> Those firewall rules seem overly complex, try it without fwmark:
> # No masq of HTTP traffic, must go via proxy
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports
> 80,8000,8008,8080,8088,8800,8880,8888 -j REDIRECT --to-port 3129

NAT is a very different beast to TPROXY at the IP level. For starters
the outgoing IP address in NAT is one assigned to the Squid box.
  They have already tried with manually configured proxy, which performs
the same outgoing connection actions as NAT would. That works. A NAT
test will provide no new information.

The fwmark and DIVERT rules are there to prevent packets being
intercepted multiple times into Squid. Since the outgoing packet has
identical addressing to the incoming packet an both pass through the
mangle table PREROUTING capture rules as they begin processing.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for
Received on Sun Aug 21 2011 - 00:26:42 MDT

This archive was generated by hypermail 2.2.0 : Sun Aug 21 2011 - 12:00:02 MDT