Re: [squid-users] squid 3.1.15 + TProxy 4 + time out

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Sep 2011 23:09:30 +1200

On 20/09/11 22:42, Tux Mason wrote:
> Hello,
>
> I need help to get TProxy working.
>
> When I set my browser to use the tproxy port, netstat output shows
> SYN_SENT for a while and the connection times out.

Of course. Squid is required to invert the connecting IP addresses on
arrival at a tproxy port. You CAN NOT send forward-proxy traffic from
the browser to a Squid tproxy flagged port and have anything useful come
out the WAN side of Squid.

Set your browser to use no proxy at all and the Squid box as its box
gateway router.

Once that is done and being tested correctly, check your rpfilter
settings against the wiki page. I have reason to believe the wiki docs
are now out of date as of kernel 2.6.35 and incorrect regarding
rpfilter. But no one has yet confirmed which altered settings we need.

>
> When I set my browser to use the transparent port, content is fetched
> by the cache and the content is displayed in the browser

This is a bug, which has been fixed in the 3.2 series.

>
> I have configured my routing as follows,
>
> ----------------------------------------------------------------
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-ip <SQUID_BOX_PUBLIC_IP> --on-port 3129
> ----------------------------------------------------------------
>
> ---------- squid.conf excerpt ----------------------------------
> http_port <SQUID_BOX_PUBLIC_IP>:3128 intercept

I see no NAT rules for port 3128 interception.

> http_port <SQUID_BOX_PUBLIC_IP>:3129 tproxy
> ...
> acl public src <CLIENT_NETWORK> # public IPs
> acl localhost src 127.0.0.0/24
> acl localnet src 192.168.2.0/24
> acl localnet src 192.168.3.0/24
> acl localnet src 10.10.10.0/24
> ...
> http_access allow public
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> ----------------------------------------------------------------
>
> Distro: Slackware 13.37 x86_64
> Kernel: linux-3.0.4 ( tried 2.6.37 and 2.6.30 - connections time out)
> Squid version: 3.1.15 ( tried 3.1.12 - connections also time out)
>
> Any help will be greatly appreciated.
>
> Kind regards,
>
> Daniel

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
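Amos's diagnosis above comes down to a consistency check: every `http_port ... intercept` needs a `nat`-table REDIRECT/DNAT rule steering traffic to it, and every `http_port ... tproxy` needs a `mangle`-table TPROXY rule with a matching `--on-port`. The following script is an added example, not code from the thread or from the Squid project; it parses the quoted squid.conf and iptables lines (constructed here from the post, placeholder kept verbatim) and reports ports with no packet-steering rule. The intercept/tproxy-to-table mapping is an assumption of this example, taken from how those modes are normally wired.

```python
import re
from typing import Dict, List, Set

# Constructed sample input mirroring the configuration quoted in the thread.
# <SQUID_BOX_PUBLIC_IP> is the poster's own placeholder, kept verbatim.
SQUID_CONF = """
http_port <SQUID_BOX_PUBLIC_IP>:3128 intercept
http_port <SQUID_BOX_PUBLIC_IP>:3129 tproxy
http_port 3130
"""

IPTABLES_RULES = """
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip <SQUID_BOX_PUBLIC_IP> --on-port 3129
"""

HTTP_PORT_RE = re.compile(r"^\s*http_port\s+(\S+)(?:\s+(.*))?$")


def parse_http_ports(conf: str) -> Dict[int, str]:
    """Map each http_port number to its mode: 'intercept', 'tproxy' or 'forward'."""
    ports: Dict[int, str] = {}
    for line in conf.splitlines():
        m = HTTP_PORT_RE.match(line)
        if not m:
            continue
        # The first argument is [addr:]port; take the text after the last colon.
        port = int(m.group(1).rsplit(":", 1)[-1])
        mode = "forward"
        for opt in (m.group(2) or "").split():
            if opt in ("intercept", "transparent"):  # 'transparent' is the older spelling
                mode = "intercept"
            elif opt == "tproxy":
                mode = "tproxy"
        ports[port] = mode
    return ports


def parse_iptables(rules: str) -> Dict[str, Set[int]]:
    """Collect the Squid ports that steering rules deliver traffic to, per mode.

    Assumed mapping (this example's, not the thread's): tproxy ports are fed by
    mangle/TPROXY --on-port; intercept ports by nat/REDIRECT --to-ports or nat/DNAT.
    """
    found: Dict[str, Set[int]] = {"tproxy": set(), "intercept": set()}
    for line in rules.splitlines():
        toks = line.split()
        if not toks or toks[0] != "iptables":
            continue
        table, target, opts = "filter", None, {}
        i = 1
        while i < len(toks):
            t = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-t" and nxt:
                table = nxt
                i += 2
            elif t == "-j" and nxt:
                target = nxt
                i += 2
            elif t.startswith("--") and nxt and not nxt.startswith("-"):
                opts[t] = nxt
                i += 2
            else:
                i += 1
        if table == "mangle" and target == "TPROXY" and "--on-port" in opts:
            found["tproxy"].add(int(opts["--on-port"]))
        elif table == "nat" and target == "REDIRECT" and "--to-ports" in opts:
            found["intercept"].add(int(opts["--to-ports"].split("-")[0]))
        elif table == "nat" and target == "DNAT" and ":" in opts.get("--to-destination", ""):
            found["intercept"].add(int(opts["--to-destination"].rsplit(":", 1)[1]))
    return found


def check(conf: str, rules: str) -> List[str]:
    """Report every intercept/tproxy http_port that no steering rule feeds."""
    problems: List[str] = []
    steered = parse_iptables(rules)
    for port, mode in sorted(parse_http_ports(conf).items()):
        if mode == "forward":
            continue  # a plain forward-proxy port needs no packet steering
        if port not in steered[mode]:
            needs = "nat REDIRECT/DNAT" if mode == "intercept" else "mangle TPROXY --on-port"
            problems.append(f"http_port {port} {mode}: no {needs} rule steers traffic to it")
    return problems


if __name__ == "__main__":
    for p in check(SQUID_CONF, IPTABLES_RULES) or ["no steering gaps found"]:
        print(p)
```

Run against the quoted configuration it reports only port 3128, which is exactly the gap Amos points out; adding a `-t nat ... -j REDIRECT --to-ports 3128` rule clears it. The script checks rule presence only; it does not verify the `ip rule`/`ip route` pieces or the rp_filter settings the thread says are still uncertain.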
Received on Tue Sep 20 2011 - 11:09:38 MDT
