Re: [squid-users] transparent proxy in squid3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Mar 2012 11:57:55 +1300

On 06.03.2012 11:09, pplive wrote:
> Dear Amos,
>
> To see whether there was some internal firewall in my system, I
> tried a simpler topology, i.e.,
>
> Client (10.0.0.1) (eth0) -> (eth0) Squid3 (eth1) -> (eth0) Server
> (10.0.0.2)
>
> I just follow the setting in
>
> http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
>
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
>
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
> --ip-destination-port 8080 -j redirect --redirect-target ACCEPT

"ACCEPT" on the layer-2 bridging is to handle the packet entirely at
that low layer.

It needs to be "DROP"ed out of the bridging layer into the iptables
layer handling before NAT can change the IP/port and routing can shift
it to the INPUT path where Squid gets it.

>
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
> --to-port 3128
>
> According to tcpdump, we can see the packets are forwarded to port
> 3128
> (I use wget 10.0.0.2:8080 at the client)
>
> 14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
> 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
> 0,nop,wscale 6], length 0
> 14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
> 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
> 0,nop,wscale 6], length 0
>
> Still, I am confused about using one NIC: how can I redirect the
> packets
> to port 3128?

NAT is a special system which can change packets on both bridging and
routing layers but does not itself make them change layer.

So what the above trace shows is that packets arriving are NAT/NAPT
changed as they flow through the bridge. But not anything else.

tcpdump gets packets before any of the iptables etc. handling gets done
to them. So it's useful to verify that the packets are arriving and/or
leaving the NIC as expected, but not much help deciphering what is
happening to them in the middle around where Squid sits.
We have to rely on ebtables/iptables LOG functionality for those bits.

I'm sorry I can't be of much more help. Beyond suggesting to try later
versions of the software including kernel I've run out of ideas.

Amos
Received on Mon Mar 05 2012 - 22:57:58 MST
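The setup Amos describes (brouter DROP instead of ACCEPT, then iptables NAT, then the INPUT path) and the LOG-based tracing he recommends, written out as one script. This is an added example, not code from the thread, from Squid, or from the ebtables project. It assumes the topology in the quoted message: bridge br0 over eth0 (client side) and eth1 (server side), the Squid host's bridge address 10.0.0.10/24 as seen in the tcpdump trace, test traffic on TCP port 8080 and Squid on port 3128. The choice of eth0 rather than br0 in the iptables match is an assumption about how brouted frames are presented to the IP stack; the LOG rules are there precisely so you can confirm it on your own kernel.

```shell
#!/bin/sh
# Constructed example for the bridge/brouter transparent-proxy setup
# discussed in this thread (not the thread's, Squid's or ebtables' code).
# Assumptions: br0 over eth0 (client side) and eth1 (server side), bridge
# address 10.0.0.10/24, client traffic on TCP 8080, Squid on 3128.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 as root applies them.

BR=${BR:-br0}
BR_ADDR=${BR_ADDR:-10.0.0.10/24}
CLIENT_IF=${CLIENT_IF:-eth0}
SERVER_IF=${SERVER_IF:-eth1}
SVC_PORT=${SVC_PORT:-8080}
SQUID_PORT=${SQUID_PORT:-3128}
DRY_RUN=${DRY_RUN:-1}

# Print a command line, or execute it when DRY_RUN=0.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# Bridge creation, as in the quoted message, plus the bridge's own address.
bridge_cmds() {
    printf 'brctl addbr %s\n' "$BR"
    printf 'brctl addif %s %s\n' "$BR" "$CLIENT_IF"
    printf 'brctl addif %s %s\n' "$BR" "$SERVER_IF"
    printf 'ip addr add %s dev %s\n' "$BR_ADDR" "$BR"
    printf 'ip link set dev %s up\n' "$BR"
}

# The one word that matters: in the BROUTING chain a redirect target of
# DROP means "stop bridging this frame, hand it to the IP (routing) stack".
# ACCEPT keeps it at layer 2, where iptables NAT never changes its destination.
broute_rule() {
    printf 'ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port %s -j redirect --redirect-target DROP\n' "$SVC_PORT"
}

# A brouted frame is assumed to reach iptables on the physical bridge port
# it came in on, not on br0 (assumption; verify with the LOG rules below).
nat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' "$CLIENT_IF" "$SVC_PORT" "$SQUID_PORT"
}

# LOG rules for the part of the path tcpdump cannot show: before the
# brouting decision, before NAT (mangle PREROUTING sees every packet), and
# on the INPUT path after NAT, which is where Squid should receive it.
log_rules() {
    printf 'ebtables -t broute -I BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port %s --log --log-prefix "broute: " -j CONTINUE\n' "$SVC_PORT"
    printf 'iptables -t mangle -A PREROUTING -i %s -p tcp --dport %s -j LOG --log-prefix "pre-nat: "\n' "$CLIENT_IF" "$SVC_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "to-squid: "\n' "$SQUID_PORT"
}

# Emit (or apply) everything in order: bridge, logging, brouter, NAT.
apply_all() {
    { bridge_cmds; log_rules; broute_rule; nat_rule; } | while read -r cmd; do
        if [ -n "$cmd" ]; then
            run_cmd "$cmd"
        fi
    done
}

apply_all
```

With DRY_RUN=0 the three prefixes tell you where a packet stops: "broute:" without "pre-nat:" means the frame is still being bridged (the ACCEPT-vs-DROP problem, or a wrong port match); "pre-nat:" without "to-squid:" means it reached iptables but was not turned onto the INPUT path, so check the interface name in the NAT rule and that 10.0.0.10 is really the address of that bridge. Read the messages from the kernel log (dmesg or the syslog file your distribution uses for kernel messages).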
