Re: [squid-users] Tproxy 3.1 problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 03 May 2012 12:01:44 +1200

[Re-posting to clean up the NASTY quoting by Daniel's mailer.]

> First, Daniel Echizen wrote:
>
>> Hi,
>> I'm facing a weird problem with tproxy for a few weeks. The problem is, all
>> work fine except clients that are behind a tplink router and another
>> one that I don't remember, but mostly tplink wr541g routers; if I
>> remove
>> the iptables mangle redirect rule, the client has traffic; enabled, not. I don't
>> speak English very well, so I hope someone can understand and help
>> me.. this is a server with 1000+ clients, and I'm getting very
>> frustrated with this problem.
>>
>> my config:
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> /sbin/iptables -v -t mangle -N DIVERT
>> /sbin/iptables -v -t mangle -A DIVERT -j MARK --set-mark 1
>> /sbin/iptables -v -t mangle -A DIVERT -j ACCEPT
>> /sbin/iptables -v -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> /sbin/iptables -v -t mangle -D PREROUTING -p tcp --dport 80 \
>> -j TPROXY --tproxy-mark 0x1/0x1 --on-port 5128
>> 2>&1
>>
>> /usr/local/sbin/ebtables -t broute -A BROUTING -i eth5 -p ipv4
>> --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>> /usr/local/sbin/ebtables -t broute -A BROUTING -i eth3 -p ipv4
>> --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>
>> cd /proc/sys/net/bridge/
>> for i in *
>> do
>> echo 0 > $i
>> done
>> unset i
>>
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>>
>> I have 2 interfaces in the bridge, as I said.. all working fine.. except
>> with these tplink routers.
>> I also got a log in iptables mangle, and there I can see traffic from the
>> client router, but the traffic can't reach squid;
>> in access.log I can't get anything.
>> I use a mikrotik as pppoe-server; my network is:
>>
>> router <-> squidbox <-> mikrotik <-> clients
>>

> Then, Amos Jeffries wrote:
>> With Squid inline on a bridge like this there should be *no* squid
>> related configuration outside the Squid box.
>>
>> Is the tplink being used as "router" or "squidbox" in that diagram?
>>
>> What kernel and iptables version is the squidbox? some of the older
>> 2.6.3x kernels have bridge+tproxy problems.
>>
>>
>> Amos
>>

> On 02/05/2012 19:08, Daniel Echizen wrote:
>>
>> I got some more info.. the connection from the client tplink doesn't answer
>> syn, ack in tshark.. I can see syn -> | ack <- | syn, ack -> , but
>> the final ack from the client doesn't..
>> I upgraded the kernel to 3.3.4 and iptables to 1.4.13 .. all work fine
>> except the problem with the tplink wireless router..

On 03.05.2012 07:06, Eliezer Croitoru wrote:
> For how many clients are you having the problem?
>
> What Linux distribution are you using for the proxy? I remember that I
> had a similar problem with tproxy (not tplink specific) on CentOS and
> Fedora.
>
> Is there a specific reason for the "2>&1" in the tproxy mark?
> Is port 5128 the port for tproxy?
>
> Are there any other routing tables on the machine?
>
> Have you tried to connect a machine directly to the squidbox switch
> and use it as a default gateway?
>
> Eliezer
>
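As an added example (not part of the thread or of Squid), a small Python script that applies the tshark observation above to a capture: it sorts each client-side TCP handshake into "syn" (no SYN/ACK seen), "synack" (SYN/ACK seen, final ACK missing) or "established", so the hosts stuck in the second state, like the TP-Link clients Daniel describes, can be counted per source address. The packet lines are constructed, in a simplified `src:port > dst:port flags` layout rather than real tshark output, and use documentation addresses.

```python
# Classify TCP handshakes from a packet list and report clients whose
# final ACK never arrived after the SYN/ACK (the symptom seen in tshark).
# Constructed sample, simplified layout "src:sport > dst:dport flags";
# flags is a string of S (SYN) and/or A (ACK). Not real tshark output.
SAMPLE = """\
192.0.2.5:40001 > 198.51.100.10:80 S
198.51.100.10:80 > 192.0.2.5:40001 SA
192.0.2.5:40001 > 198.51.100.10:80 A
192.0.2.7:51000 > 198.51.100.10:80 S
198.51.100.10:80 > 192.0.2.7:51000 SA
192.0.2.7:51001 > 198.51.100.10:80 S
198.51.100.10:80 > 192.0.2.7:51001 SA
192.0.2.9:6000 > 198.51.100.10:80 S
"""


def parse_line(line):
    """Split one sample line into (src_ip, src_port, dst_ip, dst_port, flags)."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), set(flags)


def handshake_states(text):
    """Map (client_ip, client_port, server_ip, server_port) to its state."""
    states = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sip, sport, dip, dport, flags = parse_line(line)
        if "S" in flags and "A" not in flags:        # client SYN
            states[(sip, sport, dip, dport)] = "syn"
        elif "S" in flags and "A" in flags:          # server SYN/ACK
            key = (dip, dport, sip, sport)
            if states.get(key) == "syn":
                states[key] = "synack"
        elif "A" in flags:                            # bare ACK from client
            key = (sip, sport, dip, dport)
            if states.get(key) == "synack":
                states[key] = "established"
    return states


def stuck_clients(text):
    """Count, per client IP, handshakes that stopped after the SYN/ACK."""
    counts = {}
    for (cip, _, _, _), state in handshake_states(text).items():
        if state == "synack":
            counts[cip] = counts.get(cip, 0) + 1
    return counts
```

Run against a real capture by converting it to the same `src:port > dst:port flags` layout; a client showing up in `stuck_clients` is one whose final ACK is not reaching the proxy, while a flow left in state "syn" indicates the SYN/ACK itself never went out.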
Received on Thu May 03 2012 - 00:01:47 MDT

This archive was generated by hypermail 2.2.0 : Thu May 03 2012 - 12:00:02 MDT