RE: [squid-users] Linux + TPROXY + Remote Squid

From: Thomas York <straterra_at_fuhell.com>
Date: Fri, 25 May 2012 13:32:06 -0400

No. The router has three interfaces. One goes to the internet and has a
default route. I am running NAT on this interface so that the firewall, proxy
and clients can reach the internet. The second is a single /24 network
(10.0.1.0/24) that has only the proxy and the firewall on it. The third is a
single /24 (10.1.1.0/24) that has a single Windows 7 client on it for
generating HTTP requests and testing. I'm tagging the packets on the firewall
and running them through a separate routing table, which sends the packets to
the proxy (without NAT-ing). The proxy and the firewall see the routed packets
perfectly fine. I'm not doing any kind of iptables rules on the proxy,
however.

-----Original Message-----
From: Giles Coochey [mailto:giles_at_coochey.net]
Sent: Friday, May 25, 2012 11:12 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Linux + TPROXY + Remote Squid

On 25/05/2012 15:35, Thomas York wrote:
> I have a lab environment set up using two Debian Wheezy servers (Squeeze
> doesn't have a new enough kernel or iptables to do TPROXY properly). One of
> the servers is a router and the other is a proxy server. There are several
> clients connected to the router to simulate a production routing
> environment. If I have both the TPROXY redirection and Squid on the same
> server, Squid handles the requests and everything works perfectly. However,
> this isn't how I want the proxy to be configured in our production
> environment. I've changed my iptables rules on the router to redirect all
> tagged 1 packets to the proxy server. This is working perfectly fine and I
> can see the data being routed to the proxy server using tcpdump on both the
> router and the proxy. However, Squid on the proxy server doesn't seem to
> 'see' the data being routed and doesn't do anything with it. I have
> "http_port 3129 tproxy" set on the proxy server. Is there anything special I
> need to do using iptables on the proxy server?
>
> Both servers are running kernel 3.2.0-2-amd64 and iptables 1.4.13 from
> Wheezy and the Squid being used on the proxy is 3.1.19. If any more
> information is needed, please just let me know and I'd be happy to supply
> it. Thanks.
>
> --Thomas York
Are you Source-NAT'ing the redirect from the Router?

Received on Fri May 25 2012 - 17:32:20 MDT
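The thread asks whether the host running Squid needs its own iptables setup. As an added example (not part of the original messages): Linux TPROXY hands routed packets to a local socket only on a host that has a mangle-table TPROXY rule, a matching fwmark policy rule and a local route, so this check reads that host's `iptables-save -t mangle`, `ip rule` and `ip route show table N` output and reports which piece is absent. Port 3129 is from the thread; the sample outputs, mark 0x1 and table 100 are constructed.

```python
import re

def tproxy_gaps(mangle_save, ip_rules, table_routes, port=3129):
    """List the TPROXY prerequisites missing on the host that runs Squid.

    mangle_save:  output of `iptables-save -t mangle`
    ip_rules:     output of `ip rule`
    table_routes: {table name: output of `ip route show table <name>`}
    """
    mark = None
    for line in mangle_save.splitlines():
        on_port = re.search(r"--on-port (\d+)", line)
        tmark = re.search(r"--tproxy-mark (0x[0-9a-fA-F]+)", line)
        if "-j TPROXY" in line and on_port and tmark and int(on_port.group(1)) == port:
            mark = int(tmark.group(1), 16)
    if mark is None:
        # Without this rule the routed packets are forwarded or dropped; they
        # never reach the socket Squid opened for `http_port ... tproxy`.
        return [f"no mangle rule with -j TPROXY --on-port {port}"]
    gaps, table = [], None
    for line in ip_rules.splitlines():
        m = re.search(r"fwmark (0x[0-9a-fA-F]+)\S* lookup (\S+)", line)
        if m and int(m.group(1), 16) == mark:
            table = m.group(2)
    if table is None:
        gaps.append(f"no `ip rule` sending fwmark {mark:#x} to a routing table")
    elif not re.search(r"^local (default|0\.0\.0\.0/0) dev lo\b",
                       table_routes.get(table, ""), re.M):
        gaps.append(f"table {table} lacks `local default dev lo`")
    return gaps

# Constructed sample output from a hypothetical, fully configured proxy host.
MANGLE_OK = """*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
RULES_OK = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
ROUTES_OK = {"100": "local default dev lo scope host\n"}

if __name__ == "__main__":
    print("configured host:", tproxy_gaps(MANGLE_OK, RULES_OK, ROUTES_OK))
    print("host with no rules:", tproxy_gaps("", "", {}))
```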
