RE: [squid-users] Linux + TPROXY + Remote Squid

From: Thomas York <straterra_at_fuhell.com>
Date: Tue, 29 May 2012 09:49:41 -0400

Is any more information needed?

-- Thomas York

-----Original Message-----
From: Thomas York [mailto:straterra_at_fuhell.com]
Sent: Friday, May 25, 2012 1:37 PM
To: giles_at_coochey.net; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Linux + TPROXY + Remote Squid

I forgot one detail. I have an iptables rule BEFORE the PREROUTING
divert/tproxy iptables rules on the router. I added an accept so that HTTP
traffic from the proxy doesn't get tagged and rerouted to the proxy.

Here's the rule set I have for the firewall:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -s 10.0.1.1 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

-- Thomas York

-----Original Message-----
From: Thomas York [mailto:straterra_at_fuhell.com]
Sent: Friday, May 25, 2012 1:32 PM
To: 'Giles Coochey'; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Linux + TPROXY + Remote Squid

No. The router has three interfaces. One goes to the internet and has a
default route. I am running NAT on this interface so that the firewall,
proxy and clients can reach the internet. The second is a single /24 network
(10.0.1.0/24) that has only the proxy and the firewall on it. The third is a
single /24 (10.1.1.0/24) that has a single Windows 7 client on it for
generating HTTP requests and testing. I'm tagging the packets on the
firewall and running them through a separate routing table, which sends the
packets to the proxy (without NAT-ing). The proxy and the firewall see the
routed packets perfectly fine. I'm not doing any kind of iptables rules on
the proxy, however.

-----Original Message-----
From: Giles Coochey [mailto:giles_at_coochey.net]
Sent: Friday, May 25, 2012 11:12 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Linux + TPROXY + Remote Squid

On 25/05/2012 15:35, Thomas York wrote:
> I have a lab environment set up using two Debian Wheezy servers (Squeeze
> doesn't have a new enough kernel or iptables to do TPROXY properly). One of
> the servers is a router and the other is a proxy server. There are several
> clients connected to the router to simulate a production routing
> environment. If I have both the TPROXY redirection and Squid on the same
> server, Squid handles the requests and everything works perfectly. However,
> this isn't how I want the proxy to be configured in our production
> environment. I've changed my iptables rules on the router to redirect all
> tagged 1 packets to the proxy server. This is working perfectly fine and I
> can see the data being routed to the proxy server using tcpdump on both the
> router and the proxy. However, Squid on the proxy server doesn't seem to
> 'see' the data being routed and doesn't do anything with it. I have
> "http_port 3129 tproxy" set on the proxy server. Is there anything special I
> need to do using iptables on the proxy server?
>
> Both servers are running kernel 3.2.0-2-amd64 and iptables 1.4.13 from
> Wheezy and the Squid being used on the proxy is 3.1.19. If any more
> information is needed, please just let me know and I'd be happy to supply
> it. Thanks.
>
> --Thomas York
Are you Source-NAT'ing the redirect from the Router?
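The thread shows only the router-side rule set; the proxy host, where the question says no iptables rules are applied, needs its own mangle chain plus the policy-routing entries that let the kernel hand packets addressed to foreign IPs to Squid's tproxy listener. The script below is an added example written for this page, not code from the thread or from the Squid project; routing table 100, fwmark 1 and the ingress interface name eth1 are assumptions, and the commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Proxy-host side of a split TPROXY setup: the router on the 10.0.1.0/24 link
# policy-routes marked port-80 traffic here, and Squid listens with
# "http_port 3129 tproxy". Table 100, mark 1 and eth1 are assumptions; any
# unused table number and fwmark work as long as they are used consistently.
# Commands are echoed unless DRY_RUN=0 (applying them requires root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

proxy_host_rules() {
    # Packets arriving here are addressed to arbitrary Internet hosts, so the
    # normal routing table would forward or drop them. Marked packets are
    # looked up in table 100 instead, which declares every destination local
    # and delivers them to the TPROXY-bound socket on lo.
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100

    # Reverse-path filtering discards the foreign-source packets a TPROXY host
    # has to accept; relax it on the ingress interface (eth1 is assumed).
    run sysctl -w net.ipv4.conf.eth1.rp_filter=0

    # Same DIVERT/TPROXY chain as on the router. The socket match catches
    # packets of connections Squid already owns and just re-marks them, so
    # they follow table 100 instead of being TPROXY'd a second time.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
}

proxy_host_rules
```

Run with DRY_RUN=0 as root on the proxy host to apply; with the default DRY_RUN=1 it only prints the eight commands for review.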

Received on Tue May 29 2012 - 13:49:54 MDT

This archive was generated by hypermail 2.2.0 : Wed May 30 2012 - 12:00:06 MDT