Re: [squid-users] Not routing from tproxy to internet

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 Feb 2013 03:39:24 +1300

On 6/02/2013 1:02 a.m., Paris Charalampou wrote:
> Hi,
>
> I have the following problem while trying to setup a squid in tproxy
> mode for a centralized solution. Our topology is:
>
> client -> R1 -> squid -> R1 -> Internet
>
> Note that server uses a public ip address which is the same for incoming
> and outgoing connections
Note that TPROXY hides the Squid server from both client and Internet
servers. So its IP is irrelevant here. Case in point is that its
receiving IP is 127.0.0.1 in your configuration (how could clients or
servers send/receive traffic directly to another machines 127.0.0.1?).

> I am using squid 3.2.6 [tried 3.2.7 without luck] in Debian Wheezy with
> linux kernel 3.2 and iptables 1.4.14
>
> Squid.conf
> --
> workers 1
> debug_options ALL,4
>
> client_db off
>
> http_port 80 tproxy

80 is not a good port for this. Make it something random and firewall
REJECT all external traffic to that port in the mangle table. That will
prevent some traffic loops caused by external routing, and several types
of malicious attacks.

> http_port 8080
> icp_port 0
>
>
> iptables
> ---
> iptables -t mangle -F
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -i lo -j ACCEPT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -s <server_ip_address> -j ACCEPT
> iptables -t mangle -A PREROUTING -i lo -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port 80
>
>
> Do I have to use WCCP on the router standing between the proxy and the
> internet??

No. WCCP is separate to TPROXY. Why do you ask? Is it involved elsewhere?

> I cannot route the packets from the proxy to the edge router
> while I can see incoming http packets from the clients. All incoming
> connections time out while waiting for the reply from the destination server

Why not? Route all packets normally on the Squid box as if it were a
simple relay. The TPROXY rules above are the only abnormal part.

PS. Take care that rp_filter and similar filtering limitations are
permitting the Squid box to emit packets from external machines' IPs.

Amos
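The script below is an added example, not code from Amos or from the original poster. It takes the posted ruleset and applies the three points raised in the reply: a random high port for `http_port <port> tproxy` instead of 80, a mangle-table rule that stops external hosts from reaching that listener directly (DROP is used because the REJECT target is only accepted in the filter-table chains), and rp_filter relaxed so the Squid box may emit packets carrying other machines' source addresses. It also emits the fwmark policy route that the Linux TPROXY target requires, which the thread does not mention. It prints the commands rather than applying them, so the output can be reviewed before being run as root; the interface name `eth0` and the address `203.0.113.10` are constructed placeholders.

```shell
#!/bin/sh
# Generator for a hardened Squid TPROXY ruleset (added example, not from the
# thread). Prints the commands instead of applying them so the result can be
# diffed and reviewed. Interface, Squid box IP and port are caller-supplied.

# Pick a random unprivileged port for "http_port <port> tproxy" so that the
# intercept listener is not sitting on a well-known port.
random_port() {
  awk 'BEGIN { srand(); print 20000 + int(rand() * 40000) }'
}

# tproxy_rules ONPORT EXT_IF SERVER_IP
# Validates ONPORT (numeric, unprivileged) and prints the sysctl, policy
# routing and mangle rules. Returns 1 on a bad port, e.g. 80.
tproxy_rules() {
  onport="$1"; ext_if="$2"; server_ip="$3"
  case "$onport" in
    ''|*[!0-9]*) echo "tproxy_rules: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$onport" -lt 1024 ] || [ "$onport" -gt 65535 ]; then
    echo "tproxy_rules: use an unprivileged port, not $onport" >&2; return 1
  fi
  cat <<EOF
# rp_filter must not discard packets leaving with foreign source addresses
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$ext_if.rp_filter=0
# Standard TPROXY policy route: packets marked 1 are delivered locally
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -i lo -j ACCEPT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -s $server_ip -j ACCEPT
iptables -t mangle -A PREROUTING -i lo -j ACCEPT
# Nothing arriving from outside may reach the intercept listener directly
iptables -t mangle -A PREROUTING -p tcp --dport $onport -j DROP
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port $onport
EOF
}

# Usage with constructed placeholder values:
#   tproxy_rules "$(random_port)" eth0 203.0.113.10
```

The DROP rule sits after the loopback ACCEPT and before the `-m socket` match, so Squid's own loopback traffic and the intercepted client flows (whose wire destination port stays 80) are unaffected; only packets whose real destination is the listener port are discarded.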
Received on Tue Feb 05 2013 - 14:39:32 MST
