Re: [squid-users] tproxy configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Feb 2013 20:14:03 +1300

On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
> On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>> Please find below the network topology, squid.conf and rc.local
>>> configuration files. It appears that squid is not routing the
>>> http requests. I am not sure what I am doing wrong here.
>>> Please note, the same squid.conf works on transparent proxy (non
>>> tproxy), with the exception of the tproxy keyword and service changes.
>>> Thanks in advance,
>>>
>>> WAN
>>> ||
>>> ||
>>> wccp/gre tunnel ||
>>> squid==============================Fortigate FW/RT Int ip 1 192.168.8.1
>>> 3.3 || Int ip 2 192.168.11.1
>>> ip: 192.168.8.21 || Ext ip XX.XX.XXX.24
>>> ||
>>> ||
>>> WLAN Router Int. ip
>>> 192.168.11.32 Ext. ip 192.168.7.1
>>> ||
>>> ||
>>> ||
>>> Client Workstation 192.168.7.110
>>>
>>>
>>> #!/bin/sh -e
>>> #
>>> # rc.local
>>> #
>>> # This script is executed at the end of each multiuser runlevel.
>>> # Make sure that the script will "exit 0" on success or any other
>>> # value on error.
>>> #
>>> # In order to enable or disable this script just change the execution
>>> # bits.
>>> #
>>> # By default this script does nothing.
>>> # GRE Tunnel :
>>> echo "Loading modules.."
>>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>>
>>> LOCALIP="192.168.8.21"
>>> FORTIDIRIP="192.168.8.1"
>>> FORTIIPID="XX.XX.XXX.254"
>>> echo "changing routing and reverse path stuff.."
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>
>> What about rp_filter on eth0 where the traffic is actually exiting the Squid
>> box?
> Could you elaborate on this?

What rp_filter does is prevent packets from local software using that
interface from using IP addresses that do not belong to that box.

The purpose of TPROXY is to spoof the _client's_ IP address on
outgoing traffic, which does not leave the machine on lo, but through
eth0 or some other interface.

Amos
Received on Fri Feb 22 2013 - 07:14:18 MST
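The point Amos makes above is easy to get wrong in a script like the poster's rc.local, because the kernel applies the larger of `conf/all/rp_filter` and `conf/<iface>/rp_filter` to each interface, so clearing it on lo alone changes nothing while `all` or `eth0` still have it set. The following is an added example, not code from the thread or from the Squid project: a small POSIX shell checker that reports every interface whose effective rp_filter is non-zero and would therefore reject the spoofed client-source packets TPROXY emits. The `PROC_ROOT` variable, the function names and the constructed `/proc` tree in `build_sample_tree` are my own assumptions so the script runs offline; on a real box leave `PROC_ROOT` unset.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces whose effective
# rp_filter would drop TPROXY traffic carrying a spoofed client address.
# Kernel rule: effective value = max(conf/all/rp_filter, conf/<iface>/rp_filter).
# PROC_ROOT is an assumption so the script can be pointed at a constructed tree.

PROC_ROOT="${PROC_ROOT:-/proc}"

# rp_filter_effective IFACE -> prints the effective rp_filter value (0, 1 or 2)
rp_filter_effective() {
    iface="$1"
    all_val=$(cat "$PROC_ROOT/sys/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    if_val=$(cat "$PROC_ROOT/sys/net/ipv4/conf/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# tproxy_rp_filter_offenders -> prints, one per line, every real interface
# (skipping the 'all' and 'default' pseudo-entries) with effective rp_filter != 0.
tproxy_rp_filter_offenders() {
    for dir in "$PROC_ROOT"/sys/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ "$(rp_filter_effective "$iface")" -ne 0 ] && echo "$iface"
    done
    return 0
}

# build_sample_tree DIR -> constructed fake /proc tree mirroring the poster's
# rc.local: rp_filter cleared on lo only, still enabled on 'all' and eth0.
build_sample_tree() {
    root="$1"
    for i in all default lo eth0; do
        mkdir -p "$root/sys/net/ipv4/conf/$i"
    done
    echo 1 > "$root/sys/net/ipv4/conf/all/rp_filter"
    echo 1 > "$root/sys/net/ipv4/conf/default/rp_filter"
    echo 0 > "$root/sys/net/ipv4/conf/lo/rp_filter"
    echo 1 > "$root/sys/net/ipv4/conf/eth0/rp_filter"
}

# Stand-alone demo against the constructed tree; set TPROXY_CHECK_NO_DEMO=1
# to source the functions without running it.
if [ -z "${TPROXY_CHECK_NO_DEMO:-}" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    PROC_ROOT="$tmp"
    echo "effective rp_filter on lo (all=1 overrides lo=0): $(rp_filter_effective lo)"
    echo "interfaces that would drop spoofed-source TPROXY traffic:"
    tproxy_rp_filter_offenders
    echo "fix: sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.eth0.rp_filter=0"
    rm -rf "$tmp"
fi
```

Because the maximum of the two values wins, the demo shows lo still reporting 1 even though the poster wrote 0 into its own rp_filter file; the interface the spoofed packets actually leave on (eth0 here) and `all` both have to be cleared, and the change belongs in sysctl.conf so it survives a reboot rather than only in rc.local.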