Re: [squid-users] tproxy configuration

From: Roman Gelfand <rgelfand2_at_gmail.com>
Date: Sun, 24 Feb 2013 21:00:43 -0500

Amos,

Do you have an idea as to what I am doing wrong here?

Thanks,

On Fri, Feb 22, 2013 at 12:40 PM, Roman Gelfand <rgelfand2_at_gmail.com> wrote:
> Thanks for taking time to help me out.
>
> If I understood you correctly, I think I made the changes you
> mentioned including iptables -A FORWARD -i eth0 -j ACCEPT line.
>
> still no luck. Below are the diagnostics.
>
> Chain PREROUTING (policy ACCEPT 13 packets, 8499 bytes)
> pkts bytes target prot opt in out source destination
> 337 93649 ACCEPT all -- any any anywhere 192.168.8.21
> 226 48201 DIVERT tcp -- any any anywhere anywhere socket
> 0 0 TPROXY tcp -- any any anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3228 mark 0x1/0x1
> 0 0 TPROXY tcp -- any any anywhere anywhere tcp dpt:https TPROXY redirect 0.0.0.0:3229 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 576 packets, 150K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 644 packets, 135K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 644 packets, 135K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain DIVERT (1 references)
> pkts bytes target prot opt in out source destination
> 226 48201 MARK all -- any any anywhere anywhere MARK set 0x1
> 226 48201 ACCEPT all -- any any anywhere anywhere
>
>
> On Fri, Feb 22, 2013 at 2:14 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
>>>
>>> On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>> wrote:
>>>>
>>>> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>>>>
>>>>> Please find below the network topology, squid.conf and rc.local
>>>>> configuration files. It appears that squid is not routing the
>>>>> http requests. I am not sure what I am doing wrong here.
>>>>> Please note, the same squid.conf works as a transparent proxy (non
>>>>> tproxy), with the exception of the tproxy keyword and service changes.
>>>>> Thanks in advance,
>>>>>
>>>>> WAN
>>>>> ||
>>>>> || wccp/gre tunnel
>>>>> squid 3.3 ============================== Fortigate FW/RT   Int ip 1 192.168.8.1
>>>>> ip: 192.168.8.21                          ||                Int ip 2 192.168.11.1
>>>>>                                           ||                Ext ip XX.XX.XXX.24
>>>>> ||
>>>>> ||
>>>>> WLAN Router   Int. ip 192.168.11.32   Ext. ip 192.168.7.1
>>>>> ||
>>>>> ||
>>>>> Client Workstation 192.168.7.110
>>>>>
>>>>>
>>>>> #!/bin/sh -e
>>>>> #
>>>>> # rc.local
>>>>> #
>>>>> # This script is executed at the end of each multiuser runlevel.
>>>>> # Make sure that the script will "exit 0" on success or any other
>>>>> # value on error.
>>>>> #
>>>>> # In order to enable or disable this script just change the execution
>>>>> # bits.
>>>>> #
>>>>> # By default this script does nothing.
>>>>> # GRE Tunnel :
>>>>> echo "Loading modules.."
>>>>> # TPROXY target, socket and mark matches, and GRE for the WCCP tunnel
>>>>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>>>>
>>>>> LOCALIP="192.168.8.21"
>>>>> FORTIDIRIP="192.168.8.1"
>>>>> FORTIIPID="XX.XX.XXX.254"
>>>>> echo "changing routing and reverse path stuff.."
>>>>> # Reverse path filtering is only disabled on lo here
>>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>
>>>>
>>>> What about rp_filter on eth0 where the traffic is actually exiting the
>>>> Squid box?
>>>
>>> Could you elaborate on this?
>>
>>
>> What rp_filter does is prevent packets from local software using that
>> interface from using IP addresses that do not belong to that box.
>>
>> The purpose of TPROXY is to spoof the _client's_ IP address on outgoing
>> traffic, which does not leave the machine on lo, but through eth0 or some
>> other interface.
>>
>>
>> Amos
Received on Mon Feb 25 2013 - 02:00:50 MST
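The rp_filter point raised in the quoted exchange, as an added example that is not part of this thread or of Squid: a POSIX sh script that reports the effective reverse-path-filter setting on every interface (the kernel uses the larger of conf/all and conf/<iface>, so clearing lo alone does nothing while conf/all is 1), prints the sysctl commands that clear it, and lists the mangle/policy-routing rule set behind the counters posted above. The SYSROOT variable, the function names and the report switch are assumptions made for this example; the two `ip rule`/`ip route` lines are the ones the Squid wiki TPROXY setup uses and are not shown in the thread; addresses and ports are the thread's own.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks the kernel's effective
# rp_filter setting on every interface (not only lo, which is all the
# posted rc.local touches) and prints the commands needed to turn it off,
# plus the mangle/policy-routing rule set the posted counters correspond to.
# SYSROOT is an assumed knob that lets the checks run against a constructed
# /proc tree; leave it empty on a real box.
SYSROOT="${SYSROOT:-}"

# Raw rp_filter value for one interface: 0 = off, 1 = strict, 2 = loose.
# A missing file (interface not present) is treated as 0.
rp_filter_of() {
    cat "$SYSROOT/proc/sys/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0
}

# The kernel validates a source address with max(conf/all, conf/<iface>),
# so setting lo alone to 0 changes nothing while conf/all is 1.
effective_rp_filter() {
    all=$(rp_filter_of all)
    own=$(rp_filter_of "$1")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Interfaces whose effective rp_filter is still on. Spoofed-source TPROXY
# traffic crosses eth0 and the GRE tunnel, so every one listed here matters.
rp_filter_offenders() {
    for d in "$SYSROOT"/proc/sys/net/ipv4/conf/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        [ "$(effective_rp_filter "$i")" -ne 0 ] && echo "$i"
    done
    return 0
}

# sysctl commands that clear rp_filter on conf/all and on each offender.
rp_filter_fix_commands() {
    echo "sysctl -w net.ipv4.conf.all.rp_filter=0"
    for i in $(rp_filter_offenders); do
        echo "sysctl -w net.ipv4.conf.$i.rp_filter=0"
    done
}

# The rule set behind the posted counters (accept traffic to the Squid box
# itself, DIVERT chain with mark 0x1, TPROXY redirects to ports 3228/3229),
# followed by the policy-routing lines from the Squid wiki TPROXY setup for
# the marked packets (assumed, not shown in the thread). Printed, not
# applied: review them, then run as root.
tproxy_rule_commands() {
    cat <<'EOF'
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -d 192.168.8.21 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Human-readable summary; run the script with --report on the Squid box.
report() {
    echo "interfaces with rp_filter still active:"
    rp_filter_offenders | sed 's/^/  /'
    echo "to clear them:"
    rp_filter_fix_commands | sed 's/^/  /'
    echo "TPROXY rule set for reference:"
    tproxy_rule_commands | sed 's/^/  /'
}

case "${1-}" in --report) report ;; esac
```

Run it as `sh tproxy-check.sh --report`; an empty "still active" list is what the posted rc.local should produce on every interface the intercepted traffic crosses, not only lo.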

This archive was generated by hypermail 2.2.0 : Tue Feb 26 2013 - 12:00:04 MST