[squid-users] Re: TPROXY

From: alvarogp <alvarix.gp_at_gmail.com>
Date: Tue, 28 May 2013 04:12:10 -0700 (PDT)

Amos Jeffries-2 wrote
> On 28/05/2013 8:11 p.m., Amm wrote:
>> ________________________________
>>> From: alvarogp <alvarix.gp@>
>>> To: squid-users@
>>> Sent: Tuesday, 28 May 2013 1:28 PM
>>> Subject: [squid-users] Re: TPROXY
>>>
>>>
>>> alvarogp wrote
>>>> Hello,
>>>>
>>>> I have the next configuration:
>>>> - Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
>>>> - IPtables 1.4.12
>>>> - Squid 3.3.4 with Tproxy
>>>>
>>>> With Iptables I have configured the proxy to forward the traffic from
>>>> the local LAN (eth0) to the outside world (eth1). The configuration is:
>>>>
>>>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>>> iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> To configure and install Tproxy I have followed the tutorial described
>>>> in the wiki:
>>>>
>>>> ./configure --enable-linux-netfilter
>>>>
>>>> net.ipv4.ip_forward = 1
>>>> net.ipv4.conf.default.rp_filter = 0
>>>> net.ipv4.conf.all.rp_filter = 0
>>>> net.ipv4.conf.eth0.rp_filter = 0
>>>>
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> For squid.conf, I have kept the default configuration, adding to it:
>>>>
>>>> http_port 3128
>>>> http_port 3129 tproxy
>>>>
>>>> If Squid is running, the packets from the local LAN are routed
>>>> correctly and the web pages are shown perfectly. The problem I have is
>>>> that these accesses are not reflected in the access.log and cache.log,
>>>> so could it be that squid is not caching any cacheable content?
>> I have had exact same problem when I was trying TPROXY with similar
>> configuration.
>>
>> Squid would route packets but not LOG anything in access log.
>>
>> If I stop squid then clients can't access any website. (This indicates
>> that packets are indeed routing through squid.)
>
> access.log would indicate that none of them are actually making it to
> the Squid process.
>
> Perhaps the Ubuntu kernel version has a bug which makes the packets
> work when *some* process is listening on the required port, but the
> packets are actually not getting there.
>
> Or perhaps the TCP packets are sending the HTTP request through Squid and
> Squid is relaying it, but the response is not going back to Squid (direct back
> to the client). In that event Squid would wait for some time (read/write
> timeouts are 15 minutes long) before logging the failed HTTP
> transaction. That could be caused by some bad configuration on a router
> outside of the Squid machine.
>
> Amos

Thank you Amos, I will try another configuration in that case.

Alvaro

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660279.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Tue May 28 2013 - 11:12:28 MDT

This archive was generated by hypermail 2.2.0 : Tue May 28 2013 - 12:00:07 MDT
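Amos's two hypotheses (packets never reaching the Squid process, or replies bypassing it) can be narrowed down from three commands on the proxy box: the rp_filter sysctls the wiki setup disables, the packet counters on the mangle PREROUTING rules, and what is actually listening on the `--on-port`. The checker below is an added example and not code from the thread or the Squid project; it parses captured output of `sysctl`, `iptables -t mangle -L PREROUTING -v -n` and `ss -ltnp` (constructed samples embedded inline, with eth0's rp_filter deliberately left on) and reports the misconfigurations a defender would look for before blaming the kernel or an upstream router. The function names and the `lan_iface` parameter are this example's own; the policy-routing entries for fwmark 1 (`ip rule` / `ip route`) are outside what this script checks.

```python
"""Sanity-check a Squid TPROXY interception setup from captured command output."""
import re

# Constructed sample of `sysctl net.ipv4.ip_forward` and `sysctl -a | grep rp_filter`.
# eth0 still has reverse-path filtering enabled, which the wiki setup turns off.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
"""

# Constructed sample of `iptables -t mangle -L PREROUTING -v -n` after some browsing.
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 1520 packets, 210K bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 60121 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
  134  8040 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""

# Constructed sample of `ss -ltnp`: Squid listening on both http_port entries.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:3128       0.0.0.0:*     users:(("squid",pid=1234,fd=12))
LISTEN 0      128    0.0.0.0:3129       0.0.0.0:*     users:(("squid",pid=1234,fd=13))
"""

# One `iptables -v -n` rule line: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+\S+\s+(?P<target>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(?P<extra>.*)$"
)


def parse_sysctl(text):
    """Map 'key = value' lines to a dict of strings."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_mangle_prerouting(text):
    """Return the rules of the chain in order, with packet counters and match text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"pkts": int(m["pkts"]), "target": m["target"], "extra": m["extra"]})
    return rules


def listening_ports(ss_text):
    """Set of local TCP ports in LISTEN state from `ss -ltnp` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def check_tproxy(sysctl_text, mangle_text, ss_text, lan_iface="eth0"):
    """Return a list of human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    sysctl = parse_sysctl(sysctl_text)
    rules = parse_mangle_prerouting(mangle_text)
    ports = listening_ports(ss_text)

    if sysctl.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1: the box will not route LAN traffic at all")
    for key in ("net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter",
                f"net.ipv4.conf.{lan_iface}.rp_filter"):
        if sysctl.get(key) != "0":
            findings.append(f"{key} is {sysctl.get(key, 'unset')}, expected 0: reverse-path "
                            "filtering drops the spoofed-source packets TPROXY relies on")

    tproxy = [r for r in rules if r["target"] == "TPROXY"]
    divert = [r for r in rules if r["target"] == "DIVERT"]
    if not tproxy:
        findings.append("no TPROXY rule in mangle PREROUTING: port-80 traffic is forwarded, not intercepted")
    else:
        if tproxy[0]["pkts"] == 0:
            findings.append("TPROXY rule has matched 0 packets: client traffic is not reaching the rule")
        port = re.search(r"redirect\s+\S+:(\d+)", tproxy[0]["extra"])
        if port and int(port.group(1)) not in ports:
            findings.append(f"TPROXY redirects to port {port.group(1)} but nothing is listening there")
    if not divert:
        findings.append("no DIVERT (-m socket) rule: later packets of intercepted flows are not marked")
    elif tproxy and rules.index(divert[0]) > rules.index(tproxy[0]):
        findings.append("DIVERT rule comes after TPROXY: it must be first so established flows reuse their socket")
    elif tproxy and tproxy[0]["pkts"] > 0 and divert[0]["pkts"] == 0:
        findings.append("DIVERT rule has matched 0 packets while TPROXY matches: follow-up packets miss the socket match")
    return findings


if __name__ == "__main__":
    for finding in check_tproxy(SAMPLE_SYSCTL, SAMPLE_MANGLE, SAMPLE_SS) or ["no findings"]:
        print(finding)
```

On a real host, feed it the output of the three commands instead of the constructed samples; a TPROXY counter that grows while access.log stays empty is the signal that points at the reply path (Amos's second hypothesis) rather than at the redirect rules.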