Re: [squid-users] fedora12_tproxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 30 Jun 2013 19:47:10 +1200

On 30/06/2013 7:37 p.m., z fazli wrote:
> When you type "hostname" on the command line of that server what shows up?
> localhost.localdomain
>
> I am using a virtual machine, and its network setting is in bridge
> mode. squid transparent mode works with this hostname.
>
> 1) how you are testing it... you MUST test it by being a client which
> is intercepted. Send your requests to port 80, *do not* send requests
> directly to the Squid listening port.
>
>
> for testing, in the proxy setting of firefox, set http_proxy to
> 10.1.110.83 and port 3129
>
> when I set port to 80, it browses pages without error but the log file does not
> change; it seems squid is not doing anything.

When you configure firefox with port 3129 (the TPROXY port), the packet
destination IP:port is 10.1.110.83:3129. Squid receiving these packets
accepts the request and relays it to 10.1.110.83:3129 ... Squid on
receiving these packets accepts the request and sends it to .. HALT.
forwarding loop error.

See the problem?

You must test with firefox going directly to the test website on its
port 80. If your routing and TPROXY rules are not even capturing your
test traffic properly they are not going to work for any of your real
clients traffic either.

> 2. the packet routing and TPROXY rules .... ensure that only traffic
> *from* the clients or *from* the Internet is being intercepted.
> Packets leaving Squid in either direction MUST NOT be intercepted back
> into your Squid
>
> I used these rules:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
>
>

That looks okay for the iptables rules sending packets to Squid once they
enter the machine. However there are routing, forwarding, RP filter, and
maybe bridge (ebtables) rules as well for passing the packets around
between machines.

Amos
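The routing, forwarding and RP-filter plumbing that Amos says must sit around the poster's iptables rules, written out as an added example (this is not code from the thread or from the Squid project). It assumes the Squid host 10.1.110.83 with "http_port 3129 tproxy", clients arriving on eth1, fwmark 1 and routing table 100; all of those are assumptions, adjust them to your box. Without APPLY=1 it only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread: the policy routing, sysctl and
# iptables rules needed around a TPROXY Squid. Assumed values below.

SQUID_IP=${SQUID_IP:-10.1.110.83}   # assumed Squid host (from the thread)
TPROXY_PORT=${TPROXY_PORT:-3129}    # assumed "http_port 3129 tproxy"
CLIENT_IF=${CLIENT_IF:-eth1}        # assumed client-facing interface
MARK=1                              # fwmark used by DIVERT and TPROXY
TABLE=100                           # routing table for marked packets

# Execute with APPLY=1 (as root); otherwise just print each command.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

tproxy_rules() {
    # Policy routing: marked packets are delivered to the local stack
    # via lo instead of being forwarded on to their real destination.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"

    # The box must forward, and strict reverse-path filtering must be
    # off: Squid spoofs the client's source address on its outbound
    # connections, so strict rp_filter would silently drop the replies.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$CLIENT_IF.rp_filter=0"

    # DIVERT: packets that already belong to a local socket (the web
    # server's replies to Squid's spoofed connections) are marked and
    # accepted immediately, so they reach Squid and never hit TPROXY.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # Intercept port 80 only when it arrives from the client side and
    # never when it carries Squid's own address, so nothing Squid emits
    # can be fed back into Squid (the forwarding loop described above).
    run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
        ! -s "$SQUID_IP" -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

tproxy_rules
```

Test it the way Amos describes: from a client behind the client-facing interface, fetch a site on port 80 (no proxy configured in the browser, never port 3129) and watch the request appear in Squid's access.log. If the bridge is doing the forwarding, the bridged traffic also has to be handed to the IP layer with ebtables brouting rules before any of the above sees it.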
Received on Sun Jun 30 2013 - 07:47:16 MDT

This archive was generated by hypermail 2.2.0 : Sun Jun 30 2013 - 12:00:08 MDT