[squid-users] Re: transparent proxy on remote box issue

From: WorkingMan <signup_mail2002_at_yahoo.com>
Date: Mon, 28 Oct 2013 17:38:37 +0000 (UTC)

> That line above the headers is showing the problem:
>
> HTTP Client local=<SQUID IP>:3130 remote=<VPN server>:65090 FD 10
> flags=1
>
> local= contains the details of www.nba.com server where the request is
> being fetched .... original dst IP:port from the TCP packets.
> remote= contains the client src IP:port from the TCP packets.
>
> Your NAT is still being done at the client end of the connection before
> it reaches the Squid box. This is THE problem. Move the NAT rules.
>
> 1) the client end of the VPN needs to contain the routing and MARK rules
> from section 6.2 of that page.
>
> 2) the VPN tunnel needs to deliver those packets directly onto the Squid
> box. Avoiding any problems ECN may cause with routing the packets.
>
> 2a) at this point you should still be able to browse the web without
> problems. However your packets should be going over the VPN without any
> browser or test tool mention of the Squid box IP.
>
> 3) the Squid box needs to contains the REDIRECT rule from section 6.2 on
> that page, and probably the MASQUERADE rule from section 6.3. Squid
> needs the "intercept" http_port option.
>
> 3a) at this point you should still be able to browse the web without
> problems using *identical* tests to those made in (2a) when there was no
> proxy used. However the traffic should be logged in Squid access.log.
>
> <skipping the rest of your Qs because the necessary info is already
> logged in those lines above>
>
> Amos
>
>

Thanks for detailed analysis. So I did some test and could not resolve the
issue.

First of all I moved to use EC2 instance using VPC so all my servers are
under the same subnet (10.0.1.0/24) that fixes the ip route command issue
but it didn't help.

I went with this guide http://lartc.org/howto/lartc.cookbook.squid.html)
since it's close to what I want in terms of routing and it doesn't involve
NAT (I don't have additional NAT in this subnet since it can access internet
directly). This guide is almost the same to the other one (same idea).

Result:

1) before anything I made sure my VPN client can access the internet
normally - works

2) apply policy based changes and two thing happen:
2a) no port 80 traffic is going to SQUID server
2b) client can't navigate the internet (I can ping the hostname but browser
can't load the page; tshark show traffic going to the web site but there is
nothing coming back; normally after DNS name resolution web server talks
back to the client).

Rules I used:

iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 -j MARK --set-
mark 2
echo 202 http >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table http
ip route add default via <SQUID IP> dev eth0 table http
ip route flush cache

All the apps I am using on my phone still seems to works (I assume non port
80 still work fine, great).

Additionally when I add the word "intercept" my curl - http://<SQUID
IP>:3130 www.nba.com always return access denied (deny all requests).

Thanks alot
Thanks,
Received on Mon Oct 28 2013 - 17:39:04 MDT

This archive was generated by hypermail 2.2.0 : Mon Oct 28 2013 - 12:00:12 MDT