[squid-users] Re: transparent proxy on remote box issue

From: WorkingMan <signup_mail2002_at_yahoo.com>
Date: Wed, 30 Oct 2013 18:38:36 +0000 (UTC)

I hope I can refocus this question to the real problem.

I currently have a working VPN setup, but once I add my policy routing
rules it breaks the client's port 80 connection (everything else is still good,
apps still work). I don't see any traffic going to my SQUID server.

First of all I don't use cache. I read
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
but it says "Please realize that this just gets the packets to the cache;
you have to then configure interception on the cache itself to redirect
traffic to the Squid TCP port!". Do I have to do that if I don't use
cache (it didn't say what to do)?

Steps taken:

#policy routing kernel requirement - OK
#grep CONFIG_IP_ADVANCED_ROUTER /boot/config-$(uname -r)
#grep CONFIG_IP_MULTIPLE_TABLES /boot/config-$(uname -r)
#CONFIG_IP_ROUTE_FWMARK is deprecated in option but enabled by default

#they say rp_filter can mess up policy routing so disabled it - OK
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

#executed following with my own IPs and table names - breaks connection

#don't mark Squid's own outbound port 80 traffic (it must not be routed back to itself)
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
#mark client port 80 traffic arriving on eth0
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
#stop mangle processing for already-marked packets
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
#let the marked packets be forwarded back out eth0 towards $SQUID
iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT
#routing table 201 named "http", consulted only for packets with fwmark 2
echo "201 http" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table http
ip route add default via $SQUID table http

ip route list table http (OK):

default via $SQUID dev eth0

ip route (OK):

default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src $VPN

route -n (OK):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

ip rule (OK):

0: from all lookup local
219: from all fwmark 0x2 lookup http
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

The short summary is that once I add

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2

VPN client's http traffic is broken. I am not able to determine where
the traffic is lost/dropped/redirected to (nothing showing on SQUID server).
Received on Wed Oct 30 2013 - 18:39:01 MDT
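Added example (editor's, not code from the post or from the Squid wiki). The wiki sentence quoted in the post is about the Squid host: "the cache" in Squid documentation is the Squid box itself, so the redirect step is needed on $SQUID whether or not it caches anything. Without it the policy-routed packets arrive there still addressed to the origin server, and a host that is not the destination either forwards or drops them; Squid never sees them. The script below prints that missing half of the setup (as commands, not applied) and adds a counter-based check for the other open question in the post, namely where the marked packets stop on the router. The interface names, the 3129 intercept port and the sample iptables counter output are assumptions made for the demonstration; nothing in it needs root.

```shell
#!/bin/sh
# Added example, not from the post or the Squid wiki. The rules are printed,
# not applied, and the counters are read from constructed sample output.
# Assumptions: eth0 as interface name, 3129 as Squid intercept port.

# --- Squid host side: the step the wiki calls "configure interception on
# the cache itself". Run on the Squid host, not on the VPN router.
squid_host_rules() {
    port=$1   # Squid intercept port (assumption: 3129)
    in_if=$2  # interface the policy-routed packets arrive on (assumption)
    cat <<EOF
# packets arrive with the origin server as destination; rewrite them to Squid
iptables -t nat -A PREROUTING -i $in_if -p tcp --dport 80 -j REDIRECT --to-ports $port
# and in squid.conf, on a port separate from the normal forward-proxy port:
#   http_port $port intercept
EOF
}

# --- Router side diagnostics ---
# Print the packet counter of the first rule matching PATTERN in
# "iptables -t <table> -L <chain> -v -n -x" output read from stdin (0 if none).
rule_pkts() {
    awk -v pat="$1" 'BEGIN { n = 0 } $0 ~ pat { n = $1; exit } END { print n }'
}

# Decide from two counters (mangle MARK rule, filter FORWARD rule) where the
# clients' port-80 packets stop on the router.
classify_stage() {
    mark_pkts=$1
    fwd_pkts=$2
    if [ "$mark_pkts" -eq 0 ]; then
        # MARK never matched: the packets do not enter on the interface named
        # in -i (VPN clients usually arrive on a tun/ppp interface, not eth0),
        # or they are not TCP dport 80 by the time they reach PREROUTING
        echo "not-marked"
    elif [ "$fwd_pkts" -eq 0 ]; then
        # marked, but FORWARD never saw them: routing decision or rp_filter on
        # the router; check the forward path the kernel actually takes with
        #   ip route get <dst> from <client-ip> iif <vpn-if> mark 2
        echo "dropped-on-router"
    else
        # they left the router towards $SQUID: look on the Squid host next
        # (tcpdump -ni eth0 tcp port 80, then the nat PREROUTING counters)
        echo "left-router"
    fi
}

# Constructed sample output, shaped like "iptables -t mangle -L PREROUTING -v -n -x"
# and "iptables -L FORWARD -v -n -x" on the router (values are made up).
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       10.0.0.5             0.0.0.0/0            tcp dpt:80
      42       2520 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
      42       2520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2'
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Demonstration on the samples; on the real router replace each printf with
# the iptables command named above.
mark_pkts=$(printf '%s\n' "$SAMPLE_MANGLE"  | rule_pkts 'MARK set 0x2')
fwd_pkts=$(printf '%s\n' "$SAMPLE_FORWARD" | rule_pkts 'tcp dpt:80')
echo "MARK hits: $mark_pkts, FORWARD hits: $fwd_pkts -> $(classify_stage "$mark_pkts" "$fwd_pkts")"
squid_host_rules 3129 eth0
```

The point of reading the counters rather than guessing is that each iptables rule in the post is a stage the packet either reaches or does not: a rising MARK counter with a flat FORWARD counter puts the loss on the router's routing decision, which `ip route get ... iif <vpn-if> mark 2` then shows table by table; a rising FORWARD counter moves the search to the Squid host, where the nat REDIRECT rule and `http_port ... intercept` have to exist for anything to show up in Squid's logs.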