Re: [squid-users] Re: transparent proxy on remote box issue

From: Amos Jeffries <>
Date: Thu, 31 Oct 2013 19:32:12 +1300

On 31/10/2013 7:38 a.m., WorkingMan wrote:
> I hope I can refocus this question to the real problem.
> I am currently have a working VPN setup but once I add my policy routing
> rules it breaks the client's port 80 connection (everything else still good,
> apps still work. I don't any traffic going to my SQUID server.
> First of all I don't use cache. I read
> but it says "Please realize that this just gets the packets to the cache;
> you have to then configure interception on the cache itself to redirect
> traffic to the Squid TCP port!". Do I have to do that if I don't use
> cache (it didn't say what to do)?

"cache" is still used in a lot of places to mean "proxy". This was one
of them.
(I've updated the config wording now.)

> Steps taken:
> #policy routing kernel requirement - OK
> #grep CONFIG_IP_ADVANCED_ROUTER /boot/config-$(uname -r)
> #grep CONFIG_IP_MULTIPLE_TABLES /boot/config-$(uname -r)
> #CONFIG_IP_ROUTE_FWMARK is deprecated in option but enabled by default
> #they say rp_filer can mess up policy routing so disabled it - OK
> /etc/sysctl.conf
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> #executed following with my own IPs and table names - breaks connection
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
> iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT
> echo "201 http" >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table http
> ip route add default via $SQUID table http
> ip route table list http (OK):
> default via $SQUID dev eth0
> ip route (OK):
> default via dev eth0
> dev eth0 proto kernel scope link src $VPN
> route -n (OK):
> Destination Gateway Genmask Flags Metric Ref Use Iface
> UG 0 0 0 eth0
> U 0 0 0 eth0
> ip rule (OK):
> 0: from all lookup local
> 219: from all fwmark 0x2 lookup http
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
> The short summary is that once I add
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
> VPN client's http traffic is broken. I am not able to determine where
> the traffic is lost/dropped/redirected to (nothing showing on SQUID server).

Some questions that might lead you in a useful direction for solving this:
* is eth0 the right interface to be operating with?
   does VPN have an interface of its own with better results?
   is there something special you have to add on top of all this to make
it work over a VPN connection?
(all the testing done so far has been on regular ethernet and wireless

* when the packets go from client to Squid to Internet they are still
labeled by TPROXY as having come from the client IP. What path do they
take back to the client?
    is Squid box with its TPROXY logics on that return path?

Received on Thu Oct 31 2013 - 06:32:23 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 31 2013 - 12:00:08 MDT