Re: [squid-users] Re: IPv6 + Intercept proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 31 Oct 2013 19:48:40 +1300

On 31/10/2013 9:18 a.m., WorkingMan wrote:
> Mike Cardwell <squid-users <at> lists.grepular.com> writes:
>
>> * on the Wed, Oct 23, 2013 at 05:14:00PM +1300, Amos Jeffries wrote:
>>
>>> For starters NAT has never been "transparent proxy". NAT is the lazy
>>> admin's replacement, using the proxy IP on outbound to avoid having to
>>> set up proper routing rules.
>>> For the real Transparent Proxy use TPROXY interception ("TPROXY" being
>>> an abbreviation of "transparent proxy").
>> Thanks. I was not aware of TPROXY. That sounds like a superior solution.
>>
>
> Anyone updated the guide with Squid 3.3 and a newer Linux kernel (3.11, e.g. with
> Ubuntu 13)?
>
> My coworker said the TPROXY way doesn't route the traffic to the remote host
> correctly.

True. TPROXY does not do routing at all, which may explain that.

Routing is additional configuration you must set up in the network to
allow TPROXY to do its thing without causing problems.

> He tried this a few months ago. I think we need an up-to-date guide on
> transparent proxy for remote hosts (with a concrete example that works). I
> followed too many guides that don't work.

TPROXY is not routing. It is packet interception: taking a packet from
the kernel TCP stack and delivering it to a local process running on
that machine, and taking packets from that same local process marked with a
special TPROXY flag and allowing them to be routed despite having a src
address of a different machine (spoofing is normally prohibited by the
kernel).

Simple really. But it places a lot of requirement pressure on the
networking and routing to handle the packets properly.

> The alternative for remote hosts is policy-based routing (if you followed my
> other thread on this for IPv4, but IPv6 should not be too different). But as I
> said before I am not able to make it work.

Unfortunately the policy routing is mandatory whenever there are
alternative routes for the packets to travel over which bypass the
interceptor proxy.

Amos
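The routing and interception pieces Amos describes, as an added example that is not from this thread or from the Squid project: the ip6tables TPROXY rules plus the policy-routing rule and local-route table that deliver marked packets to the proxy socket. It assumes Squid listens with "http_port 3129 tproxy" and that the network already sends client traffic through this host; the mark and table numbers are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing and ip6tables rules
# that TPROXY interception needs on the Squid box. Assumes Squid has
# "http_port 3129 tproxy" and that clients' traffic already transits this
# host (e.g. it is their default gateway).
# Run as root with "apply"; set DRY_RUN=1 to only print the commands.

MARK=1            # fwmark placed on intercepted packets (arbitrary)
TABLE=100         # routing table that delivers marked packets locally
SQUID_PORT=3129   # Squid's tproxy http_port (assumption)

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Policy routing: marked packets are looked up in a table whose only route
# is "local", so they reach the Squid socket instead of being forwarded on.
# Without this the kernel routes them onward and Squid never sees them.
tproxy_policy_routing() {
    run ip -6 rule add fwmark "$MARK" lookup "$TABLE"
    run ip -6 route add local ::/0 dev lo table "$TABLE"
}

# Interception: DIVERT marks packets already belonging to a local socket
# (-m socket, i.e. established intercepted flows); new port-80 connections
# go to the TPROXY target, which marks them and hands them to Squid's port.
tproxy_ip6tables() {
    run ip6tables -t mangle -N DIVERT
    run ip6tables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run ip6tables -t mangle -A DIVERT -j ACCEPT
    run ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run ip6tables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "0x$MARK/0x$MARK" --on-port "$SQUID_PORT"
}

tproxy_setup() {
    # Squid's spoofed-source replies must be forwarded, so enable forwarding.
    run sysctl -w net.ipv6.conf.all.forwarding=1
    tproxy_policy_routing
    tproxy_ip6tables
}

if [ "${1:-}" = "apply" ]; then
    tproxy_setup
fi
```

Policy routing on the rest of the network (so no path bypasses this host) is site-specific and not covered by the script.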
Received on Thu Oct 31 2013 - 06:48:47 MDT
