[squid-users] Re: transparent proxy on remote box issue

From: WorkingMan <signup_mail2002_at_yahoo.com>
Date: Thu, 31 Oct 2013 20:52:38 +0000 (UTC)

> I am suspecting something is going on but I am just not seeing it in the
> logs.
> tshark is not catching anything either by host <IP> or port 3130 on either
> VPN/SQUID. Does the TPROXY way work for SQUID on a remote server because I
> was going to try that next?
>
> Ping and DNS lookup all seem normal except for port 80 (all apps not using
> port 80 work). With clean.rules set using your suggested rules I see this
> (client can browse but doesn't look like it went to SQUID server at all)
>
> Src: 10.100.0.1 (10.100.0.1, VPN client), Dst: 176.32.98.168 (amazon)
> Src: 10.0.0.170 (10.0.0.170, VPN), Dst: 176.32.98.168 (176.32.98.168)
> Src: 176.32.98.168 (176.32.98.168), Dst: 10.0.0.170 (10.0.0.170)
>
> Let's just say things look normal.
>
> With proxy.rules (policy based routing), I see a lot of TCP retransmissions
> from VPN client/server to the web server.
>
> 10.0.0.170 -> 157.166.248.10 TCP 78 60440 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783310 TSecr=0 SACK_PERM=1
> 10.0.0.170 -> 157.166.248.11 TCP 78 [TCP Retransmission] 60437 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783793 TSecr=0 SACK_PERM=1
> 10.100.0.1 -> 157.166.249.10 TCP 78 [TCP Retransmission] 60438 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=16 TSval=230783995 TSecr=0 SACK_PERM=1
>
> It does this until it gives up. I hope that rings a bell. I could be
> debugging this wrong and not seeing the obvious. There is no trace on SQUID
> server or its log so I assume traffic didn't make it over. On VPN server
> when I do a query to a web site it works which is weird because I thought it
> should also get routed since all tcp on eth0 are marked (also no log in
> access.log on squid side so it's not routed).
>
> Thanks,
>
>

Update. Found this, https://forums.gentoo.org/viewtopic-t-932554-start-0.html,
that helped me look at the mac address of the src/dst.

With proxy.rules now with above info I see mac address of the web site is
the mac address of SQUID server. Again I only see one direction traffic
going to the web site. At least we know it's doing something that looks
correct.

With clean.rules, web site's mac address is the gateway/DNS (in my case is
the same mac). I see bidirectional traffic between web site and VPN server.

On SQUID server I have applied 4 rules from this SQUID guide:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

There is no traffic to SQUID using tshark. Nothing in SQUID logs or syslog.
Nothing in VPN's syslog.

Thanks,
Received on Thu Oct 31 2013 - 20:53:11 MDT
