[squid-users] Re: transparent proxy on remote box issue

From: WorkingMan <signup_mail2002_at_yahoo.com>
Date: Fri, 1 Nov 2013 20:42:39 +0000 (UTC)

Eliezer Croitoru <eliezer <at> ngtech.co.il> writes:

>
> On 11/01/2013 10:30 AM, WorkingMan wrote:
> > I am not using TPROXY. VPN/SQUID are two different servers.
> OK now you mangled everything!!
> try to start from scratch which means design.
> Put the VPN on the same squid server or retry to design the network in a
> way it will work.
> Once you will prepare the network from scratch to work in a basic way we
> can try to dive in into squid and proxy land.
>
> Regards,
> Eliezer
>
>

Are you saying it's not possible to redirect traffic from a VPN
server to a remote SQUID server box with policy based routing without
an actual router (from the wiki it wasn't clear if that's the case or not:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)?

I don't like the idea of running SQUID on the VPN server because it won't
scale. If I need to add more SQUID servers how will I route the traffic
(so back to the original problem).

Currently I have this when policy based routing is applied (see full
topology below):
VPN Client -> VPN Server
VPN Server -> Web Site (SQUID's MAC), no traffic coming back,
retransmit till timeout

Is it the VPN or the SQUID server dropping the packets (because IP and MAC
don't match the ARP cache entry)?

I disabled that check in SQUID/VPN (/etc/sysctl.conf)
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

VPN server also has this:
net.ipv4.ip_forward=1

Can you just tell me what I need to do to make this work? It seems we
are back to square one. It would go faster if you told me everything in one reply
instead of us feeding each other bits of information and then
changing direction with each new piece of information that comes along.
It's very simple: I want this flow to happen.

client (10.100.0.0/16) <-port 500/4500-> VPN server (10.0.0.170)
VPN server (10.0.0.170) <-port 80-> SQUID (10.0.0.117) <--> Default Gateway (10.0.0.1)
VPN server (10.0.0.170) <-! port 80-> Default Gateway (10.0.0.1)

I am not sure if the HTTP response goes directly to the original client or goes
back along the route it came from, so it could be drawn incorrectly above.
I didn't put in the DNS stuff, but the VPN sends name resolution to DNS (10.0.0.2),
and names resolve correctly.

I wonder if the routing table in Amazon's web UI is messing up my iptables.

Thanks,
Received on Fri Nov 01 2013 - 20:43:06 MDT

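Added example, not part of the thread above and not Squid project code: a policy-routing setup for the topology the poster describes (VPN clients 10.100.0.0/16, VPN server 10.0.0.170, Squid 10.0.0.117, gateway 10.0.0.1), split into the rules that go on the VPN server and the rules that go on the Squid server. The addresses are the poster's; the Squid intercept port (3129, to match an assumed `http_port 3129 intercept` in squid.conf) and the use of fwmark 1 / routing table 100 are assumptions. The part most relevant to the "no traffic coming back" symptom is the last rule on the Squid box: Squid answers the client at its 10.100.x.x address, and unless the Squid host has a route for that prefix pointing back at the VPN server, the reply goes to the default gateway and never reaches the client. The script prints the commands unless `APPLY=1` is set, so it can be reviewed on any machine before being run as root.

```shell
#!/bin/sh
# Added example (not from the original thread): policy-based routing that sends
# only TCP/80 from VPN clients through a separate Squid box, plus the return
# route that the "no traffic coming back, retransmit till timeout" symptom
# points at. Addresses come from the post; the intercept port, mark and
# table numbers are assumptions.

VPN_CLIENTS=10.100.0.0/16
VPN_SERVER=10.0.0.170
SQUID=10.0.0.117
GATEWAY=10.0.0.1          # main-table default route; not touched here
MARK=1                    # assumed fwmark value
TABLE=100                 # assumed policy-routing table number
INTERCEPT_PORT=3129       # assumed; must match "http_port 3129 intercept"

# Print each command unless APPLY=1, so the script is safe to run anywhere.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

vpn_server_rules() {
    # The VPN server forwards client packets and must not let rp_filter drop
    # the asymmetric flows this design creates.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    # Mark only client traffic to port 80; everything else follows the main
    # table (default via 10.0.0.1). Squid's own outbound connections come from
    # 10.0.0.117, not from 10.100.0.0/16, so they never match and cannot loop.
    run iptables -t mangle -A PREROUTING -s "$VPN_CLIENTS" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    # Marked packets consult table 100, whose only route is "via Squid".
    # The packet keeps the web site's IP as destination; only the next hop
    # (and therefore the destination MAC) becomes the Squid box.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID" table "$TABLE"
    run ip route flush cache
}

squid_server_rules() {
    # nat/PREROUTING runs before the routing decision, so REDIRECT rewrites the
    # destination to a local address and the intercept port before the kernel
    # would otherwise forward or drop a packet not addressed to this host.
    # ip_forward is not needed on the Squid box for this.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run iptables -t nat -A PREROUTING -s "$VPN_CLIENTS" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # Squid's replies are addressed to 10.100.x.x. Without this route they
    # leave via the default gateway instead of the VPN server, and the client
    # retransmits until it times out.
    run ip route add "$VPN_CLIENTS" via "$VPN_SERVER"
}

echo "# --- on VPN server $VPN_SERVER ---"
vpn_server_rules
echo "# --- on Squid server $SQUID ---"
squid_server_rules
```

Two things to check if the flow still stalls: first, `tcpdump -ni any 'tcp port 80'` on the Squid box should show the SYN from 10.100.x.x arriving and a SYN/ACK leaving toward 10.0.0.170, which isolates the VPN-side forwarding from the Squid-side return route; second, if both hosts are EC2 instances (the post mentions Amazon's routing table), each instance's source/destination check has to be disabled, because by default EC2 discards packets whose source or destination is not one of the instance's own addresses, which is exactly what a forwarded 10.100.x.x packet looks like, and the VPC route table needs a route for 10.100.0.0/16 pointing at the VPN server's network interface.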