[squid-users] Re: transparent proxy on remote box issue

> >
> > I have confidence that we can get to the bottom of this with this level
of
> > details.
> > I am currently stuck at this step:
> >
> > VPN Server - > Web Site (SQUID's mac)
> >
> > This was also where I was stuck before. At this point I am simply
issuing a
> > curl
> > www.cnn.com from VPN server (VPN client/SQUID not involved)
> >
> > If I follow: http://www.tldp.org/HOWTO/TransparentProxy-6.html
> > What happens is that it says use DNAT/SNAT + policy routing and that in
the end
> > didn't do any policy routing since MAC address to the web site didn't
point to
> > SQUID's mac address.
>
> Okay please drop that how-to. It is for a completely different network
> topology than your diagram showed.
>
> > If I follow http://wiki.squid-
> > cache.org/ConfigExamples/Intercept/IptablesPolicyRoute.
> > Mac address of web site is SQUID's mac address but somewhere I get
packet loss
> > because it just keeps retransmitting the same http request. I had to add
one
> > extra
> > rule to arrive to this behavior (see below).
>
> There are several use-case configurations in that page.
> You need the one under "When Squid is in a DMZ between the router and
> Internet".
>
> > There is no traffic going to SQUID other than ARP (for getting mac
address).
> >
> > One hint I had was that the traffic are not marked correctly.
> >
> > This line if added (I got it from somewhere online) will change the mac
address
> > of
> > the web site to be the one of SQUID:
> >
> > iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-
mark 2
>
> OUTPUT ??? none of the routing tutorials you have been looking at
> mention doing anything in OUTPUT.
>
> *PREROUTING* table (as in the "before routing" table of rules) is the
> one you should be altering on the VPN server.
>
> - Reset the VPN server config from these changes,
> - go back to
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute.
> - follow the section "When Squid is in a DMZ between the router and
> Internet"
> - follow the section "Routing Setup"
> - then re-run the 4 tests I outlined for this stage of configuration.
>
> > With that rule:
> > 06:13:38.327212 0a:a5:82:f8:2e:93 (VPN's mac)> 0a:3c:e1:08:45:b7
(SQUID's mac),
> > IPv4, length 74: 10.0.0.170.57525 > 157.166.248.10.80 (web site): tcp 0
> >
> > Without that rule:
> > 06:01:59.823267 0a:a5:82:f8:2e:93 (VPN's mac) > 0a:ee:81:f6:13:ef
(SQUID's
> > mac),
> > IPv4, length 66: 10.0.0.170.43154 > 157.166.249.11.80 (web site): tcp 0
>
> Easily explained. MARK are not set on the packet, they are flags in the
> kernel metadata about a connection.
> I'm doubt if they show up in a tcpdump, but they definitely will not
> leave the machine they are used on.
>
> > On SQUID I followed this: http://wiki.squid-
> > cache.org/ConfigExamples/Intercept/LinuxRedirect
> > There is no traffic going to SQUID according to tshark (unless there is
just
> > not
> > showing up) so we can ignore this for now.
>
> Rewind. That is steaming on way ahead of where things are broken.
>
> Amos
>
>

I followed DMZ + policy routing and it still same result (tested with VPN
client).

*mangle
:PREROUTING ACCEPT [383:47877]
:INPUT ACCEPT [311:32547]
:FORWARD ACCEPT [149:20258]
:OUTPUT ACCEPT [302:67329]
:POSTROUTING ACCEPT [451:87587]
[77:4928] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark
0x2/0xffffffff
[77:4928] -A PREROUTING -m mark --mark 0x2 -j ACCEPT
COMMIT
# Completed on Sat Nov 2 08:30:56 2013
# Generated by iptables-save v1.4.18 on Sat Nov 2 08:30:56 2013
*nat
:PREROUTING ACCEPT [13:864]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:354]
:POSTROUTING ACCEPT [0:0]
[18:1218] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Nov 2 08:30:56 2013
# Generated by iptables-save v1.4.18 on Sat Nov 2 08:30:56 2013
*filter
:INPUT ACCEPT [311:32547]
:FORWARD ACCEPT [149:20258]
:OUTPUT ACCEPT [313:68601]
COMMIT

ip route list table http
default via 10.0.0.117 dev eth0

ip rule show
0: from all lookup local
219: from all fwmark 0x2 lookup http
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

ip route
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.170

Can you make this work on your end?

Thanks,
Received on Sat Nov 02 2013 - 08:46:53 MDT