Re: [squid-users] Re: transparent proxy on remote box issue

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sun, 03 Nov 2013 05:56:31 +0200

Hey there,

Man, you need to understand something.
Your basic routing doesn't help in any way.
In your case you should have a network which is a simple thing...
I do not remember the machine settings, but once you have a strict
"default via IP"
the packets should flow through this host.
Try to make sure first that ICMP packets flow from one machine to the other.
Then and only then try to make the packets flow from, let's say:
VPN->MAIN-GW
then try to access the internet and see what happens on both the GW and VPN
machines.
You do have 10.0.0.1/24 as a default GW, so try to reach the internet from
10.0.0.170 using 10.0.0.1, let's say google or yahoo or even my
site.. ngtech.co.il.

This basic network setup should work if configured properly and if the
network infrastructure supports it.
If even one of all the above is not met you will not succeed, and then
we will be back to routing, which we can try to help with, but it means you
have a way ahead before making squid work.
Can you by any chance remove all these mark settings and go back to
routing just to make the basic setup work as it is supposed to?
And also the OUTPUT is another step, after all the traffic to and from
the internet back to this host is working..

Eliezer

On 11/02/2013 10:46 AM, WorkingMan wrote:
> I followed DMZ + policy routing and it still gives the same result (tested with VPN
> client).
>
> *mangle
> :PREROUTING ACCEPT [383:47877]
> :INPUT ACCEPT [311:32547]
> :FORWARD ACCEPT [149:20258]
> :OUTPUT ACCEPT [302:67329]
> :POSTROUTING ACCEPT [451:87587]
> [77:4928] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
> [77:4928] -A PREROUTING -m mark --mark 0x2 -j ACCEPT
> COMMIT
> # Completed on Sat Nov 2 08:30:56 2013
> # Generated by iptables-save v1.4.18 on Sat Nov 2 08:30:56 2013
> *nat
> :PREROUTING ACCEPT [13:864]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [5:354]
> :POSTROUTING ACCEPT [0:0]
> [18:1218] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Sat Nov 2 08:30:56 2013
> # Generated by iptables-save v1.4.18 on Sat Nov 2 08:30:56 2013
> *filter
> :INPUT ACCEPT [311:32547]
> :FORWARD ACCEPT [149:20258]
> :OUTPUT ACCEPT [313:68601]
> COMMIT
>
> ip route list table http
> default via 10.0.0.117 dev eth0
>
> ip rule show
> 0: from all lookup local
> 219: from all fwmark 0x2 lookup http
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
>
> ip route
> default via 10.0.0.1 dev eth0
> 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.170
>
> Can you make this work on your end?
>
> Thanks,
Received on Sun Nov 03 2013 - 03:57:02 MST
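As an added illustration (not part of the thread, and not something either poster ran), the script below parses the iptables-save, `ip rule show` and `ip route` output quoted above and answers the question Eliezer's step-by-step test is really asking: which routing table and gateway does a given packet use on this host? With the quoted configuration, only TCP port 80 arriving on eth0 is marked 0x2 and sent to the `http` table via 10.0.0.117; ICMP, other ports, and anything arriving on another interface never touch the mark rule and follow the main table via 10.0.0.1. So if the plain ICMP path fails, the marks are not the problem. The sample packets are constructed, `tun0` is an assumed VPN interface name (the thread names none), and the match model is simplified: every matching MARK rule is applied in order, the chain's own ACCEPT rule is not modelled.

```python
import re

# All three captures below are constructed from the configuration quoted in
# the thread (the line-wrapped iptables-save rule has been rejoined).
IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [383:47877]
[77:4928] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
[77:4928] -A PREROUTING -m mark --mark 0x2 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[18:1218] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

IP_RULE_SHOW = """\
0: from all lookup local
219: from all fwmark 0x2 lookup http
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
"""

# "ip route list table http" and "ip route" (the main table) from the thread.
ROUTE_TABLES = {
    "http": "default via 10.0.0.117 dev eth0\n",
    "main": "default via 10.0.0.1 dev eth0\n"
            "10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.170\n",
}


def parse_mark_rules(iptables_save):
    """Return the PREROUTING MARK rules of the mangle table as match dicts."""
    rules, in_mangle = [], False
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            in_mangle = line.strip() == "*mangle"
            continue
        if not in_mangle or "-A PREROUTING" not in line or "-j MARK" not in line:
            continue
        toks = line.split()

        def opt(flag):
            # Value following a flag, or None when the rule does not use it.
            return toks[toks.index(flag) + 1] if flag in toks else None

        mark = opt("--set-xmark") or opt("--set-mark")
        rules.append({
            "iface": opt("-i"),
            "proto": opt("-p"),
            "dport": int(opt("--dport")) if opt("--dport") else None,
            "mark": int(mark.split("/")[0], 16),  # value part of value/mask
        })
    return rules


def parse_fwmark_rules(ip_rule_show):
    """Map each fwmark in 'ip rule show' to the table it selects (lowest priority wins)."""
    selected = {}
    for line in ip_rule_show.splitlines():
        m = re.match(r"\d+:\s+from all fwmark (0x[0-9a-fA-F]+) lookup (\S+)", line)
        if m:
            selected.setdefault(int(m.group(1), 16), m.group(2))
    return selected


def default_gateway(table_text):
    """Next hop of the table's default route, or None if it has none."""
    for line in table_text.splitlines():
        m = re.match(r"default via (\S+) dev \S+", line)
        if m:
            return m.group(1)
    return None


def route_for(packet, mark_rules, fwmark_rules, tables):
    """Which (table, gateway) a packet arriving on this host would use."""
    mark = 0
    for rule in mark_rules:
        # A criterion the rule does not set (None) matches anything.
        if all(rule[k] is None or rule[k] == packet.get(k) for k in ("iface", "proto", "dport")):
            mark = rule["mark"]
    table = fwmark_rules.get(mark, "main")
    return table, default_gateway(tables.get(table, ""))


def check_consistency(mark_rules, fwmark_rules, tables):
    """Report marks without a policy rule, and policy tables without a default route."""
    problems = []
    for rule in mark_rules:
        table = fwmark_rules.get(rule["mark"])
        if table is None:
            problems.append(f"mark {rule['mark']:#x} is set but no ip rule selects a table for it")
        elif default_gateway(tables.get(table, "")) is None:
            problems.append(f"table {table!r} for mark {rule['mark']:#x} has no default route")
    return problems


if __name__ == "__main__":
    marks = parse_mark_rules(IPTABLES_SAVE)
    fwmarks = parse_fwmark_rules(IP_RULE_SHOW)
    print("problems:", check_consistency(marks, fwmarks, ROUTE_TABLES) or "none")
    # Constructed sample packets; "tun0" is an assumed VPN interface name.
    for pkt in ({"iface": "eth0", "proto": "icmp"},
                {"iface": "eth0", "proto": "tcp", "dport": 80},
                {"iface": "eth0", "proto": "tcp", "dport": 443},
                {"iface": "tun0", "proto": "tcp", "dport": 80}):
        print(pkt, "->", route_for(pkt, marks, fwmarks, ROUTE_TABLES))
```

Running it against the quoted configuration reports no inconsistency between the mark, the `ip rule` entry and the `http` table, and shows the ICMP and port-443 packets using 10.0.0.1 while the port-80 packet on eth0 uses 10.0.0.117. That split is the point of testing ICMP first: it exercises the ordinary default route on its own, before any of the fwmark machinery is involved.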