Re: [squid-users] TProxy Setup

From: Nyamul Hassan <nyamul_at_gmail.com>
Date: Sat, 5 Jul 2014 01:26:24 +0600

> That is the problem then. Something is blocking the traffic arriving at Squid listening port. selinux, rp_filter or ip_forward sysctl settings I usually find are the problem for this, although there have been a few cases where nobody could figure out why this was happening.
>

We might be approaching that magical situation where we do not know
what is happening!

rp_filter is set to 0 for all as follows:

[root_at_proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter
/proc/sys/net/ipv4/conf/all/rp_filter
/proc/sys/net/ipv4/conf/default/rp_filter
/proc/sys/net/ipv4/conf/lo/rp_filter
/proc/sys/net/ipv4/conf/eth0/rp_filter
/proc/sys/net/ipv4/conf/eth1/rp_filter
[root_at_proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +
0
0
0
0
0

IP Rule & Route list is as follows:

[root_at_proxy01 ~]# ip rule list
0: from all lookup local
32765: from all fwmark 0x1 lookup squidtproxy
32766: from all lookup main
32767: from all lookup default
[root_at_proxy01 ~]# ip route list table squidtproxy
local default dev eth0 scope host

>
> see the /!\ notes under in the wiki page under the section about setting up the route table.
>
> The interface(s) to attach the table to is the one receiving the packets. From your description I suspect you will have two interfaces - one for each of Rtr1 and Rtr2.
>
> For debugging try setting it for each interfaces receiving traffic and see if TPROXY starts working.
>

While playing with the Linux iptables / ip commands, I have come
across an interesting situation.

I modified the mangle rule to "mark as 111", and updated the "ip rule" to show:
32765: from all fwmark 0x6f lookup squidtproxy

All other settings are unchanged.

No other changes were made. Under this situation, my test client was
getting web pages loaded! But Squid was still not getting any
requests! Seemed like regular routing of traffic! I have checked both
routers and confirmed that traffic was passing through SquidBox, but
the Squid process was not seeing it. :-/

>
> Great. Thank you for these details. I am creating a Microtik wiki page based on them.
>

If there is anything that I can help you with regarding the Mikrotik
(that's "k" for both characters) wiki page, I would be most obliged.

Regards
HASSAN
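The two things this message turns on, the fwmark the mangle table sets versus the fwmark the `ip rule` entry keys on (iptables prints it in decimal, `ip rule` in hex, so 111 must show up as 0x6f) and whether any rp_filter knob is enabled, can be checked mechanically. The script below is an added example written for this archive page; it is not from the thread, the Squid wiki or the Squid project. The three inputs are constructed strings shaped like the command output quoted above (with one rp_filter value deliberately set to 1 so the check has something to report), so it runs offline; the mangle rule format assumes `-j MARK --set-mark N` as `iptables -t mangle -S` prints it, and the route table contents are not checked.

```shell
#!/bin/sh
# Added example, not part of the squid-users thread. It checks that the
# fwmark set in the mangle table is the value the "ip rule" entry selects
# the TPROXY table on, and that no rp_filter entry is enabled. The inputs
# are constructed strings shaped like the quoted command output.

# Constructed sample: one mangle rule as "iptables -t mangle -S" prints it.
SAMPLE_MANGLE='-A PREROUTING -p tcp --dport 80 -j MARK --set-mark 111'

# Constructed sample: "ip rule list", with the mark printed as 0x6f (= 111).
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all fwmark 0x6f lookup squidtproxy
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample: rp_filter values, one line per interface; the third
# one is deliberately 1 so the check reports it.
SAMPLE_RP_FILTER='0
0
1
0
0'

# Decimal mark (as iptables prints it) -> the hex form "ip rule" prints.
mark_to_hex() {
    printf '0x%x\n' "$1"
}

# Pull the decimal --set-mark value out of a mangle rule line.
mark_from_mangle_rule() {
    printf '%s\n' "$1" | sed -n 's/.*--set-mark \([0-9][0-9]*\).*/\1/p'
}

# Exit 0 if some rule in the "ip rule" listing keys on the given decimal
# mark, whether printed as "fwmark 0x6f" or "fwmark 0x6f/0xffffffff".
rule_matches_mark() {
    hex=$(mark_to_hex "$1")
    printf '%s\n' "$2" | grep -q "fwmark $hex[ /]"
}

# Number of rp_filter entries that are not 0 (any of them can drop the
# TPROXY-redirected packets before Squid sees them).
count_rp_filter_enabled() {
    printf '%s\n' "$1" | grep -c -v '^0$' || true
}

# Run both checks; prints findings and returns 0 only if all is consistent.
check_tproxy_prereqs() {
    mangle=$1; rules=$2; rpf=$3; problems=0
    mark=$(mark_from_mangle_rule "$mangle")
    if [ -z "$mark" ]; then
        echo "PROBLEM: no --set-mark found in mangle rule"
        problems=$((problems + 1))
    elif rule_matches_mark "$mark" "$rules"; then
        echo "ok: mark $mark ($(mark_to_hex "$mark")) has a matching ip rule"
    else
        echo "PROBLEM: mark $mark ($(mark_to_hex "$mark")) has no ip rule, so the TPROXY table is never consulted"
        problems=$((problems + 1))
    fi
    n=$(count_rp_filter_enabled "$rpf")
    if [ "$n" -eq 0 ]; then
        echo "ok: rp_filter is 0 everywhere"
    else
        echo "PROBLEM: $n rp_filter entries are non-zero (find /proc/sys/net/ipv4/ -name rp_filter)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Live use (not run here): replace the samples with the output of
#   iptables -t mangle -S PREROUTING | grep -- --set-mark
#   ip rule list
#   find /proc/sys/net/ipv4/ -name rp_filter -exec cat {} +
check_tproxy_prereqs "$SAMPLE_MANGLE" "$SAMPLE_IP_RULE" "$SAMPLE_RP_FILTER"
echo "overall status: $? (0 = consistent)"
```

Run it as `sh tproxy-check.sh`; with the constructed samples it reports the mark as consistent and flags the one non-zero rp_filter entry. It only tells you that the mark and rp_filter are not the cause; the routing table attached to the receiving interface, which the quoted reply points at, still has to be checked by hand.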
Received on Fri Jul 04 2014 - 19:27:11 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 05 2014 - 12:00:04 MDT