Re: [squid-users] TProxy Setup

From: Nyamul Hassan <nyamul_at_gmail.com>
Date: Sat, 5 Jul 2014 20:15:34 +0600

I apologize Eliezer if my words meant that Squid in general was
flawed. On the contrary, we have been using Squid 2 for almost 6
years over multiple proxies, and have only found it to be among the
exceptional open source software out there. And, the community
behind Squid also compares to the top few in the open source world.

What I meant was, perhaps the version of Squid that I am using (3.4.6)
has some changes that might have caused the TProxy to break
temporarily.

I'll have a go with other older versions and check further.

Wish me luck!

Regards
HASSAN

On Sat, Jul 5, 2014 at 8:12 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
> Hey,
>
> I am not sure if you understand your question which is:
> "I have a software that works on many many many many systems around the
> world, Why is it not working for me? because of the setup or because of the
> software?"
>
> I would not say that computers are saints or that software is perfect but
> since I can use the proxy for so many systems and it works fine..
> I raise the question: "What is going on on your system setup?"
> If you will understand that something is wrong but not from squid side you
> will be open to understand that something is wrongly configured.
> I tried to understand your network diagram but I cannot read it well (sorry,
> my bad).
> If you can describe the setup in words I will try again to understand it.
> I will try to build a setup with a mikrotik device to try and help you and
> others who don't happen to make it work.
>
> Eliezer
>
>
> On 07/05/2014 12:02 AM, Nyamul Hassan wrote:
>>
>> Dear Amos,
>>
>> We just found a small software:
>> https://github.com/kristrev/tproxy-example
>>
>> As the author put it:
>> The example transparent proxy application accepts TCP connections on
>> the specified port (set to 9876 in tproxy_test.h) and attempts a TCP
>> connection to the original host. If it is successful, the application
>> starts forwarding data between the two connections (using splice()).
>>
>> So, we compiled it and ran it, on port 9876. Then changed the
>> iptables mangle rules WITH ONLY the port 9876, all others remaining as
>> they were.
>>
>> Everything is working perfectly! So, is it safe to assume that
>> iptables & kernel are working perfectly? That there is a problem in
>> Squid?
>>
>> Regards
>> HASSAN
>>
>>
>>
>> On Sat, Jul 5, 2014 at 1:26 AM, Nyamul Hassan<nyamul_at_gmail.com> wrote:
>>>>
>>>> >>That is the problem then. Something is blocking the traffic arriving
>>>> >> at Squid listening port. selinux, rp_filter or ip_forward sysctl settings I
>>>> >> usually find are the problem for this, although there have been a few cases
>>>> >> where nobody could figure out why this was happening.
>>>> >>
>>>
>>> >
>>> >We might be approaching that magical situation where we do not know
>>> >what is happening!
>>> >
>>> >rp_filter is set to 0 for all as follows:
>>> >
>>> >[root_at_proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter
>>> >/proc/sys/net/ipv4/conf/all/rp_filter
>>> >/proc/sys/net/ipv4/conf/default/rp_filter
>>> >/proc/sys/net/ipv4/conf/lo/rp_filter
>>> >/proc/sys/net/ipv4/conf/eth0/rp_filter
>>> >/proc/sys/net/ipv4/conf/eth1/rp_filter
>>> >[root_at_proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {}
>>> > +
>>> >0
>>> >0
>>> >0
>>> >0
>>> >0
>>> >
>>> >IP Rule & Route list is as follows:
>>> >
>>> >[root_at_proxy01 ~]# ip rule list
>>> >0: from all lookup local
>>> >32765: from all fwmark 0x1 lookup squidtproxy
>>> >32766: from all lookup main
>>> >32767: from all lookup default
>>> >[root_at_proxy01 ~]# ip route list table squidtproxy
>>> >local default dev eth0 scope host
>>> >
>>>>
>>>> >>
>>>> >>see the /!\ notes under in the wiki page under the section about
>>>> >> setting up the route table.
>>>> >>
>>>> >>The interface(s) to attach the table to is the one receiving the
>>>> >> packets. From your description I suspect you will have two interfaces - one
>>>> >> for each of Rtr1 and Rtr2.
>>>> >>
>>>> >>For debugging try setting it for each interfaces receiving traffic and
>>>> >> see if TPROXY starts working.
>>>> >>
>>>
>>> >
>>> >While playing with the linux iptables / ip commands, I have come
>>> >across an interesting situation.
>>> >
>>> >I modified the mangle rule to "mark as 111", and updated the "ip rule"
>>> > to show:
>>> >32765: from all fwmark 0x6f lookup squidtproxy
>>> >
>>> >All other settings are unchanged.
>>> >
>>> >No other changes were made. Under this situation, my test client was
>>> >getting web pages loaded! But, Squid was still not getting any
>>> >requests! Seemed like regular routing of traffic! I have checked both
>>> >routers, and confirmed that traffic was passing through SquidBox, but
>>> >Squid process was not seeing it. :-/
>>> >
>>> >
>>>>
>>>> >>
>>>> >>Great. Thank you for these details. I am creating a Microtik wiki page
>>>> >> based on them.
>>>> >>
>>>
>>> >
>>> >If there is anything that I can help you with regarding the Mikrotik
>>> >(that's "k" for both characters) wiki page, I would be most obliged.
>>> >
>>> >Regards
>>> >HASSAN
>
>
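Where the thread compares the mangle mark, the `ip rule` fwmark, the squidtproxy route table and rp_filter, the following added shell script (not code from the thread, from Squid or from the tproxy-example project) checks those pieces for consistency offline; the `tproxy_*` function names and the sample command outputs are constructed for this example from the values quoted above.

```shell
# Added example, not the thread's or Squid's code: offline consistency checks for the TPROXY
# plumbing the thread walks through. Each function takes the captured text of one command.

# The mark set in the mangle table (MARK --set-xmark / TPROXY --tproxy-mark, as
# `iptables -t mangle -S` prints them) must equal the fwmark that `ip rule list`
# binds to the TPROXY table; otherwise marked packets fall through to the main
# table and are forwarded like ordinary traffic. Args: mangle, ip-rule, table name.
tproxy_marks_agree() {
  set_mark=$(printf '%s\n' "$1" | grep -E -e '-j (MARK|TPROXY) ' |
             sed -n 's/.*mark \(0x[0-9a-f]*\).*/\1/p' | head -n 1)
  rule_mark=$(printf '%s\n' "$2" |
              sed -n "s/.*fwmark \(0x[0-9a-f]*\) lookup $3.*/\1/p" | head -n 1)
  [ -n "$set_mark" ] && [ "$set_mark" = "$rule_mark" ]
}

# The kernel and Squid TPROXY docs put one route in that table, `local 0.0.0.0/0
# dev lo`, which `ip route list table X` shows as "local default dev lo scope host".
tproxy_route_ok() {
  printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'
}

# rp_filter must be 0 on the interfaces receiving the marked packets. Arg: the
# /proc/sys/net/ipv4/conf/*/rp_filter values, one per line; any non-zero fails.
tproxy_rp_filter_off() {
  [ -n "$1" ] && ! printf '%s\n' "$1" | grep -v '^$' | grep -vq '^0$'
}

# Run all checks, print the name of each failing one and return their count.
# Args: mangle text, ip-rule text, table name, route text, rp_filter text.
tproxy_audit() {
  failed=0
  tproxy_marks_agree "$1" "$2" "$3" || { echo marks; failed=$((failed + 1)); }
  tproxy_route_ok "$4" || { echo route; failed=$((failed + 1)); }
  tproxy_rp_filter_off "$5" || { echo rp_filter; failed=$((failed + 1)); }
  return $failed
}

# Constructed sample inputs built from values quoted in the thread: fwmark 0x1,
# the "mark as 111" (0x6f) experiment, and the squidtproxy table entry on eth0.
MANGLE_0X1='-A PREROUTING -p tcp -m socket -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1'
MANGLE_111='-A PREROUTING -p tcp -m socket -j MARK --set-xmark 0x6f/0xffffffff'
RULES_0X1='32765: from all fwmark 0x1 lookup squidtproxy
32766: from all lookup main'
ROUTE_ETH0='local default dev eth0 scope host'
RP_ALL_ZERO='0
0'
# With the thread's own values only the route check fails (prints "route").
tproxy_audit "$MANGLE_0X1" "$RULES_0X1" squidtproxy "$ROUTE_ETH0" "$RP_ALL_ZERO" || echo "failing checks: $?"
```

The script only reads text, so the captured outputs can be pasted from the box under test without running anything there as root.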
Received on Sat Jul 05 2014 - 14:16:21 MDT

This archive was generated by hypermail 2.2.0 : Sun Jul 06 2014 - 12:00:05 MDT