Thanks to Michael for this help,<br><br>I've got a working install of Slackware 13 going and have squid running when I set it manually but TPROXY still results in a hanging connection. This is a bridged setup and I've done the ebtables rules but it doesnt seem to be doing the trick.<br>
<br>Is there anyone here who has a working bridged setup?<br><br>Regards<br><br>Tristram<br><br><div class="gmail_quote">On 8 March 2010 17:02, Michael 'Moose' Dinn <span dir="ltr"><<a href="mailto:michael.dinn@airfire.ca">michael.dinn@airfire.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><br>
<br>
We're doing it in router mode, and it's pretty darn easy.<br>
<div class="im"><br>
> Were you doing it in a bridge or in router "mode" and did you follow any<br>
> guides/outlines of what to do?<br>
<br>
</div>get squid running non-transparently first so you can configure a browser to<br>
point at it. that means all your ACLs are correct.<br>
<br>
add to squid.conf:<br>
<br>
http_port 3129 tproxy<br>
<br>
<br>
and restart squid<br>
<br>
<br>
then, after you get the latest iptables, run:<br>
<br>
<br>
/sbin/ip rule add fwmark 1 lookup 100<br>
/sbin/ip route add local <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dev lo table 100<br>
<br>
/usr/sbin/iptables -F -t mangle<br>
/usr/sbin/iptables -t mangle -N MDIVERT<br>
/usr/sbin/iptables -t mangle -A MDIVERT -j MARK --set-mark 1<br>
/usr/sbin/iptables -t mangle -A MDIVERT -j ACCEPT<br>
<br>
#Use DIVERT to prevent existing connections going through TPROXY twice:<br>
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j MDIVERT<br>
<br>
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -s <a href="http://SOURCE.IP.RANGE.TO/PROXY" target="_blank">SOURCE.IP.RANGE.TO/PROXY</a> --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129<br>
<br>
<br>
replace the "<a href="http://source.ip.range.to/proxy" target="_blank">source.ip.range.to/proxy</a>" with whatever your proxy-able address<br>
space is and you're good to go.<br>
<br>
enjoy!<br>
<br>
<br>
</blockquote></div><br>