Hi<br><br>I am running squid 3.1.15, kernel version 2.6.32-33-server, Iptables version v1.4.4. I followed the instruction given on When the client browses using this Squid as gateway, requests are getting timed out with the following in access.log<br>
<br>1315384947.854 60225 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -<br>1315384949.431 117995 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -<br>
<br>where xx.xx.xx.xx are client public IPs<br><br>Following is the squid setup<br><br>1) Network configuration<br><br>Router ---> squid (eth0 - Public IP) --> Client (Public IP)<br><br>sysctl -p<br>net.ipv4.conf.default.rp_filter = 1<br>
net.ipv4.ip_forward = 1<br><br>cat /boot/config-2.6.32-33-server |grep -E '(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)' <br>CONFIG_NF_CONNTRACK=m<br>CONFIG_NETFILTER_TPROXY=m<br>CONFIG_NETFILTER_XT_TARGET_TPROXY=m<br>
CONFIG_NETFILTER_XT_MATCH_SOCKET=m<br><br><br>iptables -L -t mangle<br>Chain PREROUTING (policy ACCEPT)<br>target prot opt source destination <br>DIVERT tcp -- anywhere anywhere socket <br>
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1<br><br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination <br>
<br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination <br><br>Chain POSTROUTING (policy ACCEPT)<br>
target prot opt source destination <br><br>Chain DIVERT (1 references)<br>target prot opt source destination <br>MARK all -- anywhere anywhere MARK xset 0x1/0xffffffff <br>
ACCEPT all -- anywhere anywhere <br><br><br>from squid.conf<br><br>http_port 3129 tproxy<br><br>from dmesg<br><br>[62387.197490] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)<br>[62387.197746] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use<br>
[62387.197749] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or<br>[62387.197752] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.<br>[62387.242358] NF_TPROXY: Transparent proxy support initialized, version 4.1.0<br>
[62387.242362] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.<br><br>Browsing is happening fine in transparent mode using http_port 3128 transparent.<br><br>Please help....<br><br clear="all"><br>-- <br>Karthik Vembar<br>
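<br><br>The two access.log lines in the post show status 000 with 0 bytes after waits of about 60 and 118 seconds. As an added example (not part of the original post and not Squid project code), the following parser reads Squid's native log format and lists such stalled requests; the 30-second threshold and the third sample line are assumptions made for the illustration.

```python
"""Triage Squid native-format access.log lines for requests that got no reply."""
from collections import namedtuple

# First two lines are from the post (client address redacted there);
# the third is a constructed line for a request that completed normally.
SAMPLE_LOG = """\
1315384947.854 60225 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -
1315384949.431 117995 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -
1315384950.102 184 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.80 text/html
"""

STALL_MS = 30000  # assumed threshold: waits this long count as stalled

Entry = namedtuple("Entry", "timestamp elapsed_ms client result status size "
                            "method url hierarchy peer")

def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    result, _, status = f[3].partition("/")      # e.g. TCP_MISS/000
    hierarchy, _, peer = f[8].partition("/")     # e.g. DIRECT/www.google.co.in
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], hierarchy, peer)
    except ValueError:
        return None

def stalled(entries, min_ms=STALL_MS):
    """Forwarded requests with no status, no bytes and a long wait."""
    return [e for e in entries
            if e.status == 0 and e.size == 0 and e.elapsed_ms >= min_ms
            and not e.hierarchy.endswith("NONE")]  # NONE/HIER_NONE: never forwarded

def triage(text):
    """Return (all parsed entries, stalled entries) for a block of log text."""
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return entries, stalled(entries)

if __name__ == "__main__":
    entries, bad = triage(SAMPLE_LOG)
    print(f"{len(bad)} of {len(entries)} requests stalled")
    for e in bad:
        print(f"  {e.client}: {e.elapsed_ms / 1000:.1f}s waiting on "
              f"{e.peer} ({e.hierarchy}), {e.result}/{e.status:03d}")
```

Both lines from the post are reported: Squid parsed each request and logged DIRECT forwarding, but recorded no status and no bytes for the reply.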