<div dir="ltr"><div>Yes, I did and tried the recommendations there too but that is a much more complicated setup. <br></div><div><br></div><div>Mine is a simple setup where I have a client PC (192.168.25.107) connected directly to my linux firewall router on eth1 (192.168.25.1). The eth0 (10.1.20.204) of the router is connected to the internet. </div><div><br></div><div>Router has - </div><div>1. squid3 3.4.8</div><div>2. iptables 1.4.14</div><div>3. libcap2</div><div>4. libcap2-dev</div><div><br></div><div>Squid config has the directive - </div><div style="margin-left:40px">http_port 3128 tproxy </div><div class="gmail_extra"><br></div><div class="gmail_extra">iptables is set up with the following directives - </div><div class="gmail_extra"><br></div><div style="margin-left:40px" class="gmail_extra">iptables -P INPUT ACCEPT</div><div class="gmail_extra"><div style="margin-left:40px" class="gmail_extra">iptables -P FORWARD ACCEPT</div><div style="margin-left:40px"><div class="gmail_extra">iptables -P OUTPUT ACCEPT</div></div><div style="margin-left:40px"><br></div><div style="margin-left:40px">iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</div><div style="margin-left:40px"><br></div><div><div style="margin-left:40px">iptables -t mangle -N DIVERT<br>iptables -t mangle -A DIVERT -j MARK --set-mark 111<br>iptables -t mangle -A DIVERT -j ACCEPT<br>iptables -t mangle -A PREROUTING -p tcp --match socket -j DIVERT<br><br>iptables -t mangle -A PREROUTING -p tcp --match multiport --dport http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111<br></div><br></div></div><div class="gmail_extra">routing config is - <br></div><div class="gmail_extra"><div style="margin-left:40px">ip -f inet rule add fwmark 111 lookup 100<br></div><div style="margin-left:40px">ip -f inet route add local default dev lo table 100<br></div><br></div><div class="gmail_extra">The moment I add the second line (ip route), all HTTP traffic gets black-holed. Not sure where it is going. 
<br><br></div><div class="gmail_extra">I have enabled logging in Squid "ALL,2" which usually shows detailed traffic traversing through squid but with this setup, nothing!<br><br></div><div class="gmail_extra"><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <span dir="ltr"><<a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hey Carvaka,<br>
<br>
Did you have the chance to read this article:<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2" target="_blank">http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2</a><br>
<br>
Thanks,<br>
Eliezer<br>
<div><div><br>
On 25/02/2015 19:15, Carvaka Guru wrote:<br>
> I am building a simple linux firewall router with eth1 LAN port and eth0<br>
> WAN port. I have squid3 running on it that I have built with netfilter<br>
> enabled. The linux version running on the firewall is debian wheezy which<br>
> has iptables with TPROXY and socket support.<br>
><br>
> By setting up the iptables to send traffic to squid3 using the original nat<br>
> prerouting REDIRECT method everything works fine but I can't get the TPROXY<br>
> method to work. I followed all the steps outlined in<br>
> <a href="http://wiki.squid-cache.org/Features/Tproxy4" target="_blank">http://wiki.squid-cache.org/Features/Tproxy4</a> but no traffic gets to squid3.<br>
> In fact all HTTP traffic goes into some hole as soon as I issue the<br>
> following two routing commands -<br>
><br>
> ip rule add fwmark 1 lookup 100<br>
> ip route add local <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dev lo table 100<br>
><br>
> Without these two commands the HTTP traffic goes through but never gets<br>
> routed to squid3.<br>
><br>
> I think the "ip route" command is the culprit but I don't know why or what<br>
> to change it to?<br>
><br>
> Any suggestions, help would be much appreciated.<br>
><br>
> Thanks,<br>
> carvaka<br>
><br>
<br>
<br>
</div></div>_______________________________________________<br>
tproxy mailing list<br>
<a href="mailto:tproxy@lists.balabit.hu" target="_blank">tproxy@lists.balabit.hu</a><br>
<a href="https://lists.balabit.hu/mailman/listinfo/tproxy" target="_blank">https://lists.balabit.hu/mailman/listinfo/tproxy</a><br>
</blockquote></div><br></div></div>
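An added consistency check for the kind of TPROXY setup discussed in this thread (example code written for this page, not from the list posters or the Squid project): it parses the iptables, ip rule/route and squid.conf lines and reports any mark, table or port that does not line up, because a mark that the ip rule never matches leaves TPROXY-marked packets on the normal forwarding path and Squid never sees them. The sample config strings are constructed from the values quoted above; the wiki-style `0x1/0x1` mark/mask form is handled as well.

```python
import re

# Constructed sample input: the rule set quoted in this thread, as plain strings.
IPTABLES_RULES = [
    "iptables -t mangle -N DIVERT",
    "iptables -t mangle -A DIVERT -j MARK --set-mark 111",
    "iptables -t mangle -A DIVERT -j ACCEPT",
    "iptables -t mangle -A PREROUTING -p tcp --match socket -j DIVERT",
    "iptables -t mangle -A PREROUTING -p tcp --match multiport --dport http,http-alt"
    " -j TPROXY --on-port 3128 --tproxy-mark 111",
]
IP_RULES = ["ip -f inet rule add fwmark 111 lookup 100",
            "ip -f inet route add local default dev lo table 100"]
SQUID_CONF = ["http_port 3128 tproxy"]

def parse_mark(text):
    """Turn '111', '0x1' or '0x1/0x1' into (value, mask); no mask means all bits."""
    value, _, mask = text.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)

def rule_matches(mark, fwmark_text):
    """Would a packet carrying `mark` hit 'ip rule add fwmark <fwmark_text> ...'?"""
    value, mask = parse_mark(fwmark_text)
    return (mark & mask) == (value & mask)

def check_tproxy_config(iptables_rules, ip_rules, squid_conf):
    """Cross-check marks, routing table and ports; returns [] when everything lines up."""
    problems = []
    ipt, iprt, sq = ("\n".join(x) for x in (iptables_rules, ip_rules, squid_conf))
    tproxy = re.search(r"-j TPROXY.*", ipt)
    on_port = re.search(r"--on-port (\d+)", tproxy.group(0)) if tproxy else None
    tp_mark = re.search(r"--tproxy-mark (\S+)", tproxy.group(0)) if tproxy else None
    set_mark = re.search(r"-j MARK --set-mark (\S+)", ipt)
    fwmark = re.search(r"rule add fwmark (\S+) lookup (\d+)", iprt)
    local_route = re.search(r"route add local \S+ dev lo table (\d+)", iprt)
    http_port = re.search(r"^http_port (\d+) .*\btproxy\b", sq, re.M)
    missing = [n for n, v in [("TPROXY rule", tproxy), ("--on-port", on_port),
               ("--tproxy-mark", tp_mark), ("MARK --set-mark", set_mark),
               ("ip rule fwmark", fwmark), ("local route on lo", local_route),
               ("squid http_port ... tproxy", http_port)] if v is None]
    if missing:
        return ["missing: " + ", ".join(missing)]
    if on_port.group(1) != http_port.group(1):
        problems.append(f"TPROXY --on-port {on_port.group(1)} != squid http_port {http_port.group(1)}")
    # Both the TPROXY target and the DIVERT chain's MARK must land in the fwmark rule;
    # the effective mark assumes the packet carried no mark before (value & mask).
    for label, text in (("--tproxy-mark", tp_mark.group(1)), ("--set-mark", set_mark.group(1))):
        value, mask = parse_mark(text)
        if not rule_matches(value & mask, fwmark.group(1)):
            problems.append(f"{label} {text} never matches 'ip rule fwmark {fwmark.group(1)}'")
    if fwmark.group(2) != local_route.group(1):
        problems.append(f"ip rule looks up table {fwmark.group(2)} but the local route is in table {local_route.group(1)}")
    return problems

if __name__ == "__main__":
    print(check_tproxy_config(IPTABLES_RULES, IP_RULES, SQUID_CONF) or "config is consistent")
```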