<div dir="ltr"><div><div><div><div>Hi Uenal, <br><br></div>I tried the steps that you specified but that didn't help. I already had most of the steps except the one for the nonlocal bind. But I still don't see any packets getting to squid. <br><br></div>Can someone explain to me what the following two commands are supposed to achieve? I am a little confused on that. I think the second command especially is not correct for my setup, because as soon as I issue it all HTTP traffic stops getting to the internet. <br><br>ip -f inet rule add fwmark 111 lookup 100<br>ip -f inet route add local default dev lo table 100<br><br></div>Thanks,<br></div>Carvaka<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 26, 2015 at 12:03 PM, U.Mutlu <span dir="ltr"><<a href="mailto:for-forums@mutluit.com" target="_blank">for-forums@mutluit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
did you do these steps on the tproxy-host? :<br>
<br>
do_set_as_router()<br>
{<br>
# turn off reverse-path filtering on every interface<br>
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 >$f ; done<br>
# enable IPv4 forwarding globally and per interface<br>
echo 1 >/proc/sys/net/ipv4/ip_forward<br>
for f in /proc/sys/net/ipv4/conf/*/forwarding ; do echo 1 >$f ; done<br>
# allow sockets to bind to addresses that are not local to this host<br>
echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind<br>
# send ICMP redirects and answer ARP on behalf of other hosts<br>
for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do echo 1 >$f ; done<br>
for f in /proc/sys/net/ipv4/conf/*/proxy_arp ; do echo 1 >$f ; done<br>
}<br>
<br>
cu<br>
Uenal<br>
<br>
<br>
Carvaka Guru wrote, On 02/25/2015 08:40 PM:<br>
<div class="HOEnZb"><div class="h5">> Yes, I did and tried the recommendations there too but that is a much more<br>
> complicated setup.<br>
><br>
> Mine is a simple setup where I have a client PC (192.168.25.107) connected<br>
> directly to my linux firewall router on eth1 (192.168.25.1). The eth0<br>
> (10.1.20.204) of the router is connected to the internet.<br>
><br>
> Router has -<br>
> 1. squid3 3.4.8<br>
> 2. iptables 1.4.14<br>
> 3. libcap2<br>
> 4. libcap2-dev<br>
><br>
> Squid config has the directive -<br>
> http_port 3128 tproxy<br>
><br>
> iptables is setup with the following directives -<br>
><br>
> iptables -P INPUT ACCEPT<br>
> iptables -P FORWARD ACCEPT<br>
> iptables -P OUTPUT ACCEPT<br>
><br>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br>
><br>
> iptables -t mangle -N DIVERT<br>
> iptables -t mangle -A DIVERT -j MARK --set-mark 111<br>
> iptables -t mangle -A DIVERT -j ACCEPT<br>
> iptables -t mangle -A PREROUTING -p tcp --match socket -j DIVERT<br>
><br>
> iptables -t mangle -A PREROUTING -p tcp --match multiport --dport<br>
> http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111<br>
><br>
> routing config is -<br>
> ip -f inet rule add fwmark 111 lookup 100<br>
> ip -f inet route add local default dev lo table 100<br>
><br>
> The moment I add the second line (ip route), all HTTP traffic gets<br>
> black-holed. Not sure where it is going.<br>
><br>
> I have enabled logging in Squid "ALL,2" which usually shows detailed<br>
> traffic traversing through squid but with this setup, nothing!<br>
><br>
><br>
><br>
><br>
> On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>><br>
> wrote:<br>
><br>
>> Hey Carvaka,<br>
>><br>
>> Did you have the chance to read this article:<br>
>> <a href="http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2" target="_blank">http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2</a><br>
>><br>
>> Thanks,<br>
>> Eliezer<br>
>><br>
>> On 25/02/2015 19:15, Carvaka Guru wrote:<br>
>>> I am building a simple linux firewall router with eth1 LAN port and eth0<br>
>>> WAN port. I have squid3 running on it that I have built with netfilter<br>
>>> enabled. The Linux version running on the firewall is Debian wheezy, which<br>
>>> has iptables with TPROXY and socket support.<br>
>>><br>
>>> By setting up the iptables to send traffic to squid3 using the original nat<br>
>>> prerouting REDIRECT method everything works fine but I can't get the TPROXY<br>
>>> method to work. I followed all the steps outlined in<br>
>>> <a href="http://wiki.squid-cache.org/Features/Tproxy4" target="_blank">http://wiki.squid-cache.org/Features/Tproxy4</a> but no traffic gets to squid3.<br>
>>> In fact all HTTP traffic goes into some hole as soon as I issue the<br>
>>> following two routing commands -<br>
>>><br>
>>> ip rule add fwmark 1 lookup 100<br>
>>> ip route add local <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dev lo table 100<br>
>>><br>
>>> Without these two commands the HTTP traffic goes through but never gets<br>
>>> routed to squid3.<br>
>>><br>
>>> I think the "ip route" command is the culprit but I don't know why or what<br>
>>> to change it to?<br>
>>><br>
>>> Any suggestions, help would be much appreciated.<br>
>>><br>
>>> Thanks,<br>
>>> carvaka<br>
>>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> tproxy mailing list<br>
>> <a href="mailto:tproxy@lists.balabit.hu">tproxy@lists.balabit.hu</a><br>
>> <a href="https://lists.balabit.hu/mailman/listinfo/tproxy" target="_blank">https://lists.balabit.hu/mailman/listinfo/tproxy</a><br>
>><br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>
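The plumbing discussed in this thread, as an added example that is not part of any of the list posts and not Squid's own code: one script that applies the sysctls, the policy-routing pair Carvaka asks about, and the mangle rules, with a dry-run mode and a check step. The interface names (eth1 LAN, eth0 WAN), mark 111, table 100 and port 3128 are assumptions taken from the setup described in the thread and can be overridden through the environment; the `-i eth1` restriction on the TPROXY rule is an addition here, not something from the posts.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posts or from Squid):
# the TPROXY plumbing discussed above as one script, with a dry-run mode and a
# check step.  Interface names, ports and the mark/table numbers are
# assumptions taken from the thread's setup; override them via the environment.
MARK=${MARK:-111}      # fwmark set by TPROXY / DIVERT (shown as 0x6f by 'ip rule')
TABLE=${TABLE:-100}    # routing table consulted for packets carrying MARK
PORT=${PORT:-3128}     # Squid's "http_port ... tproxy" port
LAN=${LAN:-eth1}       # client-facing interface (assumed)
WAN=${WAN:-eth0}       # upstream interface (assumed)

# Execute a command, or print it instead when DRY_RUN=1 so the rule set can be
# reviewed on a machine without root or without netfilter.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

tproxy_sysctls() {
    # Reverse-path filtering drops packets whose source address would not be
    # routed back out the interface they arrived on; TPROXY'd flows and Squid's
    # spoofed-source replies fail that test, so it is turned off.  The kernel
    # uses the larger of conf/all and conf/<if>, so both are set.
    for i in all default "$LAN" "$WAN"; do
        run sysctl -w "net.ipv4.conf.$i.rp_filter=0"
    done
    run sysctl -w net.ipv4.ip_forward=1
    # Lets Squid bind outbound sockets to the client's (non-local) address.
    run sysctl -w net.ipv4.ip_nonlocal_bind=1
}

tproxy_routes() {
    # Policy routing: any packet carrying MARK is looked up in TABLE instead of
    # the main table ...
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    # ... and TABLE holds a single "local" route for 0.0.0.0/0, which hands the
    # packet to the local stack even though its destination address is the
    # remote web server.  That is what lets the TPROXY'd socket receive it.
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

tproxy_iptables() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Packets that already belong to a local socket (established TPROXY'd
    # flows) are marked and thereby steered to TABLE.  This rule must come
    # before the TPROXY rule, which only handles new connections.
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # Only traffic arriving on the LAN side is redirected; without "-i $LAN",
    # port-80 connections arriving from the WAN side would be proxied too and
    # the router would behave as an open transparent proxy.
    run iptables -t mangle -A PREROUTING -i "$LAN" -p tcp -m multiport \
        --dports 80,8080 -j TPROXY --on-port "$PORT" --tproxy-mark "$MARK"
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

tproxy_apply() { tproxy_sysctls && tproxy_routes && tproxy_iptables; }

# Checks to run after applying: the rule, the local route and the TPROXY rule
# must all be present, otherwise marked packets have nowhere to go.
tproxy_check() {
    ip rule show | grep -q "lookup $TABLE" || { echo "missing ip rule"; return 1; }
    ip route show table "$TABLE" | grep -q '^local default' \
        || { echo "missing local route in table $TABLE"; return 1; }
    iptables -t mangle -S PREROUTING | grep -q -- "--on-port $PORT" \
        || { echo "missing TPROXY rule"; return 1; }
    echo "tproxy plumbing present"
}

case "${1:-show}" in
    apply) tproxy_apply ;;
    check) tproxy_check ;;
    *)     (DRY_RUN=1; tproxy_apply) ;;   # default: only print the commands
esac
```

`sh tproxy.sh` prints the commands, `sh tproxy.sh apply` (as root) applies them, and `sh tproxy.sh check` verifies that the ip rule, the local route and the TPROXY rule are all in place. The two commands asked about work as a pair: the rule only says "consult table 100 for packets marked 111", and the local default route in that table is what makes the kernel accept a packet addressed to a foreign IP for local delivery. Because the rule keys on the same mark the TPROXY and DIVERT rules set, only redirected packets take that path; everything else keeps using the main table.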