Hi -

With all my time I spend on tproxy ... I finally understood one thing clear, it works fine up to a certain level only in bridge mode. Any other way (snat, nat, routed) you try ... it's unstable. I have tried it from 2.4 - 2.6 kernel version, everywhere it's the same.

Regards
Rajesh

-----Original Message-----
From: tproxy-bounces@lists.balabit.hu [mailto:tproxy-bounces@lists.balabit.hu] On Behalf Of tproxy-request@lists.balabit.hu
Sent: Friday, August 29, 2008 03:30
To: tproxy@lists.balabit.hu
Subject: tproxy Digest, Vol 38, Issue 10

Today's Topics:

   1. Re: Clarification on tproxy4 usage (Arun Srinivasan)
   2. Re: Clarification on tproxy4 usage (Ming-Ching Tiew)

----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Aug 2008 21:59:48 +0530
From: "Arun Srinivasan" <hi2arun@gmail.com>
Subject: Re: [tproxy] Clarification on tproxy4 usage
To: "Ming-Ching Tiew" <mingching.tiew@redtone.com>
Cc: Tproxy <tproxy@lists.balabit.hu>
Message-ID: <d9bf4d8c0808280929h31db713frdec717a6e0c8d0a3@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I did clear the cache and verified. Also all my iptables policies are ACCEPT by default. However no luck.

Btw, could you tell me the latest version of tproxy and iptables that you have verified. So that I could give a shot at it.

Thank you.

2008/8/28 Ming-Ching Tiew <mingching.tiew@redtone.com>:
> Arun Srinivasan wrote:
>> Thanks for the quick response.
>>
>> Yes... the interface name is a typo and it is eth1.
>>
>> Well, as you said, I killed Squid and did what you said. I could see the pkts getting SNATted.
>>
>> Also I don't see any issues with routing/iptables as the setup for normal HTTP interception (no tproxy in squid.conf) works fine.
>>
>> There is also another observation. With tproxy enabled, I could not even connect to a cache_peer that is running on the same host (UML 2). i.e., the squid is configured to connect to another proxy that runs on the same UML 2. But it fails. However, with tproxy disabled, this case also works fine.
>>
>> Any thoughts?
>
> I hope you will not be offended during this troubleshooting thingie for an experienced person like you; however, I am trying to rule out every possibility here :-
>
> Did you flush your routing cache when you started without SNAT and then later you added SNAT? (Most kernels are compiled to use cached route!)
>
> Also what is your iptables policy - perhaps it's a good idea to keep policy to ACCEPT in this testing stage. (Likely that you have already done so.)
>
> Regards.
_______________________________________________ tproxy mailing list tproxy@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/tproxy
--
Regards,
Arun S.

------------------------------

Message: 2
Date: Fri, 29 Aug 2008 05:50:03 +0800
From: Ming-Ching Tiew <mingching.tiew@redtone.com>
Subject: Re: [tproxy] Clarification on tproxy4 usage
To: Tproxy <tproxy@lists.balabit.hu>
Message-ID: <48B71D8B.10209@redtone.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Arun Srinivasan wrote:
> I did clear the cache and verified. Also all my iptables policies are ACCEPT by default. However no luck.
>
> Btw, could you tell me the latest version of tproxy and iptables that you have verified. So that I could give a shot at it.
>
> Thank you.

I used iptables-tproxy-200710091749.diff and tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2

------------------------------

End of tproxy Digest, Vol 38, Issue 10