admin@abp.pl wrote:
Hello,
I'm using Squid Cache: Version 2.6.STABLE18
Is there a possibility to use it as a fully transparent proxy (with tproxy) but without bridging interfaces?
My topology:
[router 0]---[Internet]
     |
     |
[===switch=======================]
     |          |            |
 [squid]   [ router a ] [ router b ] .....
Clients are connected to routers a, b, ... On those routers I have DNAT --to-destination squid:80
On squid machine i have 2.6.25-rc7 kernel and Squid with patches from http://people.balabit.hu/panther/tproxy/.
And:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
squid.conf:
..
http_port 3128 transparent tproxy
tcp_outgoing_address [machine ip]
..
When I test this configuration, web servers log connections from the clients behind routers a, b, ... with the IP of the squid machine. So tproxy doesn't work.
Can I fix it?
PS. It's urgent for me, please help ;)

Regards,
Tomasz
Well, among all things you have at least gotten to patch the 2.6.25-rc7 kernel. Good! That's a big step better than just ***STARE*** at the patch, refuse to use it, and then start asking all sorts of questions about where the correct patch is! :-)

There are two main problems which you will have to deal with:

1. It appears to me that you haven't patched squid. You need to patch squid to use it with tproxy-4.1.0, and that has been mentioned so many times on this mailing list. My guess is that you were able to surf the net from the clients despite failing to spoof the clients' IP because you had not patched squid (sounds ironic, doesn't it?). If you had patched squid correctly, you couldn't even browse from the clients, as squid would have spoofed the IP of the clients, and in your setup the HTTP return packets from router0 would not get a chance to return to squid, which would leave you with a hung HTTP request. That leads to the second point I want to make.

2. I am not saying doing tproxy without bridging is impossible, but you have not demonstrated that you have attempted to solve the return path problem mentioned above. Until you have become an advanced user, may I know what is stopping you from making the squid box a bridge?

Cheers.
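To make the return-path problem from the reply concrete, here is a small Python model added to this thread; it is not code from either poster, from Squid or from the tproxy kernel patch. It assumes made-up addresses (client 192.168.1.10 behind router a, origin server 203.0.113.5), constructed routing tables for router0 and routers a/b, and a deliberately simplified version of what the `-m socket` match does: it checks whether a transparent socket on the squid box owns the packet's 4-tuple. The trace shows why a reply addressed to the spoofed client IP goes straight from router0 to router a when squid merely hangs off the switch, and why it only reaches squid's socket when the squid box is bridged into router0's path. It also covers the case the reply implies but does not spell out: a bridged frame that no local socket owns is simply forwarded.

```python
import ipaddress

# Constructed model of the topology in the thread: router0 (uplink), squid and
# routers a/b share one switched segment; clients sit behind router a. All
# addresses and routing tables are made up for this example.
ROUTES = {
    "router0":  {"192.168.1.0/24": "router_a", "192.168.2.0/24": "router_b",
                 "0.0.0.0/0": "internet"},
    "router_a": {"192.168.1.0/24": "clients_a", "0.0.0.0/0": "router0"},
    "router_b": {"192.168.2.0/24": "clients_b", "0.0.0.0/0": "router0"},
}
CLIENT_IP, CLIENT_PORT = "192.168.1.10", 40000   # source squid spoofs via tproxy
WEB_IP, WEB_PORT = "203.0.113.5", 80              # origin server (TEST-NET-3)

# Simplified stand-in for what `-m socket` consults: transparent sockets on the
# squid box, keyed as (local_ip, local_port, remote_ip, remote_port).
TPROXY_SOCKETS = {(CLIENT_IP, CLIENT_PORT, WEB_IP, WEB_PORT)}


def next_hop(node, dst_ip):
    """Longest-prefix match over a node's constructed routing table."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for prefix, hop in ROUTES[node].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def socket_match(src_ip, src_port, dst_ip, dst_port):
    """Model of `-m socket`: does a transparent socket own this packet?
    For a reply, the packet's destination is the socket's local (spoofed) side."""
    return (dst_ip, dst_port, src_ip, src_port) in TPROXY_SOCKETS


def trace_reply(bridged, src_ip=WEB_IP, src_port=WEB_PORT,
                dst_ip=CLIENT_IP, dst_port=CLIENT_PORT):
    """Follow the origin server's reply from router0 toward the spoofed client
    address. With bridged=True the squid box is an L2 bridge between router0
    and the switch, so every frame router0 emits toward the switch crosses it
    and the mangle DIVERT rule can hand it to the owning local socket."""
    path = ["router0"]
    node = "router0"
    while node in ROUTES:
        hop = next_hop(node, dst_ip)
        if bridged and node == "router0":
            path.append("squid(bridge)")
            if socket_match(src_ip, src_port, dst_ip, dst_port):
                path.append("squid:local-socket")
                return path
            # No owning socket: the bridge just forwards the frame onward.
        path.append(hop)
        node = hop
    return path


def reply_reaches_squid(bridged):
    """True when the return packets of a spoofed connection end up at squid."""
    return trace_reply(bridged)[-1] == "squid:local-socket"


if __name__ == "__main__":
    for bridged in (False, True):
        print(f"bridged={bridged}: {' -> '.join(trace_reply(bridged))}")
```

Running it prints `router0 -> router_a -> clients_a` for the non-bridged case (squid never sees the reply, so the spoofed connection hangs exactly as the reply describes) and `router0 -> squid(bridge) -> squid:local-socket` once the squid box sits inline as a bridge.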