Hi Uenal,

I tried the steps that you specified, but that didn't help. I already had most of the steps except the one for the nonlocal bind. But I still don't see any packets getting to squid. Can someone explain to me what the following two commands are supposed to achieve? I am a little confused on that. I think the second command especially is not correct for my setup, because as soon as I issue it all HTTP traffic stops getting to the internet.

ip -f inet rule add fwmark 111 lookup 100
ip -f inet route add local default dev lo table 100

Thanks,
Carvaka

On Thu, Feb 26, 2015 at 12:03 PM, U.Mutlu <for-forums@mutluit.com> wrote:
Hello,
did you do these steps on the tproxy-host? :
do_set_as_router() {
    # disable reverse-path filtering on every interface
    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 >$f ; done
    # enable IP forwarding globally and per interface
    echo 1 >/proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/forwarding ; do echo 1 >$f ; done
    # allow sockets to bind to addresses that are not configured locally
    echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind
    for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do echo 1 >$f ; done
    for f in /proc/sys/net/ipv4/conf/*/proxy_arp ; do echo 1 >$f ; done
}
cu Uenal
Carvaka Guru wrote, On 02/25/2015 08:40 PM:
Yes, I did, and tried the recommendations there too, but that is a much more complicated setup.
Mine is a simple setup where I have a client PC (192.168.25.107) connected directly to my linux firewall router on eth1 (192.168.25.1). The eth0 (10.1.20.204) of the router is connected to the internet.
Router has -
1. squid3 3.4.8
2. iptables 1.4.14
3. libcap2
4. libcap2-dev
Squid config has the directive - http_port 3128 tproxy
iptables is setup with the following directives -
# default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# NAT for everything leaving on the WAN side
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# DIVERT chain: mark packets that already belong to a local (squid) socket
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --match socket -j DIVERT

# hand new HTTP flows to squid's tproxy port and mark them
iptables -t mangle -A PREROUTING -p tcp --match multiport --dport http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111

routing config is -

ip -f inet rule add fwmark 111 lookup 100
ip -f inet route add local default dev lo table 100
The moment I add the second line (ip route), all HTTP traffic gets black-holed. Not sure where it is going.
I have enabled logging in Squid "ALL,2" which usually shows detailed traffic traversing through squid but with this setup, nothing!
On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
Hey Carvaka,
Did you have the chance to read this article: http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
Thanks, Eliezer
On 25/02/2015 19:15, Carvaka Guru wrote:
I am building a simple linux firewall router with eth1 LAN port and eth0 WAN port. I have squid3 running on it that I have built with netfilter enabled. The linux version running on the firewall is debian wheezy which has iptables with TPROXY and socket support.
By setting up the iptables to send traffic to squid3 using the original nat prerouting REDIRECT method everything works fine, but I can't get the TPROXY method to work. I followed all the steps outlined in http://wiki.squid-cache.org/Features/Tproxy4 but no traffic gets to squid3. In fact all HTTP traffic goes into some hole as soon as I issue the following two routing commands -

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Without these two commands the HTTP traffic goes through but never gets routed to squid3.
I think the "ip route" command is the culprit but I don't know why or what to change it to?
Any suggestions, help would be much appreciated.
Thanks, carvaka
_______________________________________________ tproxy mailing list tproxy@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/tproxy
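As an added example, not code from any message in this thread: the sysctl, mangle-rule and policy-routing steps discussed above collected into one script. With TPROXY_DRY_RUN=1 it prints the commands instead of executing them, so the generated ruleset can be reviewed without root. The interface names, Squid port, mark value and table number are taken from the thread as defaults but are assumptions for any other box; the `run` wrapper, the `up`/`down`/`show` sub-commands and the restriction of the TPROXY rule to the LAN interface are my additions, not something the wiki or the posters prescribe.

```shell
#!/bin/sh
# Added example (not from the thread): TPROXY interception for Squid as one
# parameterised script. TPROXY_DRY_RUN=1 echoes commands instead of running them.
# All values below are assumptions; adjust them for your router.
LAN_IF="${LAN_IF:-eth1}"         # client side
WAN_IF="${WAN_IF:-eth0}"         # internet side
SQUID_PORT="${SQUID_PORT:-3128}" # must match "http_port 3128 tproxy" in squid.conf
MARK="${MARK:-111}"              # the one mark used by MARK, TPROXY and the ip rule
TABLE="${TABLE:-100}"            # policy-routing table for marked packets

run() {
    if [ "${TPROXY_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel knobs. The effective rp_filter on an interface is the larger of
# conf.all and the per-interface value, so both have to be 0 or the replies
# returning on the WAN side (addressed to the client, not to us) are dropped.
tproxy_sysctl() {
    for key in net.ipv4.ip_forward=1 \
               net.ipv4.ip_nonlocal_bind=1 \
               net.ipv4.conf.all.rp_filter=0 \
               net.ipv4.conf.default.rp_filter=0 \
               "net.ipv4.conf.$LAN_IF.rp_filter=0" \
               "net.ipv4.conf.$WAN_IF.rp_filter=0"; do
        run sysctl -w "$key"
    done
}

# Mangle rules. Order matters: the socket match comes first so packets of
# connections Squid already owns are marked without going through TPROXY again.
tproxy_iptables() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # Only intercept new flows arriving from the LAN, never WAN-side traffic.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
        -m multiport --dports 80,8080 \
        -j TPROXY --on-port "$SQUID_PORT" --tproxy-mark "$MARK"
}

# Policy routing: every packet carrying MARK is looked up in TABLE, whose only
# route delivers it to the local stack instead of forwarding it. That is what
# lets Squid receive packets addressed to foreign IPs; it is also why a marked
# packet that no transparent socket can answer looks like a black hole.
tproxy_routing() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Non-zero packet counters on the TPROXY rule mean the mangle side works and
# the problem is downstream (route, rp_filter, Squid capabilities).
tproxy_show() {
    run ip rule show
    run ip route show table "$TABLE"
    run iptables -t mangle -L PREROUTING -n -v
}

tproxy_teardown() {
    run ip route del local 0.0.0.0/0 dev lo table "$TABLE"
    run ip rule del fwmark "$MARK" lookup "$TABLE"
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -F DIVERT
    run iptables -t mangle -X DIVERT
}

case "${1:-}" in
    up)   tproxy_sysctl; tproxy_iptables; tproxy_routing ;;
    down) tproxy_teardown ;;
    show) tproxy_show ;;
esac
```

Run `sh tproxy.sh up` as root on the router and `sh tproxy.sh show` while a client browses; `TPROXY_DRY_RUN=1 sh tproxy.sh up` prints the exact commands first. Squid itself must be able to set IP_TRANSPARENT on its tproxy port, which requires CAP_NET_ADMIN; that is the reason libcap appears on the package list in the thread.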