[tproxy] Tproxy request getting timed-out

8 Sep 2011

      Hi

I am running squid 3.1.15 , kernel version 2.6.32-33-server , Iptables
version v1.4.4. I followed the instrcution given on When the client browse
using this Squid as gateway, request are getting timed out with following in
access.log

1315384947.854  60225 xx.xx.xx.xx TCP_MISS/000 0 GET
http://www.google.co.in/url? - DIRECT/www.google.co.in -
1315384949.431 117995 xx.xx.xx.xx TCP_MISS/000 0 GET
http://www.google.co.in/url? - DIRECT/www.google.co.in -

where xx.xx.xx.xx are client Public Ips

Following is the squid setup

1) Network configuration

Router ---> squid (eth0 - Public IP) --> Client (Public IP)

sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 1

cat /boot/config-2.6.32-33-server |grep -E
'(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m

iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere            socket
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www
TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            MARK xset
0x1/0xffffffff
ACCEPT     all  --  anywhere             anywhere

from squid.conf

http_port 3129 tproxy

from dmesg

[62387.197490] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[62387.197746] CONFIG_NF_CT_ACCT is deprecated and will be removed soon.
Please use
[62387.197749] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack
module option or
[62387.197752] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[62387.242358] NF_TPROXY: Transparent proxy support initialized, version
4.1.0
[62387.242362] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

Browsing is happening fine in transparent mode using http_port 3128
transparent..

Please help....

-- 
Karthik Vembar

“Condemn none: if you can stretch out a helping hand, do so. If you cannot,
fold your hands, bless your brothers, and let them go their own way.” Swami
Vivekananda