Hi

I am running squid 3.1.15, kernel version 2.6.32-33-server, iptables version v1.4.4. I followed the instruction given on When the client browses using this Squid as gateway, requests are getting timed out with the following in access.log

1315384947.854  60225 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -
1315384949.431 117995 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -

where xx.xx.xx.xx are client public IPs

Following is the squid setup

1) Network configuration

Router ---> squid (eth0 - Public IP) --> Client (Public IP)

sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 1

cat /boot/config-2.6.32-33-server |grep -E '(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m


iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DIVERT     tcp  --  anywhere             anywhere            socket
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain DIVERT (1 references)
target     prot opt source               destination        
MARK       all  --  anywhere             anywhere            MARK xset 0x1/0xffffffff
ACCEPT     all  --  anywhere             anywhere           


from squid.conf

http_port 3129 tproxy

from dmesg

[62387.197490] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[62387.197746] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[62387.197749] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[62387.197752] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[62387.242358] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[62387.242362] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

Browsing is happening fine in transparent mode using http_port 3128 transparent.

Please help....


--
Karthik Vembar


“Condemn none: if you can stretch out a helping hand, do so. If you cannot, fold your hands, bless your brothers, and let them go their own way.” Swami Vivekananda
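A small parser for the Squid native access.log format quoted in the post above, flagging transactions that ended with status 000 and zero bytes after a long wait. This is an added example, not code from the poster or the Squid project; the first two sample lines are the ones quoted in the post, the third is a constructed healthy request for contrast, and the 30-second threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Squid native format, space separated:
# time elapsed_ms client result/status bytes method URL ident hierarchy/peer type
# Lines 1-2 are the ones quoted in the post; line 3 is a constructed healthy request.
SAMPLE_LOG = """\
1315384947.854  60225 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -
1315384949.431 117995 xx.xx.xx.xx TCP_MISS/000 0 GET http://www.google.co.in/url? - DIRECT/www.google.co.in -
1315384950.102    312 xx.xx.xx.xx TCP_MISS/200 5120 GET http://www.google.co.in/ - DIRECT/www.google.co.in text/html
"""


@dataclass
class Entry:
    when: datetime
    elapsed_ms: int
    client: str
    result: str       # e.g. TCP_MISS
    status: int       # HTTP status; 000 means no reply was ever received
    bytes_sent: int
    method: str
    url: str
    hierarchy: str    # e.g. DIRECT
    peer: str         # origin host or cache peer


def parse_line(line: str) -> Entry:
    """Split one native-format line into typed fields; ValueError on junk."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, _, peer = f[8].partition("/")
    return Entry(datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
                 int(f[1]), f[2], result, int(status), int(f[4]),
                 f[5], f[6], hierarchy, peer)


def is_stalled(e: Entry, min_elapsed_ms: int = 30_000) -> bool:
    """Status 000 with zero bytes after tens of seconds means the origin never
    answered: the symptom in the post, where the TPROXY connection hangs.
    The 30 s threshold is an assumed default, tune it to your timeouts."""
    return e.status == 0 and e.bytes_sent == 0 and e.elapsed_ms >= min_elapsed_ms


def stalled_entries(log_text: str) -> list:
    """Return the stalled transactions found in a chunk of access.log text."""
    return [e for e in map(parse_line, log_text.splitlines()) if is_stalled(e)]
```

`stalled_entries(SAMPLE_LOG)` returns the two quoted transactions (60225 ms and 117995 ms, both status 000) and skips the constructed 200 response; feed it real access.log text to separate origin-side hangs from ordinary misses.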