KOVACS Krisztian wrote:
Hi,
Do you have other http_ports defined? Does it change anything if you use
http_port 3128 tproxy
that is, you omit the IP from the listener config?
If not, can you get detailed debug logs from squid?

Well, I should first think, then click 'send'. (I should think twice, resending to the mailing list)

First:
I missed "Missing needed capability /support/. Will /continue without tproxy support/" in my cache log. After installing libcap and putting capabilities.h into the right place it worked ;)
(kernel: 2.6.28-rc7, iptables: 1.4.3-rc1, gentoo version of squid-2.7-stable4 with patch from https://lists.balabit.hu/pipermail/tproxy/2008-September/000944.html)

Second:
My network topology was:

|---------|  |---------|  |-------|
|   LAN   |--| router  |--|  WAN  |
|---------|  |---------|  |-------|
                  |
             |---------|
             | tproxy  |
             |---------|

I think that conntrack on the router was making something uncool with http downstream; SYN packets were arriving to the tproxy box, but I wasn't able to redirect downstream to the tproxy box.

After upgrading to:

|---------|  |---------|          |---------|  |-------|
|   LAN   |--| tproxy  |----------| router  |--|  WAN  |
|---------|  |---------|          |---------|  |-------|

it started to work, but I had some problems with tproxy in bridge mode. After loading:

    INSIDE_DEV=eth0
    OUTSIDE_DEV=eth1

    ebtables -t broute -A BROUTING -i $INSIDE_DEV -p ipv4 \
        --ip-protocol tcp --ip-destination-port 80 \
        -j redirect --redirect-target DROP

    ebtables -t broute -A BROUTING -i $OUTSIDE_DEV -p ipv4 \
        --ip-protocol tcp --ip-source-port 80 \
        -j redirect --redirect-target DROP

my bridge started to drop ipv4 traffic with src other than 10.0.0.0/8 (br0 has address 10.1.1.46/8, and gw: 10.1.1.201) - PPPoE and ARP packets were passing without problems, but other routed IPs were dropped.