Re: [tproxy] Squid with TProxy Support
Hi Firas,

Your understanding is absolutely correct.

Regards,
--Chinmay

From: Firas Rasmy <firasrasmy@yahoo.com>
Sent: Wed, 03 Jul 2013 04:34:02
To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Subject: Re: [tproxy] Squid with TProxy Support

Thanks a lot for your reply, Eliezer!

I have another question here regarding the following iptables rules, which are needed to get TPROXY to work:

    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

What is "-m socket" used for? The man page of iptables says that "-m socket" matches if an open socket can be found by doing a socket lookup on the packet. I think the following rule is intended for reply packets coming from web servers to squid (with the spoofed IP address), am I right? If not, please correct me:

    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

Best regards,
Firas

From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: tproxy@lists.balabit.hu
Sent: Monday, July 1, 2013 11:00 PM
Subject: Re: [tproxy] Squid with TProxy Support

CentOS comes with TPROXY, so you don't need to recompile or do anything more than use the bundled kernel from CentOS.
Take a small peek at this tutorial:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
The tutorial has all the working examples that are needed for tproxy with squid.
If you need more help you can try squid-users.

Eliezer

On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> Hello there!
>
> I'm trying to install squid with TPROXY support. I'm using a CentOS 6.4
> (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> 4.1.7
>
> I've followed the instructions in
> http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> connecting to any website from a client with the Chrome browser fails with
> this error:
> Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> without sending any data.
>
> When trying to telnet squid on port 80, I get a connection but the
> connection is closed once I hit any key! I think packets are being
> redirected to squid successfully because if I stop squid, there would be
> no connections at all. Do you have any idea of what might be the reason?
>
> Another question: I have checked that my current kernel was already
> built with these options:
> NF_CONNTRACK=m
> NETFILTER_TPROXY=m
> NETFILTER_XT_MATCH_SOCKET=m
> NETFILTER_XT_TARGET_TPROXY=m
>
> Do I still have to recompile it with patches from
> http://www.balabit.com/downloads/files/tproxy/?
> There are no patches available for this current version. What about
> iptables? Do I need to patch it?
>
> My last question is: the TPROXY target in the mangle table is not supposed
> to change anything in the packet header, so how would the packets with the TPROXY
> target be redirected to --on-port if the IP header is untouched?!
>
> Thanks a lot for your help!
>
> Best regards,
> Firas
>
> _______________________________________________
> tproxy mailing list
> tproxy@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
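Added example, not part of the thread or of Squid's or netfilter's code: a Python model of how the two PREROUTING rules Firas asks about decide where a TCP packet goes, plus a minimal IP_TRANSPARENT listener showing the --on-port side. The model follows the documented behaviour of `-m socket` (full 4-tuple lookup, wildcard listeners ignored by default) and of the TPROXY target (mark set, header untouched, delivery to --on-port via policy routing). The addresses, ports and socket table are constructed for illustration; the `ip rule`/`ip route` pair in the comment is the standard local-delivery setup for the mark, not something the thread itself quotes.

```python
"""Model of the two mangle rules from the thread:
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port 3129
Addresses, ports and the socket table are constructed for illustration."""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPROXY_PORT = 3129   # --on-port
TPROXY_MARK = 0x1    # --tproxy-mark 0x1/0x1, same value DIVERT sets via MARK


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


@dataclass(frozen=True)
class Sock:
    """A local TCP socket. With IP_TRANSPARENT its local address may be
    non-local: the origin server's IP (accepted client side) or the
    client's IP (spoofed upstream side)."""
    local_ip: str
    local_port: int
    remote_ip: Optional[str] = None     # None => listening socket
    remote_port: Optional[int] = None


def socket_lookup(pkt: Packet, socks: List[Sock]) -> Optional[Sock]:
    """Emulates `-m socket` with default flags: dst/dport is the local side,
    src/sport the remote side. Established sockets match on the 4-tuple;
    listeners bound to 0.0.0.0 are ignored (no --nowildcard), so Squid's
    port-3129 listener never matches this rule."""
    for s in socks:
        if (s.local_ip, s.local_port, s.remote_ip, s.remote_port) == \
                (pkt.dst, pkt.dport, pkt.src, pkt.sport):
            return s
    for s in socks:
        if s.remote_ip is None and s.local_ip == pkt.dst \
                and s.local_port == pkt.dport:          # non-wildcard listener
            return s
    return None


def mangle_prerouting(pkt: Packet, socks: List[Sock]) -> Tuple[str, int, Optional[int]]:
    """(verdict, fwmark, delivery port) for the two rules, in order. Neither
    rewrites the IP header: the mark plus `ip rule add fwmark 1 lookup 100`
    and `ip route add local 0.0.0.0/0 dev lo table 100` make the stack
    deliver the packet locally, to the socket found or to --on-port."""
    if socket_lookup(pkt, socks) is not None:           # rule 1: -m socket -j DIVERT
        return ("DIVERT", TPROXY_MARK, None)
    if pkt.dport == 80:                                 # rule 2: --dport 80 -j TPROXY
        return ("TPROXY", TPROXY_MARK, TPROXY_PORT)
    return ("ACCEPT", 0, None)                          # unmarked: forwarded normally


# Constructed state on the proxy after Squid accepted one client connection
# and opened its upstream connection with the client's IP spoofed.
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
LISTENER = Sock("0.0.0.0", TPROXY_PORT)
PROXY_SOCKETS = [
    LISTENER,
    Sock(SERVER, 80, CLIENT, 51514),    # accepted side: local = original destination
    Sock(CLIENT, 40000, SERVER, 80),    # upstream side: local = spoofed client IP
]


def demo() -> dict:
    """Only the first SYN needs the TPROXY target; later client segments and
    the server's replies to the spoofed address are caught by -m socket."""
    return {
        "client_syn":   mangle_prerouting(Packet(CLIENT, 51514, SERVER, 80, syn=True), [LISTENER]),
        "client_data":  mangle_prerouting(Packet(CLIENT, 51514, SERVER, 80), PROXY_SOCKETS),
        "server_reply": mangle_prerouting(Packet(SERVER, 80, CLIENT, 40000), PROXY_SOCKETS),
        "other_port":   mangle_prerouting(Packet(CLIENT, 51515, SERVER, 443), PROXY_SOCKETS),
    }


def transparent_listener(port: int = TPROXY_PORT) -> socket.socket:
    """The --on-port side: IP_TRANSPARENT lets this socket accept connections
    whose destination IP is not local, and getsockname() on an accepted
    connection returns the original server address because the header was
    never rewritten. Needs CAP_NET_ADMIN on Linux; not called by demo()."""
    ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)   # 19 is the Linux value
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, ip_transparent, 1)
    s.bind(("0.0.0.0", port))
    s.listen(128)
    return s


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The `server_reply` case is the one Firas describes: the reply from the origin server is addressed to the client's IP, so without `-m socket` it would be routed on toward the client; the socket match finds Squid's spoofed upstream socket and the mark pulls the packet into the local stack instead.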
participants (1)
-
Chinmay Mahata