Tproxy + squid + Wccp version 2 + FC5 Does it really work
Hello,

I had been struggling for almost a month trying to make tproxy + Squid + Wccp work for me but all my effort gives me only "2007/05/28 11:50:30| tproxy ip=xxx.xxx.xxx.xxx,0x2e11c87a,port=0 ERROR ASSIGN". And I can only see my squid ip with www.dnsstuff.com & www.tracert.com.

Please can anyone help me with the correct method & steps to make it work for me ?

Regards
Rajesh

-----Original Message-----
From: tproxy-bounces@lists.balabit.hu [mailto:tproxy-bounces@lists.balabit.hu] On Behalf Of tproxy-request@lists.balabit.hu
Sent: Sunday, May 27, 2007 3:30 PM
To: tproxy@lists.balabit.hu
Subject: tproxy Digest, Vol 23, Issue 5

Today's Topics:
1. Re: The future of tproxy (Jan Engelhardt)
2. Re: The future of tproxy (Igmar Palsenberg)
3. Re: The future of tproxy (Jan Engelhardt)
4. Re: The future of tproxy (Balazs Scheidler)

----------------------------------------------------------------------

Message: 1
Date: Sat, 26 May 2007 21:16:38 +0200 (MEST)
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Subject: Re: [tproxy] The future of tproxy
To: Balazs Scheidler <bazsi@balabit.hu>
Cc: Nicholas George <nick.george@gmail.com>, tproxy@lists.balabit.hu
Message-ID: <Pine.LNX.4.61.0705262114160.7344@yvahk01.tjqt.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On May 26 2007 07:36, Balazs Scheidler wrote:
What are your future plans for TPROXY? I noticed that there's no plan for NAT in ipv6tables, so are you looking to move away from a NAT approach? Are you considering migrating towards Network Channels?
We definitely want to move away from NAT, and we don't plan to migrate towards network channels. (at least for now).
But how is one supposed to fake addresses then? -- most prominent case: squid

Jan
--

------------------------------

Message: 2
Date: Sat, 26 May 2007 22:32:06 +0200 (CEST)
From: Igmar Palsenberg <maillist@jdimedia.nl>
Subject: Re: [tproxy] The future of tproxy
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Balazs Scheidler <bazsi@balabit.hu>, Nicholas George <nick.george@gmail.com>, tproxy@lists.balabit.hu
Message-ID: <Pine.LNX.4.64.0705262231210.30518@jdi.jdi-ict.nl>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
We definitely want to move away from NAT, and we don't plan to migrate towards network channels. (at least for now).
But how is one supposed to fake addresses then?
By bind()'ing to the remote address, like the way it was done in the Linux 2.2 days.

Igmar

------------------------------

Message: 3
Date: Sat, 26 May 2007 22:45:19 +0200 (MEST)
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Subject: Re: [tproxy] The future of tproxy
To: Igmar Palsenberg <maillist@jdimedia.nl>
Cc: Balazs Scheidler <bazsi@balabit.hu>, Nicholas George <nick.george@gmail.com>, tproxy@lists.balabit.hu
Message-ID: <Pine.LNX.4.61.0705262244270.7344@yvahk01.tjqt.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On May 26 2007 22:32, Igmar Palsenberg wrote:
We definitely want to move away from NAT, and we don't plan to migrate towards network channels. (at least for now).
But how is one supposed to fake addresses then?
By bind()'ing to the remote address, like the way it was done in the Linux 2.2 days.
Yeah but you'd still need a local table that lists tproxied sockets, so that for an arbitrary incoming packet it can be decided whether it is to go through the INPUT or FORWARD chain (and subsequently, destination program/host).

Jan
--

------------------------------

Message: 4
Date: Sun, 27 May 2007 00:19:43 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [tproxy] The future of tproxy
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Igmar Palsenberg <maillist@jdimedia.nl>, Nicholas George <nick.george@gmail.com>, tproxy@lists.balabit.hu
Message-ID: <1180217983.19697.33.camel@bzorp.balabit>
Content-Type: text/plain

On Sat, 2007-05-26 at 22:45 +0200, Jan Engelhardt wrote:
On May 26 2007 22:32, Igmar Palsenberg wrote:
We definitely want to move away from NAT, and we don't plan to migrate towards network channels. (at least for now).
But how is one supposed to fake addresses then?
By bind()'ing to the remote address, like the way it was done in the Linux 2.2 days.
Yeah but you'd still need a local table that lists tproxied sockets, so that for an arbitrary incoming packet it can be decided whether it is to go through the INPUT or FORWARD chain (and subsequently, destination program/host).
The local table is the "socket hash". We do a socket lookup early in the input path and divert the packet to the local IP stack by changing its dst_entry.

-- Bazsi
On Mon, 2007-05-28 at 11:54 +0530, Rajesh Yadav wrote:
Hello,
I had been struggling for almost a month trying to make tproxy + Squid + Wccp work for me but all my effort gives me only "2007/05/28 11:50:30| tproxy ip=xxx.xxx.xxx.xxx,0x2e11c87a,port=0 ERROR ASSIGN". And I can only see my squid ip with www.dnsstuff.com & www.tracert.com.
Please can anyone help me with the correct method & steps to make it work for me ?
I don't really know the squid part, but are you sure tproxy itself is working properly?

Does the tproxy table exist? Can you add TPROXY rules there? Do they get redirected?

-- Bazsi
Hello,

I am in the same situation. I've continued using only transparent, because of the port error assignment. I'm using only one NIC, but I know of some partners who get it to work using two NICs and forcing tcp_outgoing_address in squid.conf.

Hope it helps.

--- Balazs Scheidler <bazsi@balabit.hu> wrote:
On Mon, 2007-05-28 at 11:54 +0530, Rajesh Yadav wrote:
Hello,
I had been struggling for almost a month trying to make tproxy + Squid + Wccp work for me but all my effort gives me only "2007/05/28 11:50:30| tproxy ip=xxx.xxx.xxx.xxx,0x2e11c87a,port=0 ERROR ASSIGN". And I can only see my squid ip with www.dnsstuff.com & www.tracert.com.
Please can anyone help me with the correct method & steps to make it work for me ?
I don't really know the squid part, but are you sure tproxy itself is working properly?
Does the tproxy table exist? Can you add TPROXY rules there? Do they get redirected?
-- Bazsi
Hello,
I had been struggling for almost a month trying to make tproxy + Squid + Wccp work for me but all my effort gives me only "2007/05/28 11:50:30| tproxy ip=xxx.xxx.xxx.xxx,0x2e11c87a,port=0 ERROR ASSIGN". And I can only see my squid ip with www.dnsstuff.com & www.tracert.com.
Please can anyone help me with the correct method & steps to make it work for me ?
Most probably, you might not have set the outgoing IP address directive in the squid.conf or the proxy is not on the bidirectional path of the web traffic.

-logu
Participants (4): Balazs Scheidler, Logu, Nicolas Royo, Rajesh Yadav