tproxy and tcp_outgoing_address
We are working to set up a Squid proxy server using the tproxy kernel and iptables patches. We've worked to get it configured for several days now and are having some problems. I spent a lot of time with Google and the mailing list archives but can't get my problem fixed. The proxy server has been working, but I can't get it to rewrite the packets to show the client IP as the requesting IP for HTML requests. Trying to fix this, I specify the interface of the squid server for tcp_outgoing_address in the squid.conf file, but then clients can no longer access webpages. Their browser keeps waiting until they get a timeout error from the proxy server. Squid's access.log file shows a 504 error. I'm sure I'm missing something obvious, but I can't figure out what it is.

BTW, I'm under the impression that ip_gre in recent kernels can do the equivalent of the ip_wccp module in older kernels. We are wanting to do the equivalent of ip_wccp as our router cannot do the GRE tunnel. I'm basing this understanding off of the following page: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290...

Specifics:
OS: Debian 4.0
Kernel: 2.6.19.7 (patched with tproxy patch)
iptables-1.3.7 (patched with tproxy patch)

Relevant modules loaded: iptable_filter ipt_TPROXY xt_tcpudp iptable_tproxy iptable_nat ip_nat ip_conntrack ip_tables
(Note: ip_gre is built statically into the kernel)

Iptables rule added:
iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
(Note: eth1 is the interface of the proxy server that clients hit. I've also tried eth0 in this iptables rule, as well as leaving out the -i flag entirely.)

Relevant parts of squid.conf:
http_port 80 transparent tproxy
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
tcp_outgoing_address <IP address of eth1>
server_persistent_connections off

If anybody can help me figure out what I'm missing, I would be most thankful.

Sincerely,
Bryan Walton
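As an added example, not code from the thread or from the Squid or tproxy projects, here is a small Python check that runs over the squid.conf fragment and iptables rule posted above. It encodes two things worth verifying before digging into the kernel side: that the TPROXY rule's --on-port matches a Squid http_port carrying the tproxy flag, and that tcp_outgoing_address is not set alongside a tproxy listener. The second check is motivated by the thread itself: TPROXY spoofing sends upstream connections with the client's own address as source, and the poster reports that pinning tcp_outgoing_address to eth1's address is exactly when clients started timing out with 504s. The config lines are the ones posted; the address 192.0.2.1 stands in for the "<IP address of eth1>" placeholder, and the function names are my own.

```python
import re

# Constructed sample: the squid.conf fragment from the thread. The outgoing
# address is a documentation-range placeholder (assumption), since the post
# only says "<IP address of eth1>".
SQUID_CONF = """\
http_port 80 transparent tproxy
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
tcp_outgoing_address 192.0.2.1
server_persistent_connections off
"""

# Constructed sample: the iptables rule from the thread, as posted.
IPTABLES_RULES = [
    "iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80",
]


def parse_squid_conf(text):
    """Return (directive, [args]) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def tproxy_listen_ports(entries):
    """Ports of every http_port line that carries the 'tproxy' flag."""
    ports = set()
    for directive, args in entries:
        if directive == "http_port" and args and "tproxy" in args[1:]:
            # http_port accepts "[ip:]port"; keep only the port part.
            ports.add(int(args[0].rsplit(":", 1)[-1]))
    return ports


def tproxy_redirect_ports(rules):
    """--on-port values of every rule whose target is TPROXY."""
    ports = []
    for rule in rules:
        if "-j TPROXY" not in rule:
            continue
        m = re.search(r"--on-port\s+(\d+)", rule)
        if m:
            ports.append(int(m.group(1)))
    return ports


def check(conf_text, rules):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    entries = parse_squid_conf(conf_text)
    listen = tproxy_listen_ports(entries)
    redirect = tproxy_redirect_ports(rules)

    if listen and not redirect:
        findings.append(
            "squid has an http_port in tproxy mode but no iptables rule with -j TPROXY redirects to it"
        )
    for port in redirect:
        if port not in listen:
            findings.append(
                f"TPROXY --on-port {port} does not match any 'http_port ... tproxy' "
                f"(squid tproxy ports: {sorted(listen)})"
            )
    if listen and any(d == "tcp_outgoing_address" for d, _ in entries):
        findings.append(
            "tcp_outgoing_address is set while http_port uses tproxy: spoofed upstream "
            "connections need the client's address as source, and the thread reports "
            "that pinning the outgoing address to eth1 produced 504 timeouts"
        )
    return findings


if __name__ == "__main__":
    for finding in check(SQUID_CONF, IPTABLES_RULES) or ["no findings"]:
        print("-", finding)
```

Running it against the posted configuration reports only the tcp_outgoing_address finding; dropping that directive yields no findings. The check deliberately says nothing about the other thing Pranav asks about below, whether the web server's replies can reach the client only through the proxy, because that is a routing property that cannot be read off squid.conf or the iptables rule.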
On 4/17/07, Bryan K. Walton <bryankwalton@machlink.com> wrote:
> We are working to set up a Squid proxy server using the tproxy kernel and iptables patches. We've worked to get it configured for several days now and are having some problems. I spent a lot of time with Google and the mailing list archives but can't get my problem fixed. The proxy server has been working, but I can't get it to rewrite the packets to show the client IP as the requesting IP for HTML requests. Trying to fix this, I specify the interface of the squid server for tcp_outgoing_address in the squid.conf file, but then clients can no longer access webpages. Their browser keeps waiting until they get a timeout error from the proxy server. Squid's access.log file shows a 504 error. I'm sure I'm missing something obvious, but I can't figure out what it is.
>
> BTW, I'm under the impression that ip_gre in recent kernels can do the equivalent of the ip_wccp module in older kernels. We are wanting to do the equivalent of ip_wccp as our router cannot do the GRE tunnel. I'm basing this understanding off of the following page:
I suggest you try out the sample programs provided with the tproxy modules. That will at least verify the kernel part. I am not sure of the squid configs.

The other thing you want to check is whether the webserver (set up your own for testing if you can) is able to get to the clients through the proxy only and not through some other direct means.

Hope this helps.

-- Pranav
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290...
>
> Specifics:
> OS: Debian 4.0
> Kernel: 2.6.19.7 (patched with tproxy patch)
> iptables-1.3.7 (patched with tproxy patch)
>
> Relevant modules loaded: iptable_filter ipt_TPROXY xt_tcpudp iptable_tproxy iptable_nat ip_nat ip_conntrack ip_tables
> (Note: ip_gre is built statically into the kernel)
>
> Iptables rule added:
> iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
> (Note: eth1 is the interface of the proxy server that clients hit. I've also tried eth0 in this iptables rule, as well as leaving out the -i flag entirely.)
>
> Relevant parts of squid.conf:
> http_port 80 transparent tproxy
> wccp2_service dynamic 80
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
> tcp_outgoing_address <IP address of eth1>
> server_persistent_connections off
>
> If anybody can help me figure out what I'm missing, I would be most thankful.
>
> Sincerely,
> Bryan Walton
>
> _______________________________________________
> tproxy mailing list
> tproxy@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
--
------------------------------
http://pd.dnsalias.org
On Tue, Apr 17, 2007 at 12:51:06PM -0700, Pranav Desai wrote:
> I suggest you try out the sample programs provided with the tproxy modules. That will at least verify the kernel part.

Thanks. I'll look into those.

-Bryan