[tproxy] tproxy and tcp_outgoing_address
Bryan K. Walton
bryankwalton at machlink.com
Tue Apr 17 18:37:24 CEST 2007
We are working to setup a Squid proxy server using the tproxy kernel
and iptables patches. We've worked to get it configured for several
days now and are having some problems. I spent a lot of time with
Google and the mailing list archives but can't get my problem fixed.
The proxy server has been working but I can't get it to rewrite the
packets to show the client IP as the requesting IP for html requests.
Trying to fix this, I specify the interface of the squid server for
tcp_outgoing_address in the squid.conf file, but then client's can
no longer access webpages. Their browser keeps waiting until they get
a timeout error from the proxy server. Squid's access.log file shows
a 504 error. I'm sure I'm missing something obvious, but I can't
figure out what it is. BTW, I'm under the impression that ip_gre in
recent kernels can do the equivalent of ip_wccp modules in older
kernels. We are wanting to do the eqivalent of the ip_wccp as our
router cannot do the GRE tunnel. I'm basing this understanding off of
the following page:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b
Specifics:
OS: Debian 4.0
Kernel: 2.6.19.7 (patched with tproxy patch)
iptables-1.3.7 (patched with trproxy patch)
Relevant Modules loaded:
iptable_filter
ipt_TPROXY
xt_tcpudp
iptable_tproxy
iptable_nat
ip_nat
ip_conntrack
ip_tables
(Note: ip_gre is built staticly into the kernel)
Iptables rule added:
iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 80
(Note: eth1 is the inteface of the proxy server that clients hit.
I've also tried eth0 in this iptables rule, as well as leaving out the
-i flag entirely.)
Relevant Parts of squid.conf:
http_port 80 transparent tproxy
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
priority=240 ports=80
tcp_outgoing_address <IP address of eth1>
server_persistent_connections off
If anybody can help me figure out what I'm missing, I would be most thankful.
Sincerely,
Bryan Walton
More information about the tproxy
mailing list