[tproxy] tproxy and tcp_outgoing_address

Bryan K. Walton bryankwalton at machlink.com
Tue Apr 17 18:37:24 CEST 2007


We are working to setup a Squid proxy server using the tproxy kernel
and iptables patches.  We've worked to get it configured for several
days now and are having some problems.  I spent a lot of time with
Google and the mailing list archives but can't get my problem fixed.
The proxy server has been working but I can't get it to rewrite the
packets to show the client IP as the requesting IP for html requests.
Trying to fix this, I specify the interface of the squid server for
tcp_outgoing_address in the squid.conf file, but then client's can 
no longer access webpages.  Their browser keeps waiting until they get
a timeout error from the proxy server.  Squid's access.log file shows
a 504 error.  I'm sure I'm missing something obvious, but I can't
figure out what it is.  BTW, I'm under the impression that ip_gre in
recent kernels can do the equivalent of ip_wccp modules in older
kernels.  We are wanting to do the eqivalent of the ip_wccp as our
router cannot do the GRE tunnel.  I'm basing this understanding off of
the following page:

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b

Specifics:
OS: Debian 4.0
Kernel: 2.6.19.7 (patched with tproxy patch)
iptables-1.3.7 (patched with trproxy patch)

Relevant Modules loaded:
iptable_filter
ipt_TPROXY
xt_tcpudp
iptable_tproxy
iptable_nat
ip_nat
ip_conntrack
ip_tables
(Note: ip_gre is built staticly into the kernel)

Iptables rule added:
iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 80

(Note: eth1 is the inteface of the proxy server that clients hit. 
I've also tried eth0 in this iptables rule, as well as leaving out the
-i flag entirely.)

Relevant Parts of squid.conf:
http_port 80 transparent tproxy
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
priority=240 ports=80
tcp_outgoing_address <IP address of eth1>
server_persistent_connections off 

If anybody can help me figure out what I'm missing, I would be most thankful.
Sincerely,
Bryan Walton


More information about the tproxy mailing list