[tproxy] tproxy and tcp_outgoing_address

Pranav Desai pranavadesai at gmail.com
Tue Apr 17 21:51:06 CEST 2007

On 4/17/07, Bryan K. Walton <bryankwalton at machlink.com> wrote:
> We are working to set up a Squid proxy server using the tproxy kernel
> and iptables patches.  We've worked to get it configured for several
> days now and are having some problems.  I spent a lot of time with
> Google and the mailing list archives but can't get my problem fixed.
> The proxy server has been working but I can't get it to rewrite the
> packets to show the client IP as the requesting IP for html requests.
> Trying to fix this, I specify the interface of the squid server for
> tcp_outgoing_address in the squid.conf file, but then clients can
> no longer access webpages.  Their browser keeps waiting until they get
> a timeout error from the proxy server.  Squid's access.log file shows
> a 504 error.  I'm sure I'm missing something obvious, but I can't
> figure out what it is.  BTW, I'm under the impression that ip_gre in
> recent kernels can do the equivalent of ip_wccp modules in older
> kernels.  We are wanting to do the equivalent of the ip_wccp as our
> router cannot do the GRE tunnel.  I'm basing this understanding off of
> the following page:

I suggest you try out the sample programs provided with the tproxy
modules. That will at least verify the kernel part.

I am not sure of the squid configs.

The other thing you want to check is whether the webserver (set up your
own for testing if you can) is able to get to the clients through the
proxy only and not through some other direct means.

Hope this helps.

-- Pranav

> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b
> Specifics:
> OS: Debian 4.0
> Kernel: (patched with tproxy patch)
> iptables-1.3.7 (patched with tproxy patch)
> Relevant Modules loaded:
> iptable_filter
> ipt_TPROXY
> xt_tcpudp
> iptable_tproxy
> iptable_nat
> ip_nat
> ip_conntrack
> ip_tables
> (Note: ip_gre is built statically into the kernel)
> Iptables rule added:
> iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j
> TPROXY --on-port 80
> (Note: eth1 is the interface of the proxy server that clients hit.
> I've also tried eth0 in this iptables rule, as well as leaving out the
> -i flag entirely.)
> Relevant Parts of squid.conf:
> http_port 80 transparent tproxy
> wccp2_service dynamic 80
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
> tcp_outgoing_address <IP address of eth1>
> server_persistent_connections off
> If anybody can help me figure out what I'm missing, I would be most thankful.
> Sincerely,
> Bryan Walton
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
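Two small checks a practitioner would run while working through a report like the one quoted above: tally which clients are receiving the 504 responses Bryan mentions seeing in access.log, and flag a squid.conf that combines an `http_port ... tproxy` line with a `tcp_outgoing_address` (the combination he reports as producing the timeouts). This is an added example, not code from the thread or from the Squid or tproxy projects; the log lines and the squid.conf fragment are constructed, and the log parser assumes Squid's native access.log layout (timestamp, elapsed ms, client, code/status, bytes, method, URL, ...).

```python
import re
from collections import Counter

# Constructed Squid native-format access.log lines (not from the thread).
# Fields: timestamp elapsed_ms client code/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1176839466.123    60012 192.168.1.10 TCP_MISS/504 1450 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1176839470.456      215 192.168.1.11 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.81 text/html
1176839530.789    60004 192.168.1.10 TCP_MISS/504 1450 GET http://www.example.net/ - DIRECT/192.0.2.82 text/html
1176839531.001       12 192.168.1.12 TCP_HIT/200 2048 GET http://www.example.org/logo.png - NONE/- image/png
"""

# Constructed squid.conf fragment modelled on the directives quoted in the thread;
# the outgoing address is a placeholder, not a real deployment value.
SAMPLE_SQUID_CONF = """\
http_port 80 transparent tproxy
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
tcp_outgoing_address 192.168.1.1   # placeholder for the eth1 address
server_persistent_connections off
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_access_log(text):
    """Parse native-format access.log lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["elapsed"] = int(d["elapsed"])
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def gateway_timeouts(entries):
    """(client, url, elapsed_ms) for every request Squid answered with 504."""
    return [(e["client"], e["url"], e["elapsed"]) for e in entries if e["status"] == 504]


def status_by_client(entries):
    """Count of (client, status) pairs, to see whether 504s are clustered on some clients."""
    return dict(Counter((e["client"], e["status"]) for e in entries))


def parse_squid_conf(text):
    """Split squid.conf into (directive, [args]) tuples, dropping comments and blanks."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            directives.append((name, args.split()))
    return directives


def tproxy_ports_with_outgoing_address(directives):
    """Ports of http_port lines carrying the 'tproxy' flag when tcp_outgoing_address
    is also set: the combination the original poster reports as causing 504 timeouts.
    Returns [] when either half is absent."""
    has_outgoing = any(name == "tcp_outgoing_address" for name, _ in directives)
    if not has_outgoing:
        return []
    return [args[0] for name, args in directives if name == "http_port" and "tproxy" in args]


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for client, url, ms in gateway_timeouts(entries):
        print(f"504 for {client} on {url} after {ms} ms")
    for port in tproxy_ports_with_outgoing_address(parse_squid_conf(SAMPLE_SQUID_CONF)):
        print(f"http_port {port} uses tproxy while tcp_outgoing_address is set")
```

Feed real files in by replacing the two constructed samples with the contents of access.log and squid.conf; the 60-second elapsed values on the 504 lines are the signature of a connection that never received a reply, which is consistent with the return path from the web server bypassing the proxy, the thing Pranav suggests checking.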
