[tproxy] Squid doesn't seem to spoof client ip address.

Przemysław Kudyba przemekk at ingram.com.pl
Thu Dec 4 21:10:25 CET 2008

KOVACS Krisztian writes:
> Hi,
> Do you have other http_ports defined? Does it change anything if you use
> http_port 3128 tproxy
> that is, you omit the IP from the listener config?
> If not, can you get detailed debug logs from squid?
Well, I should first think, then click 'send'.
(I should think twice, resending to the mailing list)

I missed "Missing needed capability support. Will continue without
tproxy support"
in my cache log. After installing libcap and putting capabilities.h into the
right place it worked ;)

( kernel: 2.6.28-rc7, iptables: 1.4.3-rc1, gentoo version of
squid-2.7-stable4 with patch from
https://lists.balabit.hu/pipermail/tproxy/2008-September/000944.html )

My network topology was:

|---------|  |---------|  |-------|
|   LAN   |--| router  |--|  WAN  |
|---------|  |---------|  |-------|
             |  tproxy |

I think that conntrack on the router was doing something uncool with http:
SYN packets were arriving at the tproxy box, but I wasn't able to redirect
them to the tproxy box.

After upgrading to:

|---------|  |---------|          |---------|  |-------|
|   LAN   |--|  tproxy |----------| router  |--|  WAN  |
|---------|  |---------|          |---------|  |-------|

it started to work, but I had some problems with tproxy in bridge mode;

after loading:

      # hand port-80 TCP from the LAN side to the IP stack instead of bridging it
      ebtables -t broute -A BROUTING -i $INSIDE_DEV -p ipv4 \
              --ip-protocol tcp --ip-destination-port 80 \
              -j redirect --redirect-target DROP
      # and the replies (source port 80) coming back from the WAN side
      ebtables -t broute -A BROUTING -i $OUTSIDE_DEV -p ipv4 \
              --ip-protocol tcp --ip-source-port 80 \
              -j redirect --redirect-target DROP

my bridge started to drop IPv4 traffic with a src other than
(br0 has address, and gw: ); PPPoE and ARP packets were passing
without problems, but other routed IPs were dropped.
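The two ebtables rules above are only the layer-2 half of a bridge-mode tproxy setup. The script below is an added example, not something posted in this thread or shipped with Squid: it assembles the rest of the ruleset around those two lines (the iptables socket/TPROXY rules and the fwmark route), and with DRY_RUN=1 it prints the commands instead of running them. Interface names, the mark value, the routing table number and the Squid port are assumptions.

```shell
#!/bin/sh
# Added example: full bridge-mode tproxy ruleset. Interface names, mark,
# table number and Squid port are assumptions (override via environment).
INSIDE_DEV="${INSIDE_DEV:-eth0}"
OUTSIDE_DEV="${OUTSIDE_DEV:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
MARK=1
TABLE=100

# With DRY_RUN=1 the commands are printed instead of executed, so the plan
# can be reviewed on a machine without a bridge and without root.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

tproxy_bridge_rules() {
  # 1. broute table: pull port-80 TCP out of the bridge into the IP stack.
  #    In BROUTING the redirect target "DROP" means "stop bridging, route
  #    this frame", not "discard"; every other frame stays bridged at L2.
  run ebtables -t broute -A BROUTING -i "$INSIDE_DEV" -p ipv4 \
      --ip-protocol tcp --ip-destination-port 80 \
      -j redirect --redirect-target DROP
  run ebtables -t broute -A BROUTING -i "$OUTSIDE_DEV" -p ipv4 \
      --ip-protocol tcp --ip-source-port 80 \
      -j redirect --redirect-target DROP
  # 2. mangle table: packets that belong to a socket Squid already owns are
  #    marked and accepted; new port-80 connections go to the tproxy listener.
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
  run iptables -t mangle -A DIVERT -j ACCEPT
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
      -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$SQUID_PORT"
  # 3. policy routing: marked packets are delivered locally even though
  #    their destination address is not one of ours.
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
  # If unrelated bridged IPv4 traffic is dropped afterwards, check the
  # iptables FORWARD policy: with bridge-nf enabled, bridged frames also
  # traverse FORWARD, so it must accept them (or bridge-nf must be off).
}

# "apply" installs the rules for real; "plan" only prints them.
case "${1:-}" in
  apply) tproxy_bridge_rules ;;
  plan)  DRY_RUN=1; tproxy_bridge_rules ;;
esac
```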
