[tproxy] Squid doesn't seem to spoof client ip address.
Przemysław Kudyba
przemekk at ingram.com.pl
Thu Dec 4 21:10:25 CET 2008
KOVACS Krisztian writes:
> Hi,
>
> Do you have other http_ports defined? Does it change anything if you use
>
> http_port 3128 tproxy
>
> that is, you omit the IP from the listener config?
>
> If not, can you get detailed debug logs from squid?
>
>
Well, I should first think, then click 'send'.
(I should think twice, resending to the mailing list.)
First:
I missed 'Missing needed capability support. Will continue without
tproxy support' in my cache log. After installing libcap and putting
capabilities.h into the right place it worked ;)
( kernel: 2.6.28-rc7, iptables: 1.4.3-rc1, gentoo version of
squid-2.7-stable4 with patch from
https://lists.balabit.hu/pipermail/tproxy/2008-September/000944.html )
Second:
My network topology was:

|---------|   |---------|   |-------|
|   LAN   |---|  router |---|  WAN  |
|---------|   |---------|   |-------|
                   |
              |---------|
              | tproxy  |
              |---------|
I think that conntrack on the router was doing something uncool with the
http downstream: SYN packets were arriving at the tproxy box, but I wasn't
able to redirect the downstream to the tproxy box.
After upgrading to:

|---------|   |---------|             |---------|   |-------|
|   LAN   |---| tproxy  |-------------|  router |---|  WAN  |
|---------|   |---------|             |---------|   |-------|
it started to work, but I had some problems with tproxy in bridge mode.
After loading:
INSIDE_DEV=eth0
OUTSIDE_DEV=eth1
# Client -> server direction: pull TCP/80 frames from the LAN side out of the
# bridge and hand them to the IP stack (DROP in the broute table means "route").
ebtables -t broute -A BROUTING -i $INSIDE_DEV -p ipv4 \
    --ip-protocol tcp --ip-destination-port 80 \
    -j redirect --redirect-target DROP
# Server -> client direction: same for replies coming from port 80 on the WAN side.
ebtables -t broute -A BROUTING -i $OUTSIDE_DEV -p ipv4 \
    --ip-protocol tcp --ip-source-port 80 \
    -j redirect --redirect-target DROP
my bridge started to drop IPv4 traffic with a src other than 10.0.0.0/8
(br0 has address 10.1.1.46/8, and gw: 10.1.1.201). PPPoE and ARP packets
were passing without problems, but other routed IPs were dropped.
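The first problem in the post (Squid silently running without tproxy support because the capability check failed) only shows up as a line in cache.log. The following is an added example, not code from the post or from the Squid project: a small POSIX shell check that scans a cache.log for that warning, so an operator can confirm whether client-IP spoofing is actually enabled after a restart. The log lines are constructed here, modelled on the message quoted in the post; the path and wording of a real installation may differ.

```shell
#!/bin/sh
# Added example: detect the "Missing needed capability" warning that means
# Squid started WITHOUT tproxy support (client IPs will not be spoofed).

# Constructed sample of cache.log lines, modelled on the warning quoted in the post.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2008/12/04 20:58:11| Starting Squid Cache version 2.7.STABLE4 for i686-pc-linux-gnu...
2008/12/04 20:58:11| Missing needed capability support. Will continue without tproxy support
2008/12/04 20:58:11| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 11.
EOF

# tproxy_active LOGFILE
#   returns 0 if no capability warning is present (tproxy support active),
#   1 if the warning is present, 2 if the log cannot be read.
tproxy_active() {
    log="$1"
    [ -r "$log" ] || return 2
    if grep -q 'Missing needed capability' "$log"; then
        return 1
    fi
    return 0
}

# capability_warnings LOGFILE
#   prints how many times the warning occurs (a log may span several restarts).
#   grep -c exits 1 when the count is 0, so the "|| true" keeps set -e scripts alive.
capability_warnings() {
    grep -c 'Missing needed capability' "$1" || true
}

if tproxy_active "$SAMPLE_LOG"; then
    echo "tproxy support active"
else
    echo "tproxy support NOT active: $(capability_warnings "$SAMPLE_LOG") warning(s) in cache.log;"
    echo "check that libcap and capabilities.h were present when Squid was built"
fi
```

On a real box, point `tproxy_active` at the actual cache.log (commonly /var/log/squid/cache.log, an assumption here) after each restart; a `return 1` is the symptom the post describes, and the fix the poster found was rebuilding with libcap available.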