[tproxy] TPROXY but without bridging?

Ming-Ching Tiew mingching.tiew at redtone.com
Sat Mar 29 14:30:15 CET 2008

admin at abp.pl wrote:
> Hello,
> I'm using Squid Cache: Version 2.6.STABLE18
> Is there a possibility to use it as a fully transparent proxy (with tproxy) but
> without bridging interfaces?
> My topology:
> [router 0]---[Internet]
>     |
>     |
> [===switch=======================]
>     |           |           |
> [squid] [ router a ][ router b ] .....
> to routers a,b... are connected clients. On those routers I have DNAT
> --to-destination squid:80
> On the squid machine I have a 2.6.25-rc7 kernel and Squid with patches from
> http://people.balabit.hu/panther/tproxy/.
> And:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>                   --tproxy-mark 0x1/0x1 --on-port 3128
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local dev lo table 100
> squid.conf:
> ..
> http_port 3128 transparent tproxy
> tcp_outgoing_address [machine ip]
> ..
> When I test this configuration, the web servers log connections from clients
> behind routers a,b... with the IP of the squid machine. So tproxy doesn't work.
> Can I fix it?
> PS. It's urgent for me, please help;)
> Regards,
> Tomasz
Well, among all things you have at least gotten to patch
the 2.6.25-rc7 kernel. Good! That's a big step better than
just ***STARING*** at the patch and refusing to use it and
then asking all sorts of questions about where the
correct patch is!


There are two main problems which you will have to deal with:

1. It appears to me that you haven't patched squid.
    You need to patch squid to use it with tproxy-4.1.0.
    And that has been mentioned so many times on
    this mailing list.

    My guess is that you were able to surf the net from
    the clients despite failing to spoof the clients' IP because
    you had not patched squid (sounds ironic, doesn't it?).

    If you had patched squid correctly, you couldn't even
    browse from the clients, as squid would have spoofed
    the IP of the clients, and in your setup the http return
    packets from router0 would not get a chance to return
    to squid, which would leave you with a hung
    http request.

    That leads to the second point I want to make.

2. I am not saying that doing tproxy without bridging is
    impossible, but you have not demonstrated that you
    have attempted to solve the return path problem
    mentioned above.

Until you have become an advanced user, may I know
what is stopping you from making the squid box a bridge?
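Added example, not code from either poster: a small POSIX shell checker for the policy-routing rule, the table-100 local route and the `http_port ... tproxy` line that the original message lists. It runs here on constructed `ip rule` / `ip route` / squid.conf text; on a real box you would pass it `"$(ip rule show)"`, `"$(ip route show table 100)"` and the squid.conf contents (the config path is an assumption).

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the TPROXY
# policy-routing pieces and the squid.conf line the poster listed.
# Each checker takes command output as text so it can run on the
# constructed samples below.

# The rule that sends packets carrying fwmark 1 to table 100.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:[[:space:]]+from all fwmark 0x1 lookup 100'
}

# Table 100 must deliver everything to the local stack via lo, or the
# TPROXY-diverted packets never reach the listening squid socket.
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# squid.conf needs an http_port carrying the tproxy option (which only a
# squid built with the tproxy patch will honour).
has_tproxy_port() {
    printf '%s\n' "$1" | grep -Eq '^http_port[[:space:]]+[0-9]+.*[[:space:]]tproxy([[:space:]]|$)'
}

# Run all three checks, print what is missing, return the failure count.
check_tproxy_setup() {
    fails=0
    has_fwmark_rule "$1" || { echo "missing: ip rule add fwmark 1 lookup 100"; fails=$((fails + 1)); }
    has_local_route "$2" || { echo "missing: ip route add local 0.0.0.0/0 dev lo table 100"; fails=$((fails + 1)); }
    has_tproxy_port "$3" || { echo "missing: http_port ... tproxy in squid.conf"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample output for a correctly configured box.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='local default dev lo scope host'
SAMPLE_SQUID='http_port 3128 transparent tproxy
tcp_outgoing_address 192.0.2.10'

check_tproxy_setup "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_SQUID" && echo "tproxy plumbing looks complete"
```

A clean result only means the local plumbing is in place; it says nothing about the return path from router0 that the reply is about, which depends on the topology, not on this box.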
