[tproxy] port=0 ERROR ASSIGN

Ming-Ching Tiew mingching.tiew at redtone.com
Tue Sep 23 03:18:16 CEST 2008


KOVACS Krisztian wrote:
> Hi,
> 
> On Sun, Sep 21, 2008 at 05:32:34 -0700, Richard Smith wrote:
>> Sorry I'm late, but recently set up a squid on a
>> Debian box patched with tproxy and compiled iptables like you did and
>> everything seems working except this error message on the cache log
>> about the "port=0 ERROR ASSIGN". 
>> 
>> tproxy ip=179.166.10.3,0x3017477,port=0 ERROR ASSIGN
>> 
>> can't connect to the outside if the tproxy iptables rules loaded.
>> 
>> Googled for some answer but no success.
>> 
>> If this issue is solved any kind of help would be much appreciated,
> 
> Well, could you tell us exactly which version of squid and iptables
> you used and what patches you applied? Without that it's pretty much
> impossible to help.

As far as I know, if one is using tproxy2, and if this error
comes out, it is because the user did not set up tcp_outgoing_address
in 'squid.conf'.

In tproxy2, due to the way the software has been written, it is
ironic that when one is using tproxy (i.e. when you want
to dynamically spoof the outgoing address of the http session
to the client's IP address), it is a ***MUST*** to set up a
tcp_outgoing_address in 'squid.conf' by using one of the local
IP addresses on the interface within the squid machine.

If the squid machine has multiple IPs, you just set it to one
of the IPs - it does not really matter, as it will be overwritten
by tproxy anyway!!! But if you are using source routing, you
might have to be a little more careful in choosing the IP, as it will
affect which route it will take.

I have seen people trying to set this up by setting a
foreign IP address to it, or putting a fancy ACL to avoid
having the tcp_outgoing_address set up (because he
really wanted "tproxy" behaviour!!!), and squid will
give the above complaint.

This whole thing is counterintuitive. But that's how it works.

Cheers.
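
The following is an added example, not part of the original message and not squid or tproxy code: a small checker that scans a squid.conf for the three conditions the reply describes (no tcp_outgoing_address at all, a foreign address, or one restricted by an ACL). The function name, the status labels, the sample configurations and the addresses are all assumptions constructed for illustration; the caller supplies the machine's local IPs.

```python
import ipaddress

def check_outgoing_address(conf_text, local_ips):
    """Return (lineno, status, detail) findings for tcp_outgoing_address lines.

    Status labels are this example's own: 'ok', 'foreign', 'acl-limited',
    'invalid', and a final 'missing' (lineno 0) when no unconditional
    directive with a local address was found.
    """
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    findings, have_unconditional_local = [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        # Commented-out lines start with '#', so their first token never matches.
        if not tokens or tokens[0] != "tcp_outgoing_address":
            continue
        value = tokens[1] if len(tokens) > 1 else ""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append((lineno, "invalid", value))
            continue
        acls = tokens[2:]  # anything after the address is an ACL name
        if addr not in local:
            findings.append((lineno, "foreign", str(addr)))
        elif acls:
            findings.append((lineno, "acl-limited", " ".join(acls)))
        else:
            have_unconditional_local = True
            findings.append((lineno, "ok", str(addr)))
    if not have_unconditional_local:
        findings.append((0, "missing", "no unconditional local tcp_outgoing_address"))
    return findings

# Constructed sample data (documentation address ranges, not from the thread).
LOCAL_IPS = ["127.0.0.1", "192.0.2.10"]
SAMPLE_BAD = """\
acl lan src 10.0.0.0/8
#tcp_outgoing_address 192.0.2.10
tcp_outgoing_address 203.0.113.7
tcp_outgoing_address 192.0.2.10 lan
"""
SAMPLE_GOOD = "tcp_outgoing_address 192.0.2.10\n"

if __name__ == "__main__":
    for name, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        for finding in check_outgoing_address(conf, LOCAL_IPS):
            print(name, finding)
```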

