[tproxy] Can't get TPROXY working with squid

Carvaka Guru carvakaguru at gmail.com
Wed Feb 25 20:40:13 CET 2015


Yes, I did and tried the recommendations there too but that is a much more
complicated setup.

Mine is a simple setup where I have a client PC (192.168.25.107) connected
directly to my linux firewall router on eth1 (192.168.25.1). The eth0
(10.1.20.204) of the router is connected to the internet.

Router has -
1. squid3 3.4.8
2. iptables 1.4.14
3. libcap2
4. libcap2-dev

Squid config has the directive -
http_port 3128 tproxy

iptables is set up with the following directives -

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
iptables  -t mangle -A PREROUTING -p tcp --match socket -j DIVERT

iptables -t mangle -A PREROUTING -p tcp --match multiport --dports http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111

routing config is -
ip -f inet rule add fwmark 111 lookup 100
ip -f inet route add local default dev lo table 100

The moment I add the second line (ip route), all HTTP traffic gets
black-holed. Not sure where it is going.

I have enabled logging in Squid ("ALL,2"), which usually shows detailed
traffic traversing Squid, but with this setup, nothing!




On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Hey Carvaka,
>
> Did you have the chance to read this article:
> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
>
> Thanks,
> Eliezer
>
> On 25/02/2015 19:15, Carvaka Guru wrote:
> > I am building a simple linux firewall router with eth1 LAN port and eth0
> > WAN port. I have squid3 running on it that I have built with netfilter
> > enabled. The linux version running on the firewall is debian wheezy which
> > has iptables with TPROXY and socket support.
> >
> > By setting up the iptables to send traffic to squid3 using the original nat
> > prerouting REDIRECT method everything works fine but I can't get the TPROXY
> > method to work. I followed all the steps outlined in
> > http://wiki.squid-cache.org/Features/Tproxy4  but no traffic gets to squid3.
> > In fact all HTTP traffic goes into some hole as soon as I issue the
> > following two routing commands -
> >
> > ip rule add fwmark 1 lookup 100
> > ip route add local 0.0.0.0/0 dev lo table 100
> >
> > Without these two commands the HTTP traffic goes through but never gets
> > routed to squid3.
> >
> > I think the "ip route" command is the culprit but I don't know why or what
> > to change it to?
> >
> > Any suggestions, help would be much appreciated.
> >
> > Thanks,
> > carvaka
> >
>
>
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
>
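Added example, not part of the message above and not Squid's or the Squid wiki's own code: the rule set from the thread as a script that prints, checks or applies it in one place, so the rules and the policy routing can be reviewed together before anything is touched. The interface names, port 3128, mark 111, table 100 and the 80/8080 port list are taken from the message; the `-i eth1` restriction on the mangle rules, the `--transparent` flag on the socket match, the sysctl checks and the `print|check|apply` interface are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): print, check and optionally
# apply a Squid TPROXY rule set plus its policy routing.
# Assumed defaults (override via environment): LAN on eth1, WAN on eth0,
# Squid on 3128, fwmark 111, routing table 100, intercepted ports 80,8080.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
MARK="${MARK:-111}"
TABLE="${TABLE:-100}"
PORTS="${PORTS:-80,8080}"

# Write the mark as value/mask so what TPROXY and MARK set is unambiguous;
# 111 becomes 0x6f/0xffffffff. The ip rule below matches the same value.
mark_spec() { printf '0x%x/0xffffffff' "$1"; }

# Emit the rules in order. Same layout as the thread, with these changes:
#  * MASQUERADE carries its -j (the posted line lacked it),
#  * multiport uses --dports (with -p tcp, --dport is the tcp match's
#    single-port option and rejects a comma-separated list),
#  * both mangle rules only see packets arriving on the LAN side (assumption),
#  * the socket match only diverts to transparent sockets, i.e. Squid's
#    tproxy port, not every local socket (assumption).
tproxy_rules() {
  m=$(mark_spec "$MARK")
  cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $m
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m socket --transparent -j DIVERT
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports $PORTS -j TPROXY --on-port $SQUID_PORT --tproxy-mark $m
ip -f inet rule add fwmark $MARK lookup $TABLE
ip -f inet route add local default dev lo table $TABLE
EOF
}

# Sysctls that quietly defeat the setup: ip_forward=0 means the box forwards
# nothing at all, and strict rp_filter (1) is what the Squid TPROXY examples
# switch off. Each entry is path:bad-value; prints one line per item and
# returns 1 if any value is the bad one. Unreadable entries are skipped.
check_prereqs() {
  rc=0
  for entry in net/ipv4/ip_forward:0 \
               "net/ipv4/conf/$LAN_IF/rp_filter:1" \
               net/ipv4/conf/all/rp_filter:1; do
    path="/proc/sys/${entry%%:*}"
    bad="${entry##*:}"
    if [ -r "$path" ]; then
      have=$(cat "$path")
      if [ "$have" = "$bad" ]; then
        echo "BAD  $path=$have"
        rc=1
      else
        echo "ok   $path=$have"
      fi
    else
      echo "skip $path (not readable)"
    fi
  done
  return $rc
}

# Dispatch only when an action is given, so sourcing or running the file
# bare does nothing. "apply" needs root and the iptables/ip binaries.
if [ $# -gt 0 ]; then
  case "$1" in
    print) tproxy_rules ;;
    check) check_prereqs ;;
    apply) tproxy_rules | sh -ex ;;
    *) echo "usage: $0 print|check|apply" >&2; exit 2 ;;
  esac
fi
```

Run `sh tproxy.sh print` to review the exact commands, `sh tproxy.sh check` before applying, and `sh tproxy.sh apply` as root. The DIVERT rule stays ahead of the TPROXY rule on purpose: packets belonging to a connection Squid has already accepted are matched by the socket lookup and marked, and only new SYNs reach the TPROXY target.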