Re: TProxy Issues

Jamie Orzechowski wrote:
I went from a standard transparent setup to tproxy. Everything works fine with the old transparent method so my ACLs are working. My customers are seeing nothing. No squid errors on their browsers, it just times out ... my access log does not grow.
Amos Jeffries wrote:
Jamie Orzechowski wrote:
I am trying to get TProxy setup and running on a Linux based squid box.

I have compiled a custom kernel with the following options (2.6.28.7)

NETFILTER_TPROXY=y
NETFILTER_XT_MATCH_SOCKET=y
NETFILTER_XT_TARGET_TPROXY=y

I have also installed the latest iptables
root@cache-01:/var/log/squid3# iptables -V
iptables v1.4.3-rc1

And compiled squid 3.1.0.6

Squid Cache: Version 3.1.0.6
configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=32' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--with-filedescriptors=65536' '--with-default-user=proxy' '--enable-linux-netfilter' --with-squid=/tmp/squid-3.1.0.6 --enable-ltdl-convenience

My NAT Rules are as follows

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

My Squid config shows

http_port 3128
http_port 3129 tproxy

If I run a dmesg I see it loads the tproxy support

[   15.339298] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.458549] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[   15.458552] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
[   15.510067] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)

A tcpdump shows http traffic hitting the box but nobody is able to surf.

Any ideas what could be wrong??


Not from what you have said so far. It all looks correct according to current knowledge.

Have you remembered to set the Squid ACLs to permit the local network ranges properly?

Is there any trace in the squid logs? And what exactly are the users seeing?

Amos


Further stuff to check:

 - when traffic hits the box, are the iptables counters growing?

 - when the TPROXY chain grows, does it hit squid?

 - when traffic hits squid, what's squid doing (raise debug_options ALL,5 6,1 20,1 to see)

 - if it's getting through squid, is it leaving? (tcpdump trace)

 - when traffic leaves, what if anything is getting back?

Some of this is very low-level to trace. Some of it is data-wading.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6
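
Added example (not part of the original thread): one way to answer the first two checks in the list above, "are the iptables counters growing?" and "does it hit squid?", from two `iptables-save -c -t mangle` snapshots of the rules quoted in this thread. The snapshot text and counter values are constructed, and the three result labels are names chosen for this example.

```python
import re

# Constructed `iptables-save -c -t mangle` snapshots, taken a few seconds apart
# while a client retries a page load. Counter values are invented.
BEFORE = """\
[0:0] -A PREROUTING -p tcp -m socket -j DIVERT
[12:720] -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
[0:0] -A DIVERT -j MARK --set-mark 1
[0:0] -A DIVERT -j ACCEPT
"""
AFTER = BEFORE.replace("[12:720]", "[27:1620]")

# "[packets:bytes] -A <chain> ... -j <target>"
RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) .*?-j (\S+)")


def packet_counts(snapshot):
    """Return {(chain, target): packets} for every counted rule line."""
    counts = {}
    for line in snapshot.splitlines():
        m = RULE.match(line)
        if m:
            key = (m.group(3), m.group(4))
            counts[key] = counts.get(key, 0) + int(m.group(1))
    return counts


def deltas(before, after):
    """Packets added to each rule between the two snapshots."""
    old, new = packet_counts(before), packet_counts(after)
    return {key: new[key] - old.get(key, 0) for key in new}


def diagnose(before, after):
    """Map the counter movement onto the first two checks in the list."""
    d = deltas(before, after)
    tproxy = d.get(("PREROUTING", "TPROXY"), 0)
    # `-m socket` only matches packets that already belong to a local socket,
    # so this counter moves once intercepted connections are established.
    divert = d.get(("PREROUTING", "DIVERT"), 0)
    if tproxy == 0 and divert == 0:
        return "no-traffic"          # port-80 packets never reach these rules
    if divert == 0:
        return "not-reaching-squid"  # new connections seen, none established
    return "squid-has-sockets"       # go on to debug_options and tcpdump


if __name__ == "__main__":
    print(deltas(BEFORE, AFTER), diagnose(BEFORE, AFTER))
```

With the constructed snapshots the TPROXY rule gains packets while the `-m socket` rule stays at zero, which is the case where the later checks (Squid debug output, outbound tcpdump) have nothing to show yet.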
