The problem is the HTTP header. I checked the traffic and saw that the
x_forwarded header has the following format:

x_forwarded: client-ip, ip-proxy1, ip-proxy2

In my header, the client IP is there, but there is also the IP of the
Squid. The question is: how do I see only the IP of the client and
remove the IP of the Squid from the header?

2009/8/10 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On Mon, 10 Aug 2009 20:30:05 -0300, Carlos Botejara <cbotejara@xxxxxxxxx>
> wrote:
>> OK.
>>
>> Ok. I did what you told me, modified the rule, but nothing happened ..
>> everything remains the same
>> Rule amended
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
>> 0x1/0x1 --on-port 3129
>
> Hm, okay. Then you need to find out exactly how the clients are connecting
> to that site and why it's not working.
>
> Amos
>
>>
>> 2009/8/9 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>> On Sun, 9 Aug 2009 10:58:23 -0300, Carlos Botejara <cbotejara@xxxxxxxxx>
>>> wrote:
>>>> hi, this is my first post here.
>>>> I have a problem, but first I describe the scenario
>>>> I have clients with public IP
>>>> Mikrotik router redirecting traffic to SQUID
>>>> Squid 3.1 with support for TPROXY
>>>> Iptables 1.4.4 with support for TPROXY
>>>> Debian Lenny / Kernel 2.6.28 with support for TPROXY
>>>>
>>>> well.
>>>> The proxy works as well, and when I made some test pages whatismyip,
>>>> shows that the ip is the CLIENT.
>>>> However. I can not get my clients with public IP address
>>>> simultaneously downloading from RapidShare / Megaupload ETC. The error
>>>> shown within these pages is the typical already are downloading from
>>>> that ip, so if viewing RapidShare IP SQUID in reality and not the
>>>> client. How fix this?
>>>>
>>>> the configuration file of squid in the harbor is well
>>>>
>>>> http_port 81 tproxy
>>>>
>>>> Iptables:
>>>>
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j TPROXY
>>>> --tproxy-mark 0x1/0x1 --on-port 81
>>>
>>> You have this rule ass-backwards.
>>>
>>> TPROXY is intended to intercept port 80 traffic, not port 3128 traffic.
>>> When the client is NOT configured to use the proxy. The HTTP request
>>> formats are noticeably different. It's trivially easy to detect those
>>> differences and probably what rapidshare is doing.
>>>
>>> Please go back and use the http://wiki.squid-cache.org/Features/Tproxy4
>>> documentation and configuration example.
>>>
>>>>
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>>
>>>> Mikrotik:
>>>> Have a rule in the firewall to redirect all traffic to port 80 of the
>>>> SQUID to the IP, port 3128
>>>>
>>>> All clients create sessions PPPOE in Router Mikrotik
>>>>
>>>> May help?
>>>>
>>>> Regards
>>>
>>> Amos
>>>
>

--
Carlos Botejara
Systems Department
cbotejara@xxxxxxxxx
NEUQUEN - ARGENTINA
C: 0299-154060127
MSN:carlos.botejara@xxxxxxxxxxx
http://www.linkedin.com/in/carlosbotejara

This e-mail is intended solely for the person or entity named as the
recipient and may contain confidential and/or privileged information.
Copying, forwarding, or distribution of this message by persons or
entities other than the recipient is prohibited. If you have received
this e-mail in error, please contact the sender immediately and delete
the material from any computer. This e-mail may be monitored in
compliance with this policy.
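
The header format described in the message above (client IP first, then each proxy in turn) is the standard X-Forwarded-For chain. The following is an added example, not part of the original thread or of Squid. It goes beyond the question to show how a receiving server can read that chain safely: walk it right to left and stop at the first address that is not a known proxy. The function name, the trusted ranges and all addresses are constructed for illustration.

```python
import ipaddress


def client_ip(peer, xff_headers, trusted_proxies):
    """Return the address a request should be attributed to.

    peer            -- source address of the TCP connection
    xff_headers     -- X-Forwarded-For header values, in the order received
    trusted_proxies -- CIDR ranges of proxies we operate (assumption)
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    current = ipaddress.ip_address(peer)
    # A peer we do not operate can put anything in the header: ignore it.
    if not is_trusted(current):
        return str(current)

    # Each proxy appends the address it saw, so the rightmost entries are
    # the ones written by our own proxies. Walk right to left.
    hops = [h.strip() for h in ",".join(xff_headers).split(",") if h.strip()]
    for token in reversed(hops):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # "unknown" or garbage: stop at the last valid address
        current = hop
        if not is_trusted(hop):
            break  # first address outside our proxies is the client
    return str(current)


if __name__ == "__main__":
    PROXIES = ["198.51.100.0/24"]  # constructed: the Squid boxes
    # Chain in the format from the message: client-ip, ip-proxy1
    print(client_ip("198.51.100.11", ["203.0.113.7, 198.51.100.10"], PROXIES))
    # Client supplied its own leftmost entry; it must not be believed.
    print(client_ip("198.51.100.10", ["192.0.2.99, 203.0.113.7"], PROXIES))
```
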