Hello Carlos,

Could you help me to configure Squid+TPROXY?

Thursday, August 13, 2009, 5:59:27 AM, you wrote:

> problem solved.
> in squid.conf
> x_forwarded deny localhost ;)
> regards
> 2009/8/12 Carlos Botejara <cbotejara@xxxxxxxxx>:
>> The problem is the http header.
>> I checked the traffic and saw that the x_forwarded header has the following format:
>> x_forwarded: client-ip, ip-proxy1, ip-proxy2.
>> In my header, the client ip is there, but there is also the ip of the squid.
>> the question is: How do I only see the ip of the client and remove the
>> ip of the squid from the header?
>>
>> 2009/8/10 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>> On Mon, 10 Aug 2009 20:30:05 -0300, Carlos Botejara <cbotejara@xxxxxxxxx>
>>> wrote:
>>>> OK.
>>>>
>>>> Ok. I did what you told me, modified the rule, but nothing happened...
>>>> everything remains the same
>>>> Rule amended
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> Hm, okay. Then you need to find out exactly how the clients are connecting
>>> to that site and why it's not working.
>>>
>>> Amos
>>>
>>>>
>>>> 2009/8/9 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>> On Sun, 9 Aug 2009 10:58:23 -0300, Carlos Botejara <cbotejara@xxxxxxxxx>
>>>>> wrote:
>>>>>> hi, this is my first post here.
>>>>>> I have a problem, but first I describe the scenario
>>>>>> I have clients with public IP
>>>>>> Mikrotik router redirecting traffic to SQUID
>>>>>> Squid 3.1 with support for TPROXY
>>>>>> Iptables 1.4.4 with support for TPROXY
>>>>>> Debian Lenny / Kernel 2.6.28 with support for TPROXY
>>>>>>
>>>>>> well.
>>>>>> The proxy works as well, and when I made some test pages whatismyip,
>>>>>> shows that the ip is the CLIENT.
>>>>>> However. I can not get my clients with public IP address
>>>>>> simultaneously downloading from RapidShare / Megaupload ETC. The error
>>>>>> shown within these pages is the typical already are downloading from
>>>>>> that ip, so if viewing RapidShare IP SQUID in reality and not the
>>>>>> client. How fix this?
>>>>>>
>>>>>> the configuration file of squid in the harbor is well
>>>>>>
>>>>>> http_port 81 tproxy
>>>>>>
>>>>>> Iptables:
>>>>>>
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 81
>>>>>
>>>>> You have this rule ass-backwards.
>>>>>
>>>>> TPROXY is intended to intercept port 80 traffic, not port 3128 traffic.
>>>>> When the client is NOT configured to use the proxy. The HTTP request
>>>>> formats are noticeably different. It's trivially easy to detect those
>>>>> differences and probably what rapidshare is doing.
>>>>>
>>>>> Please go back and use the http://wiki.squid-cache.org/Features/Tproxy4
>>>>> documentation and configuration example.
>>>>>
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>>
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>>
>>>>>> Mikrotik:
>>>>>> Have a rule in the firewall to redirect all traffic to port 80 of the
>>>>>> SQUID to the IP, port 3128
>>>>>>
>>>>>> All clients create sessions PPPOE in Router Mikrotik
>>>>>>
>>>>>> May help?
>>>>>>
>>>>>> Regards
>>>>>
>>>>> Amos
>>>>>
>>>
>>
>>
>>
>> --
>> Carlos Botejara
>> Area Sistemas
>> cbotejara@xxxxxxxxx
>> NEUQUEN - ARGENTINA
>> C: 0299-154060127
>> MSN:carlos.botejara@xxxxxxxxxxx
>> http://www.linkedin.com/in/carlosbotejara
>>
>> This email is intended solely for the person or entity named as the
>> recipient and may contain confidential and/or privileged information.
>> Copying, forwarding, or distribution of this message by persons or
>> entities other than the recipient is prohibited.
>> If you have received this email in error, please contact the
>> sender immediately and delete the material from any computer.
>> This email may be monitored in compliance with this policy.
>>

--
Best regards,
Farhad
mailto:inara.ibragimova@xxxxxxxxx
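
The point raised in the quoted replies (the TPROXY rule must match port 80 and hand off to the port Squid has flagged `tproxy`) can be checked mechanically. This is an added example, not part of the original thread: a small shell lint run over the two rules quoted above. The function names and the `http_port 3129 tproxy` line are assumptions, since the thread does not show the squid.conf that went with the amended rule.

```shell
#!/bin/sh
# Added example (not from the thread): lint one TPROXY rule against squid.conf.

# opt_value OPTION WORD...: print the word that follows OPTION, if any.
opt_value() {
    want=$1; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$want" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

# check_tproxy RULE HTTP_PORT_LINE
# Returns 0 = consistent, 1 = rule does not match port 80,
#         2 = --on-port differs from Squid's port, 3 = http_port lacks "tproxy".
check_tproxy() {
    rule=$1; conf=$2
    # Unquoted on purpose: split the rule and the config line into words.
    dport=$(opt_value --dport $rule) || dport=
    onport=$(opt_value --on-port $rule) || onport=
    squid_port=$(opt_value http_port $conf) || squid_port=
    case " $conf " in
        *" tproxy "*) ;;
        *) echo "FAIL: http_port $squid_port has no tproxy flag"; return 3 ;;
    esac
    if [ "$dport" != 80 ]; then
        echo "FAIL: rule matches --dport ${dport:-<none>}; interception must match port 80"
        return 1
    fi
    if [ "$onport" != "$squid_port" ]; then
        echo "FAIL: --on-port ${onport:-<none>} but Squid listens on $squid_port"
        return 2
    fi
    echo "OK: port 80 diverted to tproxy port $squid_port"
}

# The two rules quoted in the thread: the first post's rule and the amended one.
ORIGINAL='iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 81'
AMENDED='iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129'

check_tproxy "$ORIGINAL" 'http_port 81 tproxy' || true    # wrong --dport
check_tproxy "$AMENDED" 'http_port 81 tproxy' || true     # rule changed, squid.conf not
check_tproxy "$AMENDED" 'http_port 3129 tproxy' || true   # assumed matching squid.conf line
```

The second call shows a failure that is easy to miss after amending only the firewall rule: the `--on-port` value and the `http_port ... tproxy` port have to change together.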