configure with --enable-linux-tproxy (your configure options below show only '--enable-linux-netfilter') Farhad Ibragimov wrote: > > Hello , > > > I am having some trouble redirecting port 80 traffic to 3129 using > tproxy for transparent proxying. > The SYNs come in but there is no SYN-ACK going out. > > Please help me !!!!! > > My server has only one single interface with global ip addresses which > connects directly to the internet > > > > Detailed information from my server > > ####################################################################### > ############### > Squid Cache: Version 3.1.0.13 > configure options: '--enable-linux-netfilter' '--prefix=/squid/' > --with-squid=/src/squid-3.1.0.13 --enable-ltdl-convenience > [root@proxymain sysconfig]# cat /squid/etc/squid.conf > acl manager proto cache_object > acl localhost src 127.0.0.1/32 > acl to_localhost dst 127.0.0.0/8 > acl test src 85.132.47.0/24 > acl test2 src 85.132.32.0/24 > acl test3 src 62.212.227.0/24 > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl Safe_ports port 3129 > acl CONNECT method CONNECT > http_access allow manager localhost > http_access deny manager > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localnet > http_access allow localhost > http_access allow test > http_access allow test2 > http_access allow test3 > http_access deny all > http_port 3128 > http_port 3129 tproxy > hierarchy_stoplist cgi-bin ? 
> coredump_dir /squid/var/cache > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > cache_effective_user squid > cache_effective_group squid > visible_hostname proxymain > cache_dir ufs /cache 6000 16 256 > ###################################################################### > [root@proxymain sysconfig]# iptables -V (DOWNLOADED FROM > NETFILTER.ORG-NOT PATCHED) > iptables v1.4.3 > ####################################################################### > [root@proxymain sysconfig]# uname -a (DOWNLOADED FROM KERNEL.ORG - > WITHOUT ANY PATCHES FROM BALABIT) > Linux 2.6.30.5-second #1 SMP Sun Aug 30 22:45:27 AZST 2009 x86_64 x86_64 > x86_64 GNU/Linux > ####################################################################### > Chain PREROUTING (policy ACCEPT) > > target prot opt source destination > DIVERT tcp -- anywhere anywhere socket > TPROXY tcp -- anywhere anywhere tcp dpt:80 > TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1 > > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain POSTROUTING (policy ACCEPT) > target prot opt source destination > > Chain DIVERT (1 references) > target prot opt source destination > MARK all -- anywhere anywhere MARK xset > 0x1/0xffffffff > ACCEPT all -- anywhere anywhere > ####################################################################### > > [root@proxymain sysconfig]# ip rule ls > 0: from all lookup 255 > 32765: from all fwmark 0x1 lookup 100 > 32766: from all lookup main > 32767: from all lookup default > ##################################################################### > [root@proxymain sysconfig]# ip route ls table 100 > local default dev lo scope host > ##################################################################### > > [root@proxymain sysconfig]# lsmod | 
egrep "xt|nf" > nf_nat 18924 1 iptable_nat > nf_conntrack_ipv4 14448 3 iptable_nat,nf_nat > xt_TPROXY 2616 1 > xt_tcpudp 3544 1 > xt_MARK 3064 1 > xt_socket 2904 1 > nf_tproxy_core 3160 2 xt_TPROXY,xt_socket,[permanent] > nf_conntrack 68208 4 > iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket > nf_defrag_ipv4 2456 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket > x_tables 22624 6 > iptable_nat,ip_tables,xt_TPROXY,xt_tcpudp,xt_MARK,xt_socket > i2c_nforce2 7768 0 > i2c_core 25568 1 i2c_nforce2 > ext3 123528 2 > jbd 46848 1 ext3 > ###################################################################### > [root@proxymain sysconfig]# tcpdump -nn -i eth0 port 80 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes > 00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S > 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK> > 00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S > 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK> > 00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535 > 00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 > win 65535 > 00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . 
ack 413 win 6432 > 00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S > 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 > 0,nop,wscale 7> > 00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S > 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 > 0,nop,wscale 7> > 00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S > 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 > 0,nop,wscale 7> > 00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S > 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 > 0,nop,wscale 7> > ####################################################################### > ## > 2009/08/30 23:31:56| Starting Squid Cache version 3.1.0.13 for > x86_64-unknown-linux-gnu... > 2009/08/30 23:31:56| Process ID 12787 > 2009/08/30 23:31:56| With 1024 file descriptors available > 2009/08/30 23:31:56| Initializing IP Cache... > 2009/08/30 23:31:56| DNS Socket created at 0.0.0.0, FD 7 > 2009/08/30 23:31:56| Adding domain caspel.com from /etc/resolv.conf > 2009/08/30 23:31:56| Adding nameserver 85.132.32.41 from /etc/resolv.conf > 2009/08/30 23:31:56| Adding nameserver 85.132.32.42 from /etc/resolv.conf > 2009/08/30 23:31:56| Unlinkd pipe opened on FD 12 > 2009/08/30 23:31:56| Store logging disabled > 2009/08/30 23:31:56| Swap maxSize 6144000 + 262144 KB, estimated 492780 > objects > 2009/08/30 23:31:56| Target number of buckets: 24639 > 2009/08/30 23:31:56| Using 32768 Store buckets > 2009/08/30 23:31:56| Max Mem size: 262144 KB > 2009/08/30 23:31:56| Max Swap size: 6144000 KB > 2009/08/30 23:31:56| Version 1 of swap file without LFS support > detected... > 2009/08/30 23:31:56| Rebuilding storage in /cache (CLEAN) > 2009/08/30 23:31:56| Using Least Load store dir selection > 2009/08/30 23:31:56| Set Current Directory to /squid/var/cache > 2009/08/30 23:31:56| Loaded Icons. > 2009/08/30 23:31:56| Accepting HTTP connections at 0.0.0.0:3128, FD 15. 
> 2009/08/30 23:31:56| Accepting spoofing HTTP connections at 0.0.0.0:3129, > FD 16. > 2009/08/30 23:31:56| HTCP Disabled. > 2009/08/30 23:31:56| Squid modules loaded: 0 > 2009/08/30 23:31:56| Ready to serve requests. > 2009/08/30 23:31:56| Done reading /cache swaplog (0 entries) > 2009/08/30 23:31:56| Finished rebuilding storage from disk. > 2009/08/30 23:31:56| 0 Entries scanned > 2009/08/30 23:31:56| 0 Invalid entries. > 2009/08/30 23:31:56| 0 With invalid flags. > 2009/08/30 23:31:56| 0 Objects loaded. > 2009/08/30 23:31:56| 0 Objects expired. > 2009/08/30 23:31:56| 0 Objects cancelled. > 2009/08/30 23:31:56| 0 Duplicate URLs purged. > 2009/08/30 23:31:56| 0 Swapfile clashes avoided. > 2009/08/30 23:31:56| Took 0.01 seconds ( 0.00 objects/sec). > 2009/08/30 23:31:56| Beginning Validation Procedure > 2009/08/30 23:31:56| Completed Validation Procedure > 2009/08/30 23:31:56| Validated 25 Entries > 2009/08/30 23:31:56| store_swap_size = 0 > 2009/08/30 23:31:57| storeLateRelease: released 0 objects > [root@proxymain sysconfig]# > > 1251655621.226 155982 85.132.32.40 TCP_MISS/503 4143 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org > text/html > 1251655621.226 107693 85.132.47.219 TCP_MISS/503 4151 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org > text/html > 1251655621.230 0 85.132.32.40 TCP_MISS/503 4143 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org > text/html > 1251655646.107 6457 85.132.47.219 TCP_MISS/000 0 GET > http://www.google.az/ - DIRECT/www.google.az - > 1251655658.226 60014 85.132.47.219 TCP_MISS/504 4510 POST > http://safebrowsing.clients.google.com/safebrowsing/downloads? 
- > DIRECT/safebrowsing.clients.google.com text/html > 1251656346.912 21227 85.132.32.40 TCP_MISS/000 0 GET http://194.87.0.50/ > - DIRECT/194.87.0.50 - > 1251656526.724 179798 85.132.32.40 TCP_MISS/504 3977 GET http://www.ru/ - > DIRECT/194.87.0.50 text/html > 1251656586.724 59968 85.132.32.40 TCP_MISS/504 4069 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html > 1251656867.544 88637 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - > DIRECT/www.ru - > 1251657043.812 176266 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - > DIRECT/www.ru - > 1251657101.539 60109 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - > DIRECT/194.87.0.50 text/html > 1251657207.136 64675 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - > DIRECT/www.ru - > 1251657387.522 180384 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - > DIRECT/194.87.0.50 text/html > 1251657567.525 179983 85.132.32.40 TCP_MISS/504 4069 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html > 1251657569.936 9407 85.132.47.219 TCP_MISS/000 0 GET > http://85.132.32.34/ - DIRECT/85.132.32.34 - > 1251657725.527 180669 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - > DIRECT/194.87.0.50 text/html > 1251657905.534 179988 85.132.32.40 TCP_MISS/504 4069 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html > 1251658194.669 112560 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - > DIRECT/www.ru - > 1251658283.066 88394 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - > DIRECT/www.ru - > 1251658463.543 180476 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - > DIRECT/194.87.0.50 text/html > 1251658643.547 179986 85.132.32.40 TCP_MISS/504 4069 GET > http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html > 1251659072.554 60493 85.132.32.40 TCP_MISS/504 4473 POST > http://safebrowsing.clients.google.com/safebrowsing/downloads? 
- > DIRECT/74.125.87.100 text/html > 1251659703.563 181155 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - > DIRECT/194.87.0.50 text/html > -- > > Best regards, > Farhad mailto:inara.ibragimova@xxxxxxxxx > > >