It is set up with 2 nics as a bridge. The routing I was referring to is
only internal to the box.. ie through iptables

On Thu, Apr 1, 2010 at 5:09 AM, johan firdianto <johanfirdi@xxxxxxxxx> wrote:
> Make sure you have setup triangle routing correctly.
> your squid act as bridge ? or act as router/gateway with dual
> interface ethernet ?
> or standalone server with single ethernet.
> option 1 and 2, doesn't need routing setup, traffic incoming and
> outgoing must hit the squid box.
> But for option 3, you should setup your router to make sure outgoing
> traffic to port 80 should hit the squid first, and forward to
> internet, and the reply traffic from internet should come back to
> squid box before forwarded to client.
>
> 2010/4/1 Kurt Sandstrom <sandmanaz@xxxxxxxxx>:
>> I have the following in startup....
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> The output of ip route show table 100: local default dev lo scope host
>>
>> One other thing is strange, my PREROUTING rules in mangle don't load
>> in my script. I have to manually add them. Timing issue perhaps?
>>
>> Startup script loaded from rc.local:
>>
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>> cd /proc/sys/net/bridge/
>> for i in *
>> do
>> echo 0 > $i
>> done
>> unset i
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>>
>> 2010/3/31 Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>:
>>> Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
>>>> I have been unable to get TPROXY working correctly with squid. I have
>>>> used the steps in http://wiki.squid-cache.org/Features/Tproxy4 and re
>>>> checked everything.
>>>>
>>>
>>> I did not see your routing setup in the data you dumped. Without the
>>> routing configured then TPROXY won't intercept, just route like normal..
>>>
>>> http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
>>>
>>> Regards
>>> Henrik
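
A read-only check for the three pieces this thread turns on (the fwmark policy rule, the local route in table 100, and the mangle PREROUTING rules that reportedly fail to load at boot), added here as an example and not taken from the thread or the Squid wiki. Mark 1, table 100 and port 3129 are the values from the quoted startup script; the function names and the SAMPLE_* text are constructed for illustration.

```shell
#!/bin/sh
# Added example: each function takes saved or live command output as $1,
# so the same checks work on a running box and on output pasted into a report.

has_fwmark_rule() {            # $1 = output of: ip rule show
    printf '%s\n' "$1" | grep -Eq 'fwmark (0x)?1(/0x[0-9a-f]+)? lookup 100( |$)'
}

has_local_default_route() {    # $1 = output of: ip route show table 100
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'
}

has_mangle_prerouting() {      # $1 = output of: iptables -t mangle -S
    printf '%s\n' "$1" | grep -Eq '^-A PREROUTING .*-m socket .*-j DIVERT' &&
    printf '%s\n' "$1" | grep -Eq '^-A PREROUTING .*--dport 80 .*-j TPROXY .*--on-port 3129'
}

# Prints "ok" or the names of the missing pieces; exit status follows.
tproxy_audit() {
    missing=""
    has_fwmark_rule "$1"         || missing="$missing fwmark-rule"
    has_local_default_route "$2" || missing="$missing table-100-route"
    has_mangle_prerouting "$3"   || missing="$missing mangle-prerouting"
    missing="${missing# }"
    echo "${missing:-ok}"
    [ -z "$missing" ]
}

# Constructed sample output (not captured from the poster's machine).
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTE='local default dev lo scope host'
SAMPLE_MANGLE_OK='-P PREROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
# State described in the thread: DIVERT chain exists, PREROUTING rules absent.
SAMPLE_MANGLE_BOOT='-P PREROUTING ACCEPT
-N DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

# Live use (as root):
#   tproxy_audit "$(ip rule show)" "$(ip route show table 100)" "$(iptables -t mangle -S)"
```

Running the audit from rc.local right after the startup script shows which piece is missing at boot without changing any rule.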