Hi Guys, first post.

I know there is a lot of material about configuring Squid in Interception Mode in the wiki / lists. Like others, I'm struggling to understand where problems might exist. Currently I have only got as far as routing; ideally I would like a bridged solution. I want to describe completely what my configuration is, as I think this may be useful to other users.

I have based my installation on the information on this page:
http://wiki.squid-cache.org/Features/Tproxy4

Overall I think the posting is clear; I think it could be improved by adding commands that demonstrate whether the configuration just applied succeeded or not.

My approach is that ideally I could use a distro for the base and inherit everything I need without having to compile code / kernel / etc. Using Fedora 13 I get the following binaries; comparing these to the prereqs, they are all > the defined versions:

Kernel:   2.6.33.5-124
iptables: 1.4.7-2
Squid:    3.1.4-2
libcap:   2.17-1

The Fedora 13 distro has the following Kernel options set:

CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m

From the squid.spec from the src rpm shipped with Fedora 13, i.e. squid-3.1.4-2.fc13.src.rpm, I can see that the enable linux netfilter option is configured:

...
...
%ifnarch ppc64 ia64 x86_64 s390x
    --with-large-files \
%endif
    --enable-linux-netfilter \
    --enable-referer-log \
    --enable-removal-policies="heap,lru" \
    --enable-snmp \
...
...

lsmod on the Squid Host shows the tproxy module loaded.
Module                  Size  Used by
sunrpc                192013  1
cpufreq_ondemand        8420  4
acpi_cpufreq            7477  1
freq_table              3851  2 cpufreq_ondemand,acpi_cpufreq
iptable_nat             5420  0
nf_nat                 19059  1 iptable_nat
xt_TPROXY               2102  1
xt_socket               2525  1
nf_tproxy_core          2163  2 xt_TPROXY,xt_socket,[permanent]
xt_MARK                 1007  1
iptable_mangle          3107  1
ip6t_REJECT             4055  2
nf_conntrack_ipv6      17513  2
ip6table_filter         2743  1
ip6_tables             16558  1 ip6table_filter
ipv6                  267033 36 ip6t_REJECT,nf_conntrack_ipv6
uinput                  7230  0
tg3                   103314  0
pl2303                 14822  0
usbserial              32421  1 pl2303
i3200_edac              3104  0
serio_raw               4539  0
edac_core              37487  2 i3200_edac
iTCO_wdt               10864  0
iTCO_vendor_support     2451  1 iTCO_wdt
i2c_i801               10086  0
microcode              17930  0
radeon                589438  0
ttm                    53215  1 radeon
drm_kms_helper         23936  1 radeon
drm                   169073  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            4781  1 radeon
i2c_core               24507  5 i2c_i801,radeon,drm_kms_helper,drm,i2c_algo_bit

My setup is as follows:

Client (172.27.5.109) -> Squid Host (172.27.5.104) -> Gateway (172.27.5.1)

Internet access from Squid Host is working correctly.

# cat /proc/sys/net/ipv4/conf/lo/rp_filter; cat /proc/sys/net/ipv4/ip_forward
0
1

I modified the default /etc/squid/squid.conf and added the following:

acl our_networks src 172.27.1.0/24 172.27.2.0/24 172.27.3.0/24 172.27.4.0/24 172.27.5.0/24 172.27.6.0/24 172.27.7.0/24
http_access allow our_networks
...
# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy

I was getting an error about TPROXY not being present; I disabled selinux as suggested in the wiki page and startup proceeded ok.

Starting Squid and running netstat, port 3128 is there and I can connect directly to it and get back content (access.log / cache.log content is as expected).

Completing the router configuration as per http://wiki.squid-cache.org/Features/Tproxy4#iptables on a Router device I get the following:

ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

NOTE, should there be more values here?
If I do not run ip rule add fwmark 1 lookup 100 I get an empty response, no values.

# ip route list table 100
local default dev lo scope host

Note below, as described in the wiki, DIVERT is before TPROXY in the PREROUTING.

/etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain DIVERT (1 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:5E:4D:CB:9A
          inet addr:172.27.5.104  Bcast:172.27.5.255  Mask:255.255.255.0
          inet6 addr: fe80::221:5eff:fe4d:cb9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1289 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:243203 (237.5 KiB)  TX bytes:219417 (214.2 KiB)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr 00:21:5E:4D:CB:9B
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:21

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

# ping 0.0.0.0
PING 0.0.0.0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.012 ms
^C

In this configuration I can connect directly to 3128 using Firefox and return webpages. Turning the proxy setting off in Firefox, the browser hangs then times out. From the client, if I try to ping an address in the internet the ping hangs.

Any help would be gratefully received,

Damian.

--
Damian O'Neill, Director Software Solutions, BTI Systems, Belfast, UK
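The post asks for commands that show whether the routing and iptables steps just applied actually took effect. The script below is an added example, not part of the original post or the Squid wiki: each check reads the output of one command on stdin and succeeds only when the fwmark rule, the local route in table 100, and the DIVERT-before-TPROXY ordering from the post are present. The SAMPLE_* strings are constructed from the outputs quoted in the post so the checks can be tried offline.

```shell
#!/bin/sh
# Added verification helper (example code, not from the post or the wiki).
# Each check reads one command's output on stdin and returns 0 if the
# expected TPROXY plumbing is present. On a live Squid host run:
#   ip rule show | check_fwmark_rule
#   ip route list table 100 | check_local_route
#   iptables -t mangle -L PREROUTING -n --line-numbers | check_mangle_order

# The policy rule that sends fwmark 0x1 packets to routing table 100.
check_fwmark_rule() {
    grep -q 'fwmark 0x1 lookup 100'
}

# Table 100 must deliver marked packets locally (to lo) so Squid sees them.
check_local_route() {
    grep -q '^local default dev lo'
}

# DIVERT (socket match) must precede TPROXY in mangle PREROUTING, as the
# wiki and the post describe: compare the two rules' line numbers.
check_mangle_order() {
    input=$(cat)
    divert=$(printf '%s\n' "$input" | awk '$2=="DIVERT"{print $1; exit}')
    tproxy=$(printf '%s\n' "$input" | awk '$2=="TPROXY"{print $1; exit}')
    if [ -z "$divert" ] || [ -z "$tproxy" ]; then
        return 1   # one of the rules is missing entirely
    fi
    [ "$divert" -lt "$tproxy" ]
}

# Constructed samples, copied from the outputs quoted in the post.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE100='local default dev lo scope host'
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT)
num  target  prot opt source     destination
1    DIVERT  tcp  --  0.0.0.0/0  0.0.0.0/0  socket
2    TPROXY  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'

# Run the three checks against the samples, reporting each that passes.
run_samples() {
    printf '%s\n' "$SAMPLE_RULES"    | check_fwmark_rule  && echo "fwmark rule:  ok"
    printf '%s\n' "$SAMPLE_TABLE100" | check_local_route  && echo "table 100:    ok"
    printf '%s\n' "$SAMPLE_MANGLE"   | check_mangle_order && echo "mangle order: ok"
}
```

Swap the sample pipelines for the live commands listed in the header comment to check the real host; a failing check names the step that did not take.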