Hello!

I am using:

- Slackware Linux Bridge working fine (eth0 = Internet and eth1 = Users)
- Latest 2.6.37 kernel
- Iptables 1.4.9
- Ebtables 2.0.9-2
- Squid 3.1.10

I configured squid.conf with

    http_port 3129 tproxy

and it's working:

    tcp        0      0 0.0.0.0:3129        0.0.0.0:*        LISTEN      3370/(squid)

My kernel has the support:

    # zcat /proc/config.gz | grep -E '(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
    CONFIG_NF_CONNTRACK=m
    CONFIG_NETFILTER_TPROXY=m
    CONFIG_NETFILTER_XT_TARGET_TPROXY=m
    CONFIG_NETFILTER_XT_MATCH_SOCKET=m

According to research I did on this list, I should use, for this kernel:

    ip rule add dev fwmark 1 lookup 100
    ip rule add dev eth0 fwmark 1 lookup 100
    ip rule add dev eth1 fwmark 1 lookup 100

    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
    echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

    ip route add local 0.0.0.0/0 dev lo table 100

    ebtables -t broute -I BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
    ebtables -t broute -I BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

    cd /proc/sys/net/bridge/
    for i in *
    do
        echo 0 > $i
    done
    unset i

When I try to connect from a user's computer to any website, the connection hangs and never completes.

I used tcpdump and can't see any packets redirected to 3129, but the rules have matches:

    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      116  7168 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
       13   756 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

    Chain INPUT (policy ACCEPT 115 packets, 7128 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 63 packets, 19880 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 63 packets, 19880 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain DIVERT (1 references)
     pkts bytes target     prot opt in     out     source               destination
      116  7168 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
      116  7168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

If I delete the ebtables rules, I can navigate, but without passing through squid (the connections go direct).

Am I doing something wrong? Can you point me to any discussion or documentation regarding this issue?

Thank you VERY much in advance for your time and help!!
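
Added example, not part of the original post: a TPROXY setup like the one above only works when the mark set by iptables, the fwmark in the ip rule, the routing table holding the local route, and the Squid tproxy port all agree. The Python sketch below cross-checks those values in a command listing. The function name lint_tproxy and the sample text are constructed for illustration, and the check covers consistency only, not bridge or rp_filter behaviour.

```python
import re

# Constructed sample using the values from the post (mark 1, table 100, port 3129).
SAMPLE = """\
ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
"""

def lint_tproxy(script, squid_port):
    """Hypothetical helper: list inconsistencies between the TPROXY rule,
    the MARK rule, the ip rule and the local route in a command listing."""
    findings = []
    # fwmark -> routing table, from "ip rule add ... fwmark N lookup T"
    rules = {int(m, 0): t for m, t in
             re.findall(r"ip rule add\b.*?\bfwmark (\S+) lookup (\S+)", script)}
    # tables that deliver every destination locally via lo
    local = set(re.findall(
        r"ip route add local 0\.0\.0\.0/0 dev lo table (\S+)", script))
    # (port, mark) pairs; the /mask part of --tproxy-mark is ignored here
    tproxy = re.findall(r"-j TPROXY --on-port (\d+) --tproxy-mark (\w+)", script)
    set_marks = {int(v, 0) for v in
                 re.findall(r"-j MARK --set-mark (\w+)", script)}
    if not tproxy:
        findings.append("no TPROXY rule found")
    for port, mark in tproxy:
        mark = int(mark, 0)
        if int(port) != squid_port:
            findings.append(f"TPROXY --on-port {port} != squid tproxy port {squid_port}")
        if mark not in rules:
            findings.append(f"no ip rule selects fwmark {mark}")
        elif rules[mark] not in local:
            findings.append(f"table {rules[mark]} has no local default route via lo")
        for other in sorted(set_marks - {mark}):
            findings.append(f"DIVERT sets mark {other}, TPROXY sets mark {mark}")
    return findings

if __name__ == "__main__":
    print(lint_tproxy(SAMPLE, 3129))  # values agree with each other
    broken = SAMPLE.replace("--on-port 3129", "--on-port 3128")
    print(lint_tproxy(broken, 3129))  # port mismatch is reported
```

An empty result means only that the mark, table and port values agree with each other.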