On 29/01/11 05:23, mbruell wrote:
Amos Jeffries-2 wrote:
Start troubleshooting by reading the section "Troubleshooting" on the
wiki TPROXY page. Particularly the Q on timing out.
If proxying works when using port 3128, can I rule out issues with the network
not allowing packets back to Squid when in transparent mode (port 3129)?
No. Forward-proxy, intercept proxy and tproxy all have very different
packet behaviours.
With normal port 3128 (forward proxy), the packets are sent with IP addresses
browser->proxy and then proxy->Internet, with no possible way the
packets could take any other reply route than Internet->proxy->browser.
Intercept packets get sent from the browser with browser->Internet IPs, and
from the proxy with proxy->Internet IPs. So again there is no possible way the
packets could go anywhere but back through the proxy.
With tproxy the packets *always* have browser->Internet IPs. So if
routing is screwed up in even a small way they will go directly back to
the browser, which discards the invalid TCP seqnum details.
... then there are some people who hit problems with the libcap library
or security systems on their box (RP filters, SELinux and MAC-IP filtering
all block packet-spoofing attacks, which is what TPROXY does) and the
packets not actually getting into Squid, or not being spoofed on the way
out.
I posted results of iptables, ip rules, and ip routes listing. I don't see
any issues with them - but please let me know if you do.
They look fine.
That "table 100" bit in the wiki may need to be created for each NIC on
the box, not just the lo interface.
Amos Jeffries-2 wrote:
Extra details to be aware of: Ubuntu 10.04 official packages do not meet
the libcap dependency requirement for TPROXY. Its library is too old.
Squid-3.1 will not produce an obvious message about that before shutting
down TPROXY spoofing.
Ubuntu 10.10 has a mixed success rate.
I'm not wedded to 10.04. Would it be better to build the libcap packages
from latest stable source or move to 10.10?
That is up to you.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
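The thread above talks about the "table 100" routing rule, the TPROXY iptables rules, and RP filters silently dropping the spoofed packets, but never shows them side by side. The script below is an added example written for this page; it is not code from the thread, from Amos, or from the Squid project. It emits (and, with APPLY=1, executes) the three groups of commands a TPROXY box needs: the policy-routing rule and local-delivery table from the kernel tproxy documentation, the DIVERT/TPROXY mangle rules, and the rp_filter sysctls. The per-interface rp_filter loop is the part that has to be repeated for each NIC, because the kernel uses the higher of net.ipv4.conf.all.rp_filter and the per-interface value. Assumed values: Squid's tproxy port is 3129, the firewall mark is 1, the routing table is 100, port 80 is the only intercepted port, and interface names are given on the command line.

```shell
#!/bin/sh
# Added example for the Squid TPROXY thread; not the project's own script.
# Assumptions: Squid tproxy_port 3129, fwmark 1, routing table 100, port 80
# intercepted. Usage:  sh tproxy-setup.sh eth0 eth1   (prints commands)
#                      APPLY=1 sh tproxy-setup.sh eth0 eth1   (runs them)
MARK=1
TABLE=100
TPROXY_PORT=3129
INTERCEPT_PORT=80

# Policy routing: packets carrying the mark consult table 100, which
# delivers every destination locally so the kernel hands them to Squid
# instead of forwarding them back out toward the Internet.
tproxy_routing_cmds() {
    printf '%s\n' "ip rule add fwmark $MARK lookup $TABLE"
    printf '%s\n' "ip route add local 0.0.0.0/0 dev lo table $TABLE"
}

# Firewall: packets that already belong to an open local socket (-m socket)
# are just marked via DIVERT; new flows to port 80 are redirected to Squid's
# tproxy port with the mark set. Re-running this needs the chain flushed
# first, since 'iptables -N DIVERT' fails when the chain already exists.
tproxy_iptables_cmds() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport $INTERCEPT_PORT -j TPROXY --tproxy-mark 0x$MARK/0x$MARK --on-port $TPROXY_PORT
EOF
}

# Reverse-path filtering: the replies Squid sends carry the client's source
# address, which strict rp_filter treats as spoofing and drops. The kernel
# applies max(all, <iface>), so 'all' alone is not enough; every interface
# that carries intercepted or spoofed traffic needs its own sysctl.
tproxy_rpfilter_cmds() {
    printf '%s\n' "sysctl -w net.ipv4.conf.all.rp_filter=0"
    for nic in "$@"; do
        printf '%s\n' "sysctl -w net.ipv4.conf.$nic.rp_filter=0"
    done
}

# Everything in the order it must be applied (routing, firewall, sysctls).
tproxy_all_cmds() {
    tproxy_routing_cmds
    tproxy_iptables_cmds
    tproxy_rpfilter_cmds "$@"
}

# Read-only check of the pieces that most often go missing.
tproxy_check() {
    ip rule show | grep -q "fwmark 0x$MARK lookup $TABLE" \
        && echo "rule: ok" || echo "rule: MISSING"
    ip route show table "$TABLE" | grep -q '^local default dev lo' \
        && echo "table $TABLE: ok" || echo "table $TABLE: MISSING"
    iptables -t mangle -S PREROUTING | grep -q -- "-j TPROXY" \
        && echo "TPROXY rule: ok" || echo "TPROXY rule: MISSING"
    for nic in all "$@"; do
        v=$(sysctl -n "net.ipv4.conf.$nic.rp_filter" 2>/dev/null || echo '?')
        echo "rp_filter $nic: $v (0 wanted)"
    done
}

# Only act when interfaces were given, so sourcing the file is harmless.
if [ $# -gt 0 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        tproxy_all_cmds "$@" | sh -e
        tproxy_check "$@"
    else
        tproxy_all_cmds "$@"
    fi
fi
```

The generated commands mirror the kernel's tproxy documentation and the Squid wiki's TPROXY page; the check function is the quick way to confirm, after a reboot or a firewall reload, that the rule, the table and the rp_filter settings are all still in place before blaming Squid or libcap.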