I'm trying to setup Squid 3.HEAD (3.2.x) in Fully transparent mode with brouting (ebtables) but don't ever see the sync request coming into squid. Anyone see what I'm missing? I started with Fedora 14 but read there could be issues with the kernel and dropped back to FC 12 to get Linux fw01.localdomain 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 i686 i386 GNU/Linux My system config is as follows: I have three interfaces on the system... Eth1 is the the admin interface. Eth2 is the client side facing interface and Eth0 is facing the internet and br0 is the bridge. 011/03/13 10:35:33.169 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0xa2fb668 [call8] 2011/03/13 10:35:33.169 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410) [call8] 2011/03/13 10:35:33.169 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0xa2fb750 [call10] 2011/03/13 10:35:33.170 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498) [call10] 2011/03/13 10:35:33.170 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0xa2fb838 [call12] 2011/03/13 10:35:33.170 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520) [call12] 2011/03/13 10:35:33.170 kid1| HTCP Disabled. 2011/03/13 10:35:33.170 kid1| Squid plugin modules loaded: 0 2011/03/13 10:35:33.170 kid1| Adaptation support is off. 2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation services 2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation service groups 2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation access rules 2011/03/13 10:35:33.170 kid1| Ready to serve requests. 2011/03/13 10:35:33.170 kid1| entering clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410) 2011/03/13 10:35:33.170 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call8] 2011/03/13 10:35:33.170 kid1| AcceptingHTTP Socket connections at FD 15 on [::]:3128 2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410) 2011/03/13 10:35:33.171 kid1| entering clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498) 2011/03/13 10:35:33.171 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call10] 2011/03/13 10:35:33.171 kid1| Accepting spoofingHTTP Socket connections at FD 16 on 0.0.0.0:3129 2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498) 2011/03/13 10:35:33.171 kid1| entering clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520) 2011/03/13 10:35:33.171 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call12] 2011/03/13 10:35:33.171 kid1| Accepting interceptedHTTP Socket connections at FD 17 on 0.0.0.0:3130 2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520) 2011/03/13 10:35:34 kid1| storeLateRelease: released 0 objects Confirmed by lsof. root@fw01 ~]# lsof -i -nP | grep squid squid 2090 squid 7u IPv6 20137 0t0 UDP *:41566 squid 2090 squid 8u IPv4 20138 0t0 UDP *:48061 squid 2090 squid 15u IPv6 20383 0t0 TCP *:3128 (LISTEN) squid 2090 squid 16u IPv4 20384 0t0 TCP *:3129 (LISTEN) squid 2090 squid 17u IPv4 20385 0t0 TCP *:3130 (LISTEN) [root@fw01 ~]# ip rule list 0: from all lookup local 32765: from all fwmark 0x1 iif lo lookup 100 32766: from all lookup main 32767: from all lookup default NOTE: -- I get these errors when trying to add any additional routing [root@fw01 ~]# ip route add local 0.0.0.0/0 dev eth0 table 100 RTNETLINK answers: File exists [root@fw01 ~]# ip route add local 0.0.0.0/0 dev eth2 table 100 RTNETLINK answers: File exists [root@fw01 ~]# ip route list table all local default dev lo table 100 scope host 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.90 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.78 metric 1 default via 192.168.1.254 dev br0 broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.78 broadcast 192.168.1.0 dev br0 table local proto kernel scope link src 192.168.1.90 broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 local 192.168.1.90 dev br0 table local proto kernel scope host src 192.168.1.90 broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.78 broadcast 192.168.1.255 dev br0 table local proto kernel scope link src 192.168.1.90 local 192.168.1.78 dev eth1 table local proto kernel scope host src 192.168.1.78 broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0 fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0 fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0 fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0 unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255 local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0 local fe80::207:e9ff:fee5:ac7a via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0 local fe80::240:f4ff:fecd:170 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0 local fe80::240:f4ff:fecd:170 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0 local fe80::2a0:c9ff:fe08:4c26 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0 ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 0 ff00::/8 dev eth2 table local metric 256 mtu 1500 advmss 1440 hoplimit 0 ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0 ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0 unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255 [root@fw01 ~]# [root@fw01 ~]# ifconfig -a br0 Link encap:Ethernet HWaddr 00:40:F4:CD:01:70 inet addr:192.168.1.90 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::240:f4ff:fecd:170/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:144404 errors:0 dropped:0 overruns:0 frame:0 TX packets:22080 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:181401897 (172.9 MiB) TX bytes:27113936 (25.8 MiB) eth0 Link encap:Ethernet HWaddr 00:A0:C9:08:4C:26 inet6 addr: fe80::2a0:c9ff:fe08:4c26/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:151170 errors:0 dropped:0 overruns:0 frame:0 TX packets:22109 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:190817348 (181.9 MiB) TX bytes:27115370 (25.8 MiB) eth1 Link encap:Ethernet HWaddr 00:07:E9:E5:AC:7A inet addr:192.168.1.78 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::207:e9ff:fee5:ac7a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:13464 errors:0 dropped:0 overruns:0 frame:0 TX packets:29328 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:959581 (937.0 KiB) TX bytes:38109473 (36.3 MiB) eth2 Link encap:Ethernet HWaddr 00:40:F4:CD:01:70 inet6 addr: fe80::240:f4ff:fecd:170/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:28 errors:0 dropped:0 overruns:0 frame:0 TX packets:135268 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1872 (1.8 KiB) TX bytes:182786344 (174.3 MiB) Interrupt:18 Base address:0x2800 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:14 errors:0 dropped:0 overruns:0 frame:0 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1308 (1.2 KiB) TX bytes:1308 (1.2 KiB) pan0 Link encap:Ethernet HWaddr 3A:5D:43:EE:D1:16 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) [root@fw01 ~]# Bridge config: [root@fw01 logs]# ebtables-save # Generated by ebtables-save v1.0 on Sun Mar 13 10:52:47 PDT 2011 *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT *broute :BROUTING ACCEPT -A BROUTING -p IPv4 -i eth2 --ip-proto tcp --ip-dport 80 --log-level notice --log-prefix "ebt-dport-80:" -j redirect --redirect-target DROP -A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 --log-level notice --log-prefix "ebt-sport-80:" -j redirect --redirect-target DROP ----------- Mar 13 11:04:47 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800 Mar 13 11:05:08 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800 Mar 13 11:05:57 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800 Mar 13 11:08:48 fw01 kernel: ebt-dport-80: IN=eth2 OUT= MAC source = 00:50:56:36:df:78 MAC dest = 00:17:f2:09:8a:56 proto = 0x0800 Mar 13 11:08:51 fw01 kernel: ebt-dport-80: IN=eth2 OUT= MAC source = 00:50:56:36:df:78 MAC dest = 00:17:f2:09:8a:56 proto = 0x0800 [root@fw01 ~]# cat /var/log/messages | grep PROXYIT Mar 13 10:41:24 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61864 DF PROTO=TCP SPT=40748 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 Mar 13 10:41:27 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61865 DF PROTO=TCP SPT=40748 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 Mar 13 10:41:33 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61866 DF PROTO=TCP SPT=40748 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ------------ I created a PROXYIT table to confirm the routing and also, the filter table is empty. [root@fw01 ~]# iptables -t mangle -L -v Chain PREROUTING (policy ACCEPT 649K packets, 873M bytes) pkts bytes target prot opt in out source destination 33821 1936K DIVERT tcp -- any any anywhere anywhere socket 17 1020 PROXYIT tcp -- any any anywhere anywhere tcp dpt:http 649K 873M LOGTPROXY2 all -- any any anywhere anywhere Chain INPUT (policy ACCEPT 34681 packets, 2071K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 88 packets, 117K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 27623 packets, 96M bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 27731 packets, 96M bytes) pkts bytes target prot opt in out source destination Chain DIVERT (1 references) pkts bytes target prot opt in out source destination 33821 1936K MARK all -- any any anywhere anywhere MARK or 0x1 33821 1936K LOGDIVERT all -- any any anywhere anywhere 33821 1936K ACCEPT all -- any any anywhere anywhere Chain LOGDIVERT (1 references) pkts bytes target prot opt in out source destination 1862 115K LOG all -- any any anywhere anywhere limit: avg 1/sec burst 10 LOG level warning prefix `IPT_LOGDIVERT: ' 33821 1936K RETURN all -- any any anywhere anywhere Chain LOGTPROXY1 (0 references) pkts bytes target prot opt in out source destination Chain LOGTPROXY2 (1 references) pkts bytes target prot opt in out source destination 1863 2520K LOG all -- any any anywhere anywhere limit: avg 1/sec burst 10 LOG level warning prefix `IPT_TPROXY2: ' Chain PROXYIT (1 references) pkts bytes target prot opt in out source destination 17 1020 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 10 LOG level warning prefix `IPT_PROXYIT: ' 17 1020 TPROXY tcp -- any any anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0xffffffff I can use squidclient to read cache stats so I'm pretty sure squid is setup ok. [root@fw01 logs]# squidclient -p 3128 mgr:info HTTP/1.1 200 OK Server: squid/3.HEAD-20110307 Mime-Version: 1.0 Date: Sun, 13 Mar 2011 18:02:05 GMT Content-Type: text/plain Expires: Sun, 13 Mar 2011 18:02:05 GMT Last-Modified: Sun, 13 Mar 2011 18:02:05 GMT X-Cache: MISS from fw01.localdomain Via: 1.1 fw01.localdomain (squid/3.HEAD-20110307) Connection: close Squid Object Cache: Version 3.HEAD-20110307 Start Time: Sun, 13 Mar 2011 18:01:54 GMT Current Time: Sun, 13 Mar 2011 18:02:05 GMT Connection information for squid: Number of clients accessing cache: 1 Number of HTTP requests received: 0 Number of ICP messages received: 0 Number of ICP messages sent: 0 Number of queued ICP replies: 0 Number of HTCP messages received: 0 Number of HTCP messages sent: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 0.0 Average ICP messages per minute since start: 0.0 Select loop called: 1113 times, 9.587 ms avg What I'm i missing? I'm pretty sure it's in the routing layer as it looks like both IPTables and EBTables seem to be doing the right thing. James S. Binder Vice President, Engineering jbinder@xxxxxxxxxxx 408.761.1403 (cell) This information contained in this e-mail message and any attachments thereto, is intended only for the personal and confidential use of the recipient(s) named above. This message may be under the terms of a Mutual Non-Disclosure Agreement communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify use immediately by e-mail and delete this original message.