Amos,
Hi
The packet counter on -j TPROXY does not increment. So, why are clients able to surf the web?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh <ali.majdzadeh@xxxxxxxxx>
>
> Amos,
> Hi
> Thanks for your reply. Regarding the documentation, I have inserted
> the following routing rules:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> Now, access.log is populated with proper logs, but clients cannot
> surf the web, I mean the proxy server is unable to forward http
> responses to clients' browsers. When the client enters for example
> www.google.com, the connection to the http server is established but
> the process halts at Waiting for www.google.com and after a while
> Squid reports the inability to retrieve the requested URL.
> By the way, we have disabled selinux.
> Any ideas?
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
> 2011/6/6 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> > On 06/06/11 06:32, Ali Majdzadeh wrote:
> >>
> >> Hello All,
> >> I have set up the following configuration:
> >> Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
> >> configure option)
> >> Kernel (2.6.38.3)
> >> iptables (1.4.11)
> >>
> >> I have added the following two directives in squid.conf:
> >> http_port 3128
> >> http_port 3129 tproxy
> >>
> >> Also, I have configured iptables with the following rules:
> >> iptables -t mangle -N DIVERT
> >> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> >> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> >> iptables -t mangle -A DIVERT -j ACCEPT
> >> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> >>
> >> Everything works as expected, I mean, the users can surf the web and
> >> the proxy server is transparent. The problem is that actually there is
> >> no caching. I mean, both cache.log and access.log files are empty. On
> >
> > That would be transparency to the point of not going through the proxy.
> > access.log should have entries for each request.
> >
> >> the other hand, if I manually set the proxy configuration in clients'
> >> browsers (the IP address of the squid server and port number 3128)
> >> everything is OK; the log files are incremented and objects are
> >> cached.
> >>
> >> Has anyone faced the same issue?
> >
> > Some. It's usually boiled down to missing out some details omitted. building
> > against libcap2 or routing packets to the squid box for example.
> >
> > Are the packet counters on that -j TPROXY rule showing captures?
> >
> > Did you follow the rest of the feature config?
> > ie the special sub-routing table? OS packet filtering toggles? selinux
> > updated to allow tproxy?
> >
> > Is this box even routing or bridging port 80 traffic for the network?
> >
> > Amos
> > --
> > Please be using
> > Current Stable Squid 2.7.STABLE9 or 3.1.12
> > Beta testers wanted for 3.2.0.8 and 3.1.12.2
> >
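
Added example, not part of the thread and not Squid project code: a shell check that reads captured command output and reports the TPROXY rule's packet counter together with the fwmark rule and local route that the thread's configuration relies on. The function names are hypothetical and the sample output is constructed, not taken from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are captured text from:
#   iptables -t mangle -L PREROUTING -v -n -x
#   ip rule show
#   ip route show table 100

# Constructed sample output (not taken from the poster's machine).
SAMPLE_IPT='Chain PREROUTING (policy ACCEPT 1520 packets, 912000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
       0        0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='local default dev lo scope host'

# Packet counter of the first TPROXY rule, or "none" if no such rule exists.
tproxy_pkts() {
    printf '%s\n' "$1" | awk '
        $3 == "TPROXY" { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# One finding per line: TPROXY rule state, then any missing routing piece.
tproxy_diagnose() {
    case $(tproxy_pkts "$1") in
        none) echo "no-tproxy-rule" ;;
        0)    echo "tproxy-counter-zero" ;;   # rule exists but has matched nothing
        *)    echo "tproxy-capturing" ;;
    esac
    # "ip rule add fwmark 1 lookup 100" is listed by "ip rule show" as fwmark 0x1
    printf '%s\n' "$2" | grep -Eq 'fwmark 0x1(/0x1)? lookup 100' ||
        echo "missing-ip-rule"
    # "ip route add local 0.0.0.0/0 dev lo table 100" is listed as "local default dev lo"
    printf '%s\n' "$3" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' ||
        echo "missing-local-route"
}

tproxy_diagnose "$SAMPLE_IPT" "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```

On a live box, pass the three commands' output in place of the sample variables.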