Eliezer

Hi

Thanks for your email, and sorry if I couldn't properly describe the case. Yes, I need an intercepting transparent proxy in which all clients use their own IP address in order to surf the web while the proxy server is kept transparent to them.

I am using Debian Lenny. Here are some details about the platform:

Kernel: 2.6.38.3 (NF_CONNTRACK=m, NETFILTER_TPROXY=m, NETFILTER_XT_MATCH_SOCKET=m, NETFILTER_XT_TARGET_TPROXY=m)
iptables: 1.4.10
Squid: 3.1.12.1 (--enable-linux-netfilter)

I have configured all those firewall rules mentioned by the tutorial:

# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

Also, I have entered the following two lines in squid.conf:

http_port 3128
http_port 3129 tproxy

The proxy server is a one-NIC machine which is connected to the Internet via its default gateway.

# ip rule list
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

# ip route list table all
local default dev lo table 100 scope host
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.17
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.1.1 dev eth0
local 192.168.1.17 dev eth0 table local proto kernel scope host src 192.168.1.17
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.17
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.17
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 hoplimit 4294967295
local fe80::208:2ff:fe95:7a77 via :: dev lo table local proto none metric 0 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255

The problem is that the kernel does not accept the following:

# ip route add local 0.0.0.0/0 dev lo table 100

Thanks again.

Warm Regards,
Ali Majdzadeh Kohbanani

2011/8/13 Eliezer Croitoru <eliezer@xxxxxxxxxxxxxxxxxx>
>
> are you sure you need it as a tproxy and not an INTERCEPTION software?
> give us some info on the os and other stuff on the system and subnet etc.
>
> On 13/08/2011 00:32, Ali Majdzadeh wrote:
>
> Dear All,
> I have followed these two guides in order to set up transparent caching
> using TProxy and Squid, but without any success.
>
> http://wiki.squid-cache.org/Features/Tproxy4
> http://wiki.squid-cache.org/ConfigExamples/Intercept/CentOsTproxy4?action=show&redirect=ConfigExamples%2FTPROXYPatchingCentOS
>
> Actually, the following command fails:
> # ip route add local 0.0.0.0/0 dev lo table 100
> RTNETLINK answers: File exists
>
> Is there any solution to this? Any suggestions? I have precisely
> followed the guides. It should be noted that I am trying to set up a
> normal scenario where the proxy box is connected to the internet using
> its default gateway and it has only one interface.
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
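The `ip route list table all` listing in the thread already contains `local default dev lo table 100 scope host`, which is the route the failing `ip route add` command tries to create. The script below is an added example, not code from the thread or from the Squid wiki pages it links: it re-applies the same TPROXY plumbing but checks each routing entry before adding it and rebuilds the mangle rules instead of appending duplicates. It assumes table 100, mark 0x1, chain DIVERT and Squid port 3129 from the post, and must run as root on the proxy box; the `apply` argument and the `TPROXY_PORT` name are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent version of the TPROXY
# plumbing discussed above. Assumed values come from the post: table 100,
# mark 0x1, Squid tproxy port 3129, mangle chain DIVERT. Must run as root.
set -eu

TABLE=100
MARK=0x1
TPROXY_PORT=3129

# stdin: output of "ip rule show". Returns 0 if the fwmark rule is there.
rule_present() {
    grep -qE "fwmark $MARK lookup $TABLE( |\$)"
}

# stdin: output of "ip route show table $TABLE". Returns 0 if the local
# catch-all route already exists; running "ip route add" for a route that
# is already present is what yields "RTNETLINK answers: File exists".
local_route_present() {
    grep -qE "^local (default|0\.0\.0\.0/0) dev lo"
}

ensure_policy_routing() {
    ip rule show | rule_present || ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route show table "$TABLE" | local_route_present \
        || ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

ensure_mangle_rules() {
    # iptables 1.4.10 has no -C, so rebuild the chain instead of appending
    # again: create DIVERT if it is missing, otherwise empty it.
    iptables -t mangle -N DIVERT 2>/dev/null || iptables -t mangle -F DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    iptables -t mangle -A DIVERT -j ACCEPT
    # Remove any earlier copies of the PREROUTING hooks before re-adding them.
    while iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null; do :; done
    while iptables -t mangle -D PREROUTING -p tcp --dport 80 -j TPROXY \
            --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT" 2>/dev/null; do :; done
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# Only touch the system when explicitly asked: sh tproxy-setup.sh apply
case "${1:-}" in
    apply) ensure_policy_routing; ensure_mangle_rules ;;
esac
```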