Hi,

Any suggestions please.

My Current Network Setup:

    WAN ROUTER (114.30.XX.1 --- public ip)
                  |
                  |
               SWITCH
                  |
                  |
    SQUID BOX (114.30.XX.19 gw: 114.30.XX.1) (bridge mode)
                  |
                  |
    BANDWIDTH MGMT. LINUX BOX (114.30.XX.10 gw: 114.30.XX.1)
                  |
                  |
    END USERS (mix with private ips and public ips)

at squid box:
    eth0 -----> internet (cable from switch)
    eth1 -----> cable connected to BANDWIDTH MGMT. LINUX BOX

I am using CentOS 6 and squid version is 3.1.10.

I can see traffic in tproxy iptables rules but I can not get any request to access.log.

Kindly guide me to solve this problem.

Regards,
Benjamin

On Wed, Aug 17, 2011 at 7:15 PM, benjamin fernandis <benjo11111@xxxxxxxxx> wrote:
> Hi,
>
> I configured squid for tproxy feature in my network with bridge mode.
>
> I follow http://wiki.squid-cache.org/Features/Tproxy4
>
> But I'm not getting requests in access.log of squid.
>
> My configuration:
>
> cat /etc/squid/squid.conf
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl mynetwork src '/etc/squid/mynetwork'
> acl cache_deny dst '/etc/squid/deny1'
>
>
> cache deny cache_deny
> #
> cache_mem 1024 MB
>
>
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow mynetwork
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 tproxy
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir aufs /cache/squid 25600 32 512
>
> # Leave coredumps in the first cache dir
> coredump_dir /cache/squid
> httpd_suppress_version_string on
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> ip rule list
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> iptables -L -nvx -t mangle
> Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
>     pkts    bytes target  prot opt in  out  source     destination
>    10993   689414 DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  socket
>    16765  1000259 TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 15122 packets, 1149717 bytes)
>     pkts    bytes target  prot opt in  out  source     destination
>
> Chain FORWARD (policy ACCEPT 959996 packets, 79295677 bytes)
>     pkts    bytes target  prot opt in  out  source     destination
>
> Chain OUTPUT (policy ACCEPT 28272 packets, 10090599 bytes)
>     pkts    bytes target  prot opt in  out  source     destination
>
> Chain POSTROUTING (policy ACCEPT 988265 packets, 89386044 bytes)
>     pkts    bytes target  prot opt in  out  source     destination
>
> Chain DIVERT (1 references)
>     pkts    bytes target  prot opt in  out  source     destination
>    10993   689414 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0  MARK set 0x1
>    10993   689414 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>
>
> ebtables -t broute --list
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
> -p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
> -p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
>
> OS CENTOS 6 64 bit
> squid : 3.1.4
> KERNEL : 2.6.32-71.29.1.el6.x86_64
>
>
> Please guide me.
>
> Thanks,
> Benjamin
>
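A consistency check for the TPROXY plumbing shown in this thread, added here as an example; it is not code from the thread or from the Squid project. It parses condensed copies of the `ip rule`, `iptables -t mangle` and squid.conf output quoted above and verifies that the fwmark, the DIVERT/TPROXY rule order, the TPROXY redirect port and the Squid `tproxy` listener all agree. The `ip route show table 100` input is an assumption, since the thread does not show that table; the check reports a table that has no local route on lo.

```python
import re

# Samples condensed from the outputs quoted in the thread (constructed test
# input, not a live capture).
IP_RULE = """0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default"""
MANGLE = """Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
10993 689414 DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
16765 1000259 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
Chain DIVERT (1 references)
10993 689414 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
10993 689414 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0"""
SQUID_CONF = "http_port 3128\nhttp_port 3129 tproxy\n"
# Assumed `ip route show table 100` output; the thread does not show it.
ROUTE_TABLE_100 = "local default dev lo scope host"


def check_tproxy(ip_rule, mangle, squid_conf, route_table=""):
    """Cross-check the pieces of a TPROXY setup; return a list of findings."""
    findings = []
    rule = re.search(r"fwmark (0x[0-9a-fA-F]+) lookup (\d+)", ip_rule)
    if not rule:
        return ["ip rule: no 'fwmark ... lookup <table>' policy-routing rule"]
    fwmark, table = int(rule.group(1), 16), rule.group(2)
    # DIVERT must set the same mark the policy-routing rule selects on.
    mark = re.search(r"MARK set (0x[0-9a-fA-F]+)", mangle)
    if not mark or int(mark.group(1), 16) != fwmark:
        findings.append("mangle: DIVERT chain does not set the mark the ip rule matches")
    # TPROXY must use that mark too, and redirect to a port Squid listens on.
    tp = re.search(r"TPROXY redirect [\d.]+:(\d+) mark (0x[0-9a-fA-F]+)/", mangle)
    if not tp:
        findings.append("mangle: no TPROXY rule in PREROUTING")
    else:
        port, tpmark = tp.group(1), int(tp.group(2), 16)
        if tpmark != fwmark:
            findings.append("mangle: TPROXY mark differs from the ip rule fwmark")
        if f"http_port {port} tproxy" not in squid_conf:
            findings.append(f"squid.conf: no 'http_port {port} tproxy' listener")
    # The socket match (DIVERT) is evaluated first so packets for sockets
    # Squid already owns are marked and routed locally before TPROXY runs.
    pre = mangle.split("Chain DIVERT")[0]
    if pre.find("DIVERT") == -1 or pre.find("DIVERT") > pre.find("TPROXY"):
        findings.append("mangle: DIVERT (socket match) must precede TPROXY")
    # Marked packets need a local route in the selected table to reach Squid.
    if not re.search(r"^local .*\bdev lo\b", route_table, re.M):
        findings.append(f"ip route: table {table} has no 'local ... dev lo' route")
    return findings
```

An empty list means the pieces agree; any finding names the layer (ip rule, mangle, squid.conf, ip route) where the mismatch lies.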