On Sat, 20 Aug 2011, Ritter, Nicholas wrote:
What kernel/iptables/distro are you using? I am getting this exact same problem and I copied the iptables rules from my working TPROXY/SQUID setup and the only difference was the kernel and iptables version. I think there is some TPROXY breakage somewhere in the later kernels,
I have a very similar setup and I have no problems.

    athena ~ # equery l squid iptables
     * Searching for squid ...
    [IP-] [  ] net-proxy/squid-3.1.8:0
     * Searching for iptables ...
    [IP-] [  ] net-firewall/iptables-1.4.11.1-r2:0
    athena ~ # uname -a
    Linux athena 2.6.36-hardened-r9 blah blah blah

I don't know if that qualifies as a "later kernel" or not.

Those firewall rules seem overly complex, try it without fwmark:

    # No masq of HTTP traffic, must go via proxy
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8000,8008,8080,8088,8800,8880,8888 -j REDIRECT --to-port 3129
-----Original Message-----
From: User User [mailto:netwotkstudent@xxxxxxxxx]
Sent: Saturday, August 20, 2011 10:16 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Tproxy time

Hi,

I have a linux box on which I installed Squid. I used the steps from the wiki links (http://wiki.squid-cache.org/Features/Tproxy4) to compile the kernel, iptables, ... The box works normally on 3128 when I set a manual proxy on the client, but for tproxy transparent mode I am getting a timeout on the client after some minutes. I am routing traffic from the client to this box and try to catch it with iptables (tproxy). I am seeing the requests in the access log too.

    http_port 3128
    http_port 3129 tproxy

    ip rule add fwmark 1 lookup 100
    ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

thanks for your help.
--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhardin@xxxxxxxxxx    FALaholic #11174     pgpk -a jhardin@xxxxxxxxxx
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier
-----------------------------------------------------------------------
4 days until the 1932nd anniversary of the destruction of Pompeii