On 21/08/11 05:04, John Hardin wrote:
> On Sat, 20 Aug 2011, Ritter, Nicholas wrote:
>> What kernel/iptables/distro are you using?
>> I am getting this exact same problem and I copied the iptables rules
>> from my working TPROXY/SQUID setup and the only difference was the
>> kernel and iptables version.
>> I think there is some TPROXY breakage somewhere in the later kernels,
>
> I have a very similar setup and I have no problems.
>
> athena ~ # equery l squid iptables
> * Searching for squid ...
> [IP-] [ ] net-proxy/squid-3.1.8:0
> * Searching for iptables ...
> [IP-] [ ] net-firewall/iptables-1.4.11.1-r2:0
> athena ~ # uname -a
> Linux athena 2.6.36-hardened-r9 blah blah blah
>
> I don't know if that qualifies as a "later kernel" or not.
>
> Those firewall rules seem overly complex, try it without fwmark:
>
> # No masq of HTTP traffic, must go via proxy
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8000,8008,8080,8088,8800,8880,8888 -j REDIRECT --to-port 3129
NAT is a very different beast to TPROXY at the IP level. For starters
the outgoing IP address in NAT is one assigned to the Squid box.

They have already tried with manually configured proxy, which performs
the same outgoing connection actions as NAT would. That works. A NAT
test will provide no new information.

The fwmark and DIVERT rules are there to prevent packets being
intercepted multiple times into Squid, since the outgoing packet has
identical addressing to the incoming packet and both pass through the
mangle table PREROUTING capture rules as they begin processing.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.10
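As an added example (not code from the thread or from the Squid project), the two-stage mangle-table rule set that Amos's explanation refers to: a `-m socket` match sends packets belonging to an already-intercepted flow to a DIVERT chain that only marks and accepts them, and only packets with no existing socket reach the TPROXY target. The intercepted port 80, Squid's port 3129, mark value 1 and routing table 100 are assumed values chosen for illustration. The script prints the rules rather than running them so they can be reviewed first, and includes a checker that reads a dump of the PREROUTING chain and confirms the DIVERT rule precedes every TPROXY rule, which is the ordering that prevents the double interception described above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed values:
# intercepted port 80, Squid listening on 3129, fwmark 1, table 100.
set -e

# Print the mangle-table and policy-routing commands for a TPROXY
# intercept of destination port $1 onto Squid's local port $2.
tproxy_rules() {
    dport=${1:-80}
    squid_port=${2:-3129}
    mark=1
    table=100
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $mark
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport $dport -j TPROXY --tproxy-mark $mark/$mark --on-port $squid_port
ip rule add fwmark $mark lookup $table
ip route add local 0.0.0.0/0 dev lo table $table
EOF
}

# Execute the printed rules (needs root and a kernel with xt_socket
# and xt_TPROXY; this is never called by the checks below).
tproxy_apply() {
    tproxy_rules "$@" | sh -e
}

# Read a chain dump (the format printed by `iptables -t mangle -S
# PREROUTING`) from stdin. Exit 0 when the "-m socket ... -j DIVERT"
# rule appears before every TPROXY rule, 1 when a TPROXY rule comes
# first, because then packets of an existing flow are re-intercepted.
tproxy_check_order() {
    awk '
        /-m socket/ && /-j DIVERT/ { divert = NR }
        /-j TPROXY/ && !divert    { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}
```

Squid itself must listen with `http_port 3129 tproxy` for the TPROXY flows; a plain `http_port 3129` accepts them but cannot spoof the client address on the outgoing side. After applying the rules, `iptables -t mangle -S PREROUTING | tproxy_check_order` gives a quick yes/no on the rule order.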