On 20/09/11 22:42, Tux Mason wrote:
> Hello, I need help to get TProxy working. When I set my browser to use the tproxy port, netstat output shows SYN_SENT for a while and the connection times out.
Of course. Squid is required to invert the connecting IP addresses on arrival at a tproxy port. You CAN NOT send forward-proxy traffic from the browser to a Squid tproxy flagged port and have anything useful come out the WAN side of Squid.
Set your browser to use no proxy at all and the Squid box as its gateway router.
Once that is done and tested correctly, check your rpfilter settings against the wiki page. I have reason to believe the wiki docs are now out of date as of kernel 2.6.35 and incorrect regarding rpfilter. But nobody has yet confirmed which altered settings we need.
> When I set my browser to use the transparent port, content is fetched by the cache and the content is displayed in the browser.
This is a bug, which has been fixed in the 3.2 series.
> I have configured my routing as follows,
> ----------------------------------------------------------------
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip <SQUID_BOX_PUBLIC_IP> --on-port 3129
> ----------------------------------------------------------------
> ---------- squid.conf excerpt ----------------------------------
> http_port <SQUID_BOX_PUBLIC_IP>:3128 intercept
I see no NAT rules for port 3128 interception.
> http_port <SQUID_BOX_PUBLIC_IP>:3129 tproxy
> ...
> acl public src <CLIENT_NETWORK> # public IPs
> acl localhost src 127.0.0.0/24
> acl localnet src 192.168.2.0/24
> acl localnet src 192.168.3.0/24
> acl localnet src 10.10.10.0/24
> ...
> http_access allow public
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> ----------------------------------------------------------------
> Distro: Slackware 13.37 x86_64
> Kernel: linux-3.0.4 (tried 2.6.37 and 2.6.30 - connections time out)
> Squid version: 3.1.15 (tried 3.1.12 - connections also time out)
> Any help will be greatly appreciated.
> Kind regards,
> Daniel

Amos
-- 
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
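As an added example (not from the thread, and not Squid's own tooling), a small Python check for the mismatch Amos points out above: it reads an iptables rule list and a squid.conf excerpt (both constructed here to mirror Daniel's post, placeholders kept) and reports every intercept or tproxy http_port that has no matching nat REDIRECT or mangle TPROXY rule. It recognises only REDIRECT and TPROXY targets; DNAT-based interception is not parsed.

```python
import re

# Constructed sample mirroring the rules quoted in the thread (placeholders kept).
IPTABLES_RULES = """
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip <SQUID_BOX_PUBLIC_IP> --on-port 3129
"""

# Constructed squid.conf excerpt: one intercept port and one tproxy port.
SQUID_CONF = """
http_port <SQUID_BOX_PUBLIC_IP>:3128 intercept
http_port <SQUID_BOX_PUBLIC_IP>:3129 tproxy
"""


def squid_ports(conf):
    """Return {port: mode} for each http_port line flagged intercept/transparent or tproxy."""
    ports = {}
    for m in re.finditer(r"^\s*http_port\s+\S*?(\d+)\s+(.*)$", conf, re.M):
        port, opts = int(m.group(1)), m.group(2).split()
        if "intercept" in opts or "transparent" in opts:
            ports[port] = "intercept"
        elif "tproxy" in opts:
            ports[port] = "tproxy"
    return ports


def tproxy_ports(rules):
    """Ports that a mangle TPROXY rule diverts to (--on-port)."""
    return {int(p) for p in re.findall(r"-j TPROXY\b.*?--on-port\s+(\d+)", rules)}


def redirect_ports(rules):
    """Ports that a nat REDIRECT rule sends intercepted traffic to (--to-ports)."""
    return {int(p) for p in re.findall(r"-j REDIRECT\b.*?--to-ports?\s+(\d+)", rules)}


def audit(rules, conf):
    """List every interception http_port that has no iptables rule feeding it."""
    problems, tp, rd = [], tproxy_ports(rules), redirect_ports(rules)
    for port, mode in sorted(squid_ports(conf).items()):
        if mode == "tproxy" and port not in tp:
            problems.append(f"port {port} tproxy: no mangle TPROXY --on-port {port} rule")
        if mode == "intercept" and port not in rd:
            problems.append(f"port {port} intercept: no nat REDIRECT --to-ports {port} rule")
    return problems


if __name__ == "__main__":
    print("\n".join(audit(IPTABLES_RULES, SQUID_CONF)) or "all interception ports have rules")
```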