Dear Amos,

I did restart the networking. While reviewing all the iptables settings, from tcpdump we can see:

09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59678297 ecr 0,nop,wscale 6], length 0
09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59679047 ecr 0,nop,wscale 6], length 0
09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46

I think the nodec1 (my squid3 machine) is even able to start an ARP query.

My OS is Ubuntu, kernel version:

yeung@nodec1:/etc/squid3$ uname -r
2.6.32-34-generic-pae

I have checked the rp_filter setting; it has been disabled.

Sorry for causing you trouble.

Best,
Alex

On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 5/03/2012 4:29 p.m., pplive wrote:
>>
>> Dear Amos,
>>
>>
>> On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:
>>>
>>> On 05.03.2012 06:40, pplive wrote:
>>>>
>>>> Dear Amos,
>>>>
>>>> Thanks a lot! By looking at your URL, I have entered the following
>>>> commands in my squid3 machine (my HTTP service is at PORT 8080), the
>>>> squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
>>>> 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:
>>>>
>>>> yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT
>>>> yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128
>>>> yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>>>> yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP
>>>>
>>> <snip>
>>>
>>>
>>>> However, the proxy still has some problem, when we start wget from the
>>>> HTTP client:
>>>> yeung@nodes:~$ wget 10.0.2.1:8080
>>>> --2012-03-04 09:31:39--  http://10.0.2.1:8080/
>>>> Connecting to 10.0.2.1:8080...
>>>> ^C
>>>
>>>
>>> So far good (modulo the testing with port-8080 factor).
>>>
>>>
>>>> yeung@nodes:~$
>>>>
>>>> We look at the TCPDUMP result at the squid3 machine (10.0.3.1), and we see the
>>>> following message:
>>>> 09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
>>>> 09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0
>>>>
>>>> It seems that there was some HTTP-alt traffic coming in from the
>>>> switch, but no HTTP traffic going out of the squid3 machine.
>>>>
>>> Is this a dump of all packets involving port 8080? Or did you add an IP
>>> address or interface direction to hide some packets?
>>
>> Yes, I use 'sudo tcpdump -i eth0', and I have skipped some LLDP messages
>> as follows (as the squid3 machine is connected to a programmable
>> switch):
>
>
>>> Does Squid already have a cached copy of the URL object being used as a
>>> test?
>>
>> There is nothing in access.log.
>
>
> I'm thinking it is probably something in the kernel security controls then.
> SELinux can block interception because it is an MITM attack on the clients.
> Also rp_filter can block the TCP connections in strange places and show up
> like this. Did you restart the networking on the squid box after changing
> sysctl.conf (/etc/init.d/networking restart)?
>
> Amos
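The diagnosis in this thread rests on reading tcpdump by eye: the same SYN (same source port, same seq) shows up twice with no SYN/ACK, then an ARP request for the server appears. The small parser below automates that check; it is an added example, not code from the thread or from Squid, and its sample input is the three tcpdump lines quoted in Alex's message above.

```python
import re
from collections import defaultdict

# Constructed sample: the three tcpdump lines quoted in the message above.
SAMPLE = """\
09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59678297 ecr 0,nop,wscale 6], length 0
09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59679047 ecr 0,nop,wscale 6], length 0
09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46
"""

# tcpdump prints endpoints as host.port; flags [S] is a SYN, [S.] a SYN/ACK.
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)
ARP_RE = re.compile(r"^(?P<ts>\S+) ARP, Request who-has (?P<target>\S+) tell (?P<asker>[^,\s]+)")


def host_of(endpoint: str) -> str:
    """Strip the trailing .port from a tcpdump endpoint such as noder-linkr.http-alt."""
    return endpoint.rsplit(".", 1)[0]


def analyse(dump: str) -> dict:
    """Return, per (src, dst) flow, SYNs that were never answered by a SYN/ACK,
    how many of them were retransmissions (repeated seq), and whether the dump
    also contains an ARP request for the destination host."""
    syns = defaultdict(list)   # (src, dst) -> SYN seq numbers seen
    answered = set()           # (src, dst) flows for which a SYN/ACK came back
    arp_targets = set()        # hosts somebody asked for via ARP
    for line in dump.splitlines():
        m = TCP_RE.match(line)
        if m:
            flow = (m["src"], m["dst"])
            if m["flags"] == "S":
                syns[flow].append(int(m["seq"]))
            elif "S" in m["flags"] and "." in m["flags"]:
                answered.add((m["dst"], m["src"]))  # reply travels dst -> src
            continue
        m = ARP_RE.match(line)
        if m:
            arp_targets.add(m["target"])
    stalled = {}
    for flow, seqs in syns.items():
        if flow in answered:
            continue
        stalled[flow] = {
            "syns": len(seqs),
            "retransmitted": len(seqs) - len(set(seqs)),
            "arp_for_dst": host_of(flow[1]) in arp_targets,
        }
    return stalled
```

Running `analyse(SAMPLE)` reports one stalled flow from nodes-links.37711 to noder-linkr.http-alt with two SYNs, one retransmission and an ARP request for noder-linkr; a dump that contained a SYN/ACK for that flow would report nothing.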