Dear Amos,

To see whether there was some internal firewall in my system, I tried a simpler topology, i.e.,

Client (10.0.0.1) (eth0) -> (eth0) Squid3 (eth1) -> (eth0) Server (10.0.0.2)

I just followed the settings in http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT --to-port 3128

According to tcpdump, we can see the packets are forwarded to port 3128 (I use wget 10.0.0.2:8080 at the client):

14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr 0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr 0,nop,wscale 6], length 0

Still, I am confused about using one NIC: how can I redirect the packets to port 3128?

Thanks a lot!

Best regards,
Alex

On Mon, Mar 5, 2012 at 4:19 PM, pplive <p2pnet10@xxxxxxxxxxxxxx> wrote:
> Dear Amos,
>
> I did restart the networking.
>
> When I just reviewed all iptables settings, from tcpdump we can see
>
> 09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59678297 ecr 0,nop,wscale 6], length 0
> 09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val 59679047 ecr 0,nop,wscale 6], length 0
> 09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46
>
> I think the nodec1 (my squid3 machine) is even able to start an ARP query.
>
> My OS is Ubuntu, kernel version
> yeung@nodec1:/etc/squid3$ uname -r
> 2.6.32-34-generic-pae
>
> I have checked the rp_filter setting, it has been disabled.
>
> Sorry for causing you trouble.
>
> Best,
> Alex
>
>
> On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 5/03/2012 4:29 p.m., pplive wrote:
>>>
>>> Dear Amos,
>>>
>>>
>>> On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:
>>>>
>>>> On 05.03.2012 06:40, pplive wrote:
>>>>>
>>>>> Dear Amos,
>>>>>
>>>>> Thanks a lot! By looking at your URL, I have entered the following
>>>>> commands in my squid3 machine (my HTTP service is at PORT 8080), the
>>>>> squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
>>>>> 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:
>>>>>
>>>>> yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT
>>>>> yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128
>>>>> yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>>>>> yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP
>>>>>
>>>> <snip>
>>>>
>>>>
>>>>> However, the proxy still has some problem, when we start wget from the
>>>>> HTTP client:
>>>>> yeung@nodes:~$ wget 10.0.2.1:8080
>>>>> --2012-03-04 09:31:39-- http://10.0.2.1:8080/
>>>>> Connecting to 10.0.2.1:8080... ^C
>>>>
>>>>
>>>> So far good (modulo the testing with port-8080 factor).
>>>>
>>>>
>>>>> yeung@nodes:~$
>>>>>
>>>>> We look at the TCPDUMP result at the squid3 machine (10.0.3.1), we see the
>>>>> following message:
>>>>> 09:31:39.384558 IP nodes-links.51902> noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
>>>>> 09:31:42.379034 IP nodes-links.51902> noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0
>>>>>
>>>>> It seems that there was some HTTP-alt traffic coming in from the
>>>>> switch, but no HTTP traffic going out of the squid3 machine.
>>>>>
>>>> Is this a dump of all packets involving port 8080? Or did you add an IP
>>>> address or interface direction to hide some packets?
>>>
>>> Yes, I use 'sudo tcpdump -i eth0', and I have skipped some LLDP messages
>>> as follows (as the squid3 machine is connected to a programmable
>>> switch):
>>
>>
>>>> Does Squid already have a cached copy of the URL object being used as a
>>>> test?
>>>
>>> There is nothing in access.log
>>
>>
>> I'm thinking it is probably something in the kernel security controls then.
>> SELinux can block interception because it is an MITM attack on the clients.
>> Also rp_filter can block the TCP connections in strange places and show up
>> like this. Did you restart the networking on the squid box after changing
>> sysctl.conf (/etc/init.d/networking restart)?
>>
>> Amos
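Both captures in this thread show the same symptom: the client's SYN is repeated with an identical sequence number a few seconds apart and no SYN-ACK ever comes back, so the handshake to the proxy port never completes. As an added example (not part of the thread, and not Squid's or the article's code), here is a small Python script that parses tcpdump lines of the shape shown above and reports, per client connection, how many SYNs were sent and whether the peer answered. The capture text embedded in it is constructed: the first two lines are modelled on the 10.0.0.x capture from the message at the top, and a made-up answered handshake is added for contrast.

```python
import re
from collections import defaultdict

# Shape of the IPv4/TCP lines tcpdump prints by default, e.g.
#   14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, ...
# The optional space before '>' tolerates the pasted lines in the thread that lost it.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+?) ?> (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?"
)

# Constructed sample capture (not from the thread verbatim): an unanswered,
# retransmitted SYN to the proxy port, an ARP line that must be ignored, and
# one made-up connection whose handshake completes.
SAMPLE_CAPTURE = """\
14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr 0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr 0,nop,wscale 6], length 0
14:04:55.100000 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 46
14:05:01.000000 IP 10.0.0.1.33090 > 10.0.0.10.3128: Flags [S], seq 777000111, win 5840, options [mss 1460,sackOK], length 0
14:05:01.000800 IP 10.0.0.10.3128 > 10.0.0.1.33090: Flags [S.], seq 990001234, ack 777000112, win 5792, options [mss 1460,sackOK], length 0
14:05:01.001200 IP 10.0.0.1.33090 > 10.0.0.10.3128: Flags [.], ack 1, win 92, length 0
"""


def _ts_seconds(ts):
    """Convert a HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(lines):
    """Return one dict per TCP line; ARP and other non-matching lines are skipped."""
    records = []
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "t": _ts_seconds(m.group("ts")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "flags": m.group("flags"),
            "seq": int(m.group("seq")) if m.group("seq") else None,
        })
    return records


def find_unanswered_syns(records):
    """Group SYNs by (src, dst, seq): the same seq seen again is a retransmission.
    A connection counts as answered once the peer sends a SYN-ACK (flags 'S.')."""
    syns = defaultdict(list)
    synacks = set()
    for r in records:
        if r["flags"] == "S":
            syns[(r["src"], r["dst"], r["seq"])].append(r["t"])
        elif r["flags"] == "S.":
            synacks.add((r["src"], r["dst"]))
    results = []
    for (src, dst, seq), times in syns.items():
        results.append({
            "src": src,
            "dst": dst,
            "dst_port": dst.rsplit(".", 1)[-1],
            "attempts": len(times),
            "span_seconds": round(max(times) - min(times), 3),
            "answered": (dst, src) in synacks,
        })
    return results


def diagnose(capture_text):
    """Split a capture dump into (unanswered, answered) connection summaries."""
    results = find_unanswered_syns(parse_tcpdump(capture_text.splitlines()))
    unanswered = [r for r in results if not r["answered"]]
    answered = [r for r in results if r["answered"]]
    return unanswered, answered


if __name__ == "__main__":
    bad, good = diagnose(SAMPLE_CAPTURE)
    for r in bad:
        print(f"no SYN-ACK: {r['src']} -> {r['dst']} (port {r['dst_port']}), "
              f"{r['attempts']} SYN(s) over {r['span_seconds']}s")
    for r in good:
        print(f"handshake ok: {r['src']} -> {r['dst']}")
```

Feed it the text of a `tcpdump -n -i br0 'tcp port 8080 or tcp port 3128'` run (`-n` keeps hosts and ports numeric, so the destination port can be read directly). A connection listed as unanswered on port 3128 tells you the redirect delivered the SYN but nothing on the proxy box replied, which is the point to check the listener and the local filter rules rather than the NAT rule.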