
Re: transparent proxy in squid3

On 06.03.2012 11:09, pplive wrote:
> Dear Amos,
>
> To see whether there was some internal firewall in my system, I
> tried a simpler topology, i.e.,
>
> Client (10.0.0.1) (eth0) -> (eth0) Squid3 (eth1) -> (eth0) Server (10.0.0.2)
>
> I just followed the settings in
>
> http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
>
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
>
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
> --ip-destination-port 8080 -j redirect --redirect-target ACCEPT

"ACCEPT" on the layer-2 bridging is to handle the packet entirely at that low layer.

It needs to be DROPed out of the bridging layer into the iptables layer handling before NAT can change the IP/port and routing can shift it to the INPUT path where Squid gets it.



> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
> --to-port 3128
>
> According to tcpdump, we can see the packets are forwarded to port 3128
> (I use wget 10.0.0.2:8080 at the client)
>
> 14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
> 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
> 0,nop,wscale 6], length 0
> 14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
> 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
> 0,nop,wscale 6], length 0
>
> Still, I am confused about using one NIC: how can I redirect the packets
> to port 3128?

NAT is a special system which can change packets on both the bridging and routing layers but does not itself make them change layer.

So what the above trace shows is that the arriving packets are NAT/NAPT changed as they flow through the bridge, but nothing else.


tcpdump gets packets before any of the iptables etc. handling is done to them. So it's useful to verify that the packets are arriving and/or leaving the NIC as expected, but not much help deciphering what is happening to them in the middle around where Squid sits.
We have to rely on ebtables/iptables LOG functionality for those bits.


I'm sorry I can't be of much more help. Beyond suggesting to try later versions of the software including kernel I've run out of ideas.

Amos
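As an added example, not taken from the thread and not Squid's own documentation, here is the poster's rule set with the change Amos asks for (ebtables DROP instead of ACCEPT) plus LOG rules to see what happens to the packet between the NIC and Squid. The interface names and ports are the poster's, the helper function names are mine, and nothing is executed unless APPLY=1; otherwise the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread: bridge interception as Amos describes it,
# with the BROUTING target changed from ACCEPT to DROP and LOG rules added.
# Names and ports are the poster's; commands are only printed unless APPLY=1.
BR=br0; IF_CLIENT=eth0; IF_SERVER=eth1
SVC_PORT=8080    # port the client connects to (wget 10.0.0.2:8080)
SQUID_PORT=3128  # Squid's intercept port (squid.conf: http_port 3128 intercept)

run() { if [ "${APPLY:-0}" = 1 ]; then eval "$1"; else printf '%s\n' "$1"; fi; }

# BROUTING decision: ACCEPT keeps the frame inside the layer-2 bridge, where
# iptables NAT and routing never get to hand it to Squid; DROP pushes it out of
# the bridge into the IP stack. --log-prefix attaches the ebtables log watcher
# so each brouted frame is visible in the kernel log.
brouting_rule() {
    printf 'ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port %s --log-prefix "brouted: " -j redirect --redirect-target DROP' "$1"
}

# NAT rule rewriting the destination port to Squid's port. No -i on purpose:
# a frame brouted with DROP is handed to the IP stack as if received on the
# physical port, so "-i br0" may never match; read the interface from the
# LOG lines first before restricting the rule to it.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s' "$1" "$2"
}

# LOG rules at the two points tcpdump cannot show: just before NAT (must be
# inserted ahead of the terminating REDIRECT) and on the INPUT path after
# NAT and routing, where Squid's listening socket lives.
trace_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j LOG --log-prefix "pre-nat: "\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "to-squid: "\n' "$2"
}

setup() {
    run "brctl addbr $BR"
    run "brctl addif $BR $IF_CLIENT"
    run "brctl addif $BR $IF_SERVER"
    run "ip link set $BR up"
    run "$(brouting_rule "$SVC_PORT")"
    trace_rules "$SVC_PORT" "$SQUID_PORT" | while IFS= read -r cmd; do run "$cmd"; done
    run "$(redirect_rule "$SVC_PORT" "$SQUID_PORT")"
}

setup   # "APPLY=1 sh bridge-squid.sh" applies the rules; otherwise they are listed
```

After applying, `dmesg` should show a "brouted:" line, then "pre-nat:", then "to-squid:" for the same connection; the point where the prefix stops appearing is where the packet is being lost.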

