
Re: Tproxy 3.1 problem

[Re-posting to clean up the NASTY quoting by Daniel's mailer.]


First, Daniel Echizen wrote:

Hi,
I've been facing a weird problem with tproxy for a few weeks. The problem is,
all works fine except for clients that are behind a TP-Link router (and
another one that I don't remember, but mostly TP-Link WR541G routers). If I
remove the iptables mangle redirect rule, the client has traffic; if I enable
it, not. I don't speak English very well, so I hope someone can understand
and help me. This is a server with 1000+ clients, and I'm getting very
frustrated with this problem.

my config:

# policy routing: packets carrying fwmark 1 are delivered locally via table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# DIVERT chain: mark packets that already belong to a local (tproxy) socket
/sbin/iptables -v -t mangle -N DIVERT
/sbin/iptables -v -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -v -t mangle -A DIVERT -j ACCEPT
/sbin/iptables -v -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# new port-80 connections are handed to the tproxy listener on port 5128
/sbin/iptables -v -t mangle -A PREROUTING -p tcp --dport 80 \
    -j TPROXY --tproxy-mark 0x1/0x1 --on-port 5128 2>&1

# pull port-80 frames out of the bridge path so they are routed
# (DROP in the broute table means "route", not "discard")
/usr/local/sbin/ebtables -t broute -A BROUTING -i eth5 -p ipv4 \
    --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
/usr/local/sbin/ebtables -t broute -A BROUTING -i eth3 -p ipv4 \
    --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# stop bridged frames from being passed through iptables/ip6tables/arptables
cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > "$i"
done
unset i

# tproxy replies come from non-local addresses, so reverse-path filtering must be off
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward


I have 2 interfaces in a bridge, as I said. All working fine, except with
these TP-Link routers.
I also have logging in the iptables mangle table, and there I can see traffic
from the client router, but the traffic can't reach Squid; in access.log I
get nothing.
I use a MikroTik as PPPoE server. My network is:

router <-> squidbox <-> mikrotik <-> clients



Then, Amos Jeffries wrote:
With Squid inline on a bridge like this there should be *no* Squid-related
configuration outside the Squid box.

Is the TP-Link being used as "router" or "squidbox" in that diagram?

What kernel and iptables version is the squidbox? Some of the older
2.6.3x kernels have bridge+tproxy problems.


Amos





On 02/05/2012 19:08, Daniel Echizen wrote:

I got some more info. The connection from the client TP-Link doesn't answer
the SYN,ACK in tshark: I can see SYN -> | ACK <- | SYN,ACK ->, but the
final ACK from the client doesn't arrive.
I upgraded the kernel to 3.3.4 and iptables to 1.4.13. All works fine
except for the problem with the TP-Link wireless router.
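The symptom described above (SYN and SYN/ACK present on the wire, the client's final ACK missing) is easiest to confirm across many clients from a capture on the bridge rather than by eye. The script below is an added example written for this page, not code from the thread or from Squid; it assumes the line format of `tcpdump -nn` and tracks each flow as a small handshake state machine, then groups the flows stuck after SYN/ACK by client address. The sample lines are constructed, with TEST-NET addresses and made-up ports.

```python
"""Find TCP three-way handshakes that never complete in tcpdump -nn output.

Added example for this thread, not code from the original posts. Flows are
keyed from the client's point of view (the side that sent the SYN). A flow
that reaches 'synack' but never 'established' is the symptom reported above.
"""
import re
from collections import defaultdict

# One tcpdump -nn line, e.g.
#   12:00:01.000000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(lines):
    """Yield dicts for lines that look like tcpdump TCP records; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def handshake_states(lines):
    """Return {(client, cport, server, sport): state}.

    state is 'syn' (only the client SYN seen), 'synack' (server replied,
    client ACK still missing) or 'established' (client ACKed the SYN/ACK).
    Ports are kept as the strings tcpdump printed.
    """
    states = {}
    for p in parse(lines):
        flags = p["flags"]
        if flags == "S":                      # client SYN (retransmits keep state)
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            states.setdefault(key, "syn")
        elif flags == "S.":                   # server SYN/ACK: key from client side
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if states.get(key) == "syn":
                states[key] = "synack"
        elif "." in flags and "R" not in flags:  # ACK, PSH-ACK, FIN-ACK from client
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if states.get(key) == "synack":
                states[key] = "established"
    return states


def incomplete_handshakes(lines):
    """Flows that got a SYN/ACK but no client ACK, grouped by client IP."""
    stuck = defaultdict(list)
    for (client, cport, server, sport), state in handshake_states(lines).items():
        if state == "synack":
            stuck[client].append((cport, server, sport))
    return dict(stuck)


# Constructed sample capture: 10.0.0.5 completes its handshake, 10.0.0.9
# gets a SYN/ACK twice but never sends the final ACK.
SAMPLE = """\
12:00:01.000000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.001000 IP 192.0.2.10.80 > 10.0.0.5.40000: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:01.002000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [.], ack 101, win 64240, length 0
12:00:02.000000 IP 10.0.0.9.51000 > 192.0.2.10.80: Flags [S], seq 5, win 5840, length 0
12:00:02.001000 IP 192.0.2.10.80 > 10.0.0.9.51000: Flags [S.], seq 200, ack 6, win 65535, length 0
12:00:05.000000 IP 10.0.0.9.51000 > 192.0.2.10.80: Flags [S], seq 5, win 5840, length 0
12:00:05.001000 IP 192.0.2.10.80 > 10.0.0.9.51000: Flags [S.], seq 200, ack 6, win 65535, length 0
""".splitlines()


if __name__ == "__main__":
    for client, flows in incomplete_handshakes(SAMPLE).items():
        print(f"{client}: {len(flows)} flow(s) stuck after SYN/ACK: {flows}")
```

Run it against a real capture with `tcpdump -nn -i br0 'tcp port 80' | python3 handshakes.py` after replacing `SAMPLE` with `sys.stdin`; a client IP that shows up only in the stuck list, while others complete, narrows the fault to that client's path rather than to the tproxy rules.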


On 03.05.2012 07:06, Eliezer Croitoru wrote:
For how many clients are you having the problem?

What Linux distribution are you using for the proxy? I remember that I
had a similar problem with tproxy (not TP-Link specific) on CentOS and
Fedora.

Is there a specific reason for the "2>&1" in the tproxy mark rule?
Is port 5128 the port for tproxy?

Are there any other routing tables on the machine?

Have you tried to connect a machine directly to the squidbox switch
and use it as a default gateway?

Eliezer



