Hi list.. I have already posted my problem on the list before, but I'll try to put in more detail after a lot of research.

My problem is, I have a squidbox working as a tproxy, all works fine except for some clients that have a wireless router (TP-Link and another brand) sharing their connection.

My topology is:

  internet <----> squidbox (bridge) <----> mikrotik (pppoe-server) <-----> clients

squidbox under Debian lenny 5.0, kernel version 3.3.4, iptables 1.4.13, ebtables 2.0.10-4, squid 3.1

squidbox is the gateway, but I have tested without too.

In tcpdump I can see that the connection from the problematic client dies after the SYN/ACK, as below:

  06:17:49.782874 IP 177.x.x.182.41375 > 177.43.198.34.80: S 2780380743:2780380743(0) win 8192 <mss 1440,nop,nop,sackOK>
  06:17:49.782898 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>
  06:17:50.815675 IP 177.x.x.182.41372 > 74.125.234.73.80: S 3452097232:3452097232(0) win 8192 <mss 1440,nop,wscale 2,nop,nop,sackOK>
  06:17:50.815690 IP 74.125.234.73.80 > 177.x.x.182.41372: S 3646761972:3646761972(0) ack 3452097233 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
  06:17:50.929351 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>
  06:17:51.085337 arp who-has 177.x.x.182 tell 177.x.x.11
  06:17:51.086195 arp reply 177.x.x.182 is-at 00:27:19:d4:b4:27
  06:17:51.329317 IP 74.125.234.73.80 > 177.x.x.182.41372: S 3646761972:3646761972(0) ack 3452097233 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
  06:17:52.776117 IP 177.x.x.182.41375 > 177.43.198.34.80: S 2780380743:2780380743(0) win 8192 <mss 1440,nop,nop,sackOK>
  06:17:52.776130 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>
  06:17:52.929358 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>

177.x.x.182 is the client IP
177.x.x.11 is the squidbox IP

My config is:

  # policy routing: packets carrying fwmark 1 are looked up in table 100,
  # which delivers everything to the local stack (needed for TPROXY)
  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100

  # DIVERT chain: set the mark and accept (defined here; nothing below jumps to it)
  /sbin/iptables -v -t mangle -N DIVERT
  /sbin/iptables -v -t mangle -A DIVERT -j MARK --set-mark 1
  /sbin/iptables -v -t mangle -A DIVERT -j ACCEPT

  # send port-80 traffic to squid's tproxy port, marking it for table 100
  /sbin/iptables -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 5128

  # pull port-80 traffic out of the bridge path so it gets routed instead
  /usr/local/sbin/ebtables -t broute -A BROUTING -i eth4 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
  /usr/local/sbin/ebtables -t broute -A BROUTING -i eth3 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

  # turn off every bridge-netfilter call-in
  cd /proc/sys/net/bridge/
  for i in *
  do
      echo 0 > $i
  done
  unset i

  # relax reverse-path filtering and enable forwarding
  echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 1 > /proc/sys/net/ipv4/ip_forward

Hope someone can help.. I don't know how to track where the SYN/ACK is dying or getting dropped.
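An added example, not from the poster: a small parser for the old-style tcpdump lines shown above that groups packets per endpoint pair and flags flows where the server's SYN/ACK was (re)sent but no later packet ever followed, which is exactly the symptom reported. The sample input reuses one of the post's flows (client kept as 177.x.x.182) plus one constructed flow that completes its handshake, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: one stalled flow taken from the post, one made-up
# healthy flow (client 177.x.x.90, server 93.184.216.34) whose pure ACK arrives.
SAMPLE = """\
06:17:49.782874 IP 177.x.x.182.41375 > 177.43.198.34.80: S 2780380743:2780380743(0) win 8192 <mss 1440,nop,nop,sackOK>
06:17:49.782898 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>
06:17:50.929351 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>
06:17:51.085337 arp who-has 177.x.x.182 tell 177.x.x.11
06:17:52.776117 IP 177.x.x.182.41375 > 177.43.198.34.80: S 2780380743:2780380743(0) win 8192 <mss 1440,nop,nop,sackOK>
06:17:52.776130 IP 177.43.198.34.80 > 177.x.x.182.41375: S 4043086738:4043086738(0) ack 2780380744 win 14600 <mss 1460,nop,nop,sackOK>
06:18:01.100000 IP 177.x.x.90.50001 > 93.184.216.34.80: S 100:100(0) win 8192 <mss 1440,nop,nop,sackOK>
06:18:01.100020 IP 93.184.216.34.80 > 177.x.x.90.50001: S 200:200(0) ack 101 win 14600 <mss 1460,nop,nop,sackOK>
06:18:01.130000 IP 177.x.x.90.50001 > 93.184.216.34.80: . ack 1 win 8192
"""

# old tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+)(?P<rest>.*)$"
)

def parse_line(line):
    """Return the fields of one TCP line, or None for ARP and other non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["syn"] = "S" in d["flags"]      # SYN set in the flag field
    d["ack"] = " ack " in d["rest"]   # old format prints "ack N" after the seq range
    return d

def handshake_report(text):
    """Count SYN, SYN/ACK and any later packet per (endpoint, endpoint) pair."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "after": 0})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        f = flows[key]
        if p["syn"] and not p["ack"]:
            f["syn"] += 1
        elif p["syn"] and p["ack"]:
            f["synack"] += 1
        else:
            f["after"] += 1
    return dict(flows)

def stalled_flows(text):
    """Flows where a SYN/ACK was seen but nothing after it (handshake never completed)."""
    return {k: v for k, v in handshake_report(text).items()
            if v["synack"] >= 1 and v["after"] == 0}
```

Run it over a longer capture taken on both bridge ports of the squidbox; a flow that is stalled on one port but complete on the other tells you on which side of the box the third packet is lost.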