I forgot one detail. I have an iptables rule BEFORE the PREROUTING divert/tproxy iptables rules on the router. I added an accept so that HTTP traffic from the proxy doesn't get tagged and rerouted to the proxy. Here's the rule set I have for the firewall:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -s 10.0.1.1 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

-- Thomas York

-----Original Message-----
From: Thomas York [mailto:straterra@xxxxxxxxxx]
Sent: Friday, May 25, 2012 1:32 PM
To: 'Giles Coochey'; squid-users@xxxxxxxxxxxxxxx
Subject: RE: Linux + TPROXY + Remote Squid

No. The router has three interfaces. One goes to the internet and has a default route. I am running NAT on this interface so that the firewall, proxy and clients can reach the internet. The second is a single /24 network (10.0.1.0/24) that has only the proxy and the firewall on it. The third is a single /24 (10.1.1.0/24) that has a single Windows 7 client on it for generating HTTP requests and testing.

I'm tagging the packets on the firewall and running them through a separate routing table, which sends the packets to the proxy (without NAT-ing). The proxy and the firewall see the routed packets perfectly fine. I'm not doing any kind of iptables rules on the proxy, however.

-----Original Message-----
From: Giles Coochey [mailto:giles@xxxxxxxxxxx]
Sent: Friday, May 25, 2012 11:12 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Linux + TPROXY + Remote Squid

On 25/05/2012 15:35, Thomas York wrote:
> I have a lab environment set up using two Debian Wheezy servers (Squeeze
> doesn't have a new enough kernel or iptables to do TPROXY properly). One of
> the servers is a router and the other is a proxy server. There are several
> clients connected to the router to simulate a production routing
> environment. If I have both the TPROXY redirection and Squid on the same
> server, Squid handles the requests and everything works perfectly. However,
> this isn't how I want the proxy to be configured in our production
> environment. I've changed my iptables rules on the router to redirect all
> tagged 1 packets to the proxy server. This is working perfectly fine and I
> can see the data being routed to the proxy server using tcpdump on both the
> router and the proxy. However, Squid on the proxy server doesn't seem to
> 'see' the data being routed and doesn't do anything with it. I have
> "http_port 3129 tproxy" set on the proxy server. Is there anything special I
> need to do using iptables on the proxy server?
>
> Both servers are running kernel 3.2.0-2-amd64 and iptables 1.4.13 from
> Wheezy and the Squid being used on the proxy is 3.1.19. If any more
> information is needed, please just let me know and I'd be happy to supply
> it. Thanks.
>
> --Thomas York

Are you Source-NAT'ing the redirect from the Router?
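The two-host layout discussed in this thread (marking on the router, Squid with "http_port 3129 tproxy" on a separate box), written out as an added example; this is not code from any of the posters or from the Squid project. It assumes the proxy is 10.0.1.1 (the address in the quoted rule set), that the router's interface towards the proxy LAN is eth1 and the proxy's ingress interface is eth0, and that policy-routing table 100 is unused; all of those are overridable through environment variables. The router half marks client port-80 traffic and policy-routes it to the proxy without NAT; the proxy half is the kernel-side setup that makes packets addressed to remote web servers land on the local Squid socket instead of being forwarded. Run as `DRY_RUN=0 sh tproxy-lab.sh router` on the router and `DRY_RUN=0 sh tproxy-lab.sh proxy` on the Squid host; without arguments it only prints both command sets.

```shell
#!/bin/sh
# Added example for the "Linux + TPROXY + Remote Squid" thread; not code from
# the posters or from the Squid project. Assumed values: proxy 10.0.1.1 (the
# address in the quoted rule set), router interface eth1 facing the proxy LAN,
# proxy ingress interface eth0, policy-routing table 100.
# Usage: DRY_RUN=0 sh tproxy-lab.sh router   (on the router)
#        DRY_RUN=0 sh tproxy-lab.sh proxy    (on the Squid host)
#        sh tproxy-lab.sh                    (print both command sets only)

PROXY_IP="${PROXY_IP:-10.0.1.1}"        # Squid host, from the quoted rules
PROXY_IF="${PROXY_IF:-eth1}"            # assumed router interface towards proxy
PROXY_IN_IF="${PROXY_IN_IF:-eth0}"      # assumed ingress interface on the proxy
TPROXY_PORT="${TPROXY_PORT:-3129}"      # matches "http_port 3129 tproxy"
MARK=1                                  # fwmark used on both hosts (0x1/0x1)
TABLE="${TABLE:-100}"                   # assumed policy-routing table id
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute them

# run: execute a command, or print it on one line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# router_rules: mark port-80 flows from the clients and send marked packets
# through a table whose only route points at the proxy. Packets arriving from
# the proxy LAN are accepted first and never marked: Squid in tproxy mode opens
# its upstream connections with the client's source address, so a match on the
# proxy's own address (-s PROXY_IP) would not recognise that traffic and it
# would be steered back to the proxy in a loop. Matching the inbound interface
# does not depend on the source address.
router_rules() {
    run iptables -t mangle -A PREROUTING -i "$PROXY_IF" -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$PROXY_IP" table "$TABLE"
    run sysctl -w net.ipv4.ip_forward=1
}

# proxy_rules: the kernel-side half of TPROXY. The socket match catches later
# packets of connections Squid already owns; the TPROXY target marks new
# port-80 packets and steers them to the Squid port; the fwmark rule plus the
# "local" route on lo make the kernel deliver packets with foreign destination
# addresses to the local socket instead of forwarding them. Reverse-path
# filtering must be off because those destinations are not local routes; the
# kernel uses the larger of the "all" and per-interface values, so both are
# cleared.
proxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$PROXY_IN_IF.rp_filter=0"
}

case "${1-}" in
    router) router_rules ;;
    proxy)  proxy_rules ;;
    *)      echo "# router:"; router_rules; echo "# proxy:"; proxy_rules ;;
esac
```

The proxy-side rules are the part that is easy to overlook when the router and Squid are split: the router's job ends once the packet reaches the proxy host, and from that host's point of view it is just a packet for some Internet address that would normally be forwarded. Only the socket/TPROXY rules together with the fwmark rule and the local route on lo make the kernel hand it to the listening Squid socket. Keeping the script in dry-run mode by default lets the generated command list be reviewed (or diffed against a running ruleset with `iptables -t mangle -S` and `ip rule show`) before anything is applied.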