
RE: Linux + TPROXY + Remote Squid

On 30.05.2012 01:49, Thomas York wrote:
Is any more information needed?

-- Thomas York

-----Original Message-----
From: Thomas York
Sent: Friday, May 25, 2012 1:37 PM

I forgot one detail. I have an iptables rule BEFORE the PREROUTING
divert/tproxy iptables rules on the router. I added an accept so that HTTP
traffic from the proxy doesn't get tagged and rerouted to the proxy.

Here's the rule set I have for the firewall

# DIVERT chain: mark the packet and stop processing in this table
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# exempt traffic sourced from the router/firewall itself
iptables -t mangle -A PREROUTING -s 10.0.1.1 -j ACCEPT
# packets that already belong to a local socket only need the mark
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# new port 80 connections: transparent redirect to port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

With Squid listening on localhost port 3129 to receive the packets sent to 0.0.0.0:3129 and [::]:3129?

When the router is a different box to the Squid you should do all this with plain old routing and marking/tagging (no TPROXY) on the router.


-----Original Message-----
From: Thomas York
Sent: Friday, May 25, 2012 1:32 PM

No. The router has three interfaces. One goes to the internet and has a default
route. I am running NAT on this interface so that the firewall, proxy and
clients can reach the internet. The second is a single /24 network
(10.0.1.0/24) that has only the proxy and the firewall on it. The third is a
single /24 (10.1.1.0/24) that has a single Windows 7 client on it for
generating HTTP requests and testing. I'm tagging the packets on the firewall
and running them through a separate routing table, which sends the packets to
the proxy (without NAT-ing). The proxy and the firewall see the routed packets
perfectly fine. I'm not doing any kind of iptables rules on the proxy, however.

This is the problem. TPROXY rules are iptables rules that are supposed to be on the proxy machine *only*. Outside that proxy box all packets have client and Internet destination IP addresses and get routed.

NIC flow in/out or MAC address is best to identify which stage of the flow the packets are at and how to tag/handle them in the routers. It may require several tags at the router: for packets direct from the client or the Internet, and for packets that have already been via the Squid/proxy box.
OR just routing based on the NIC they were received on...


ie, Router config logic:
  if in NIC (from client):   tag for routing and send to Squid box as gateway
  if in NIC (from Internet): tag for routing and send to Squid box as gateway
  if in NIC (from Squid):    handle as if Squid did not exist: send to normal IP destination on packet


Amos
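The split described above, written out as an added example (this is not code from the thread or from the Squid project): the router does plain policy routing keyed on the ingress NIC and carries no TPROXY rules, while the DIVERT/TPROXY rules from the original post live on the Squid box only. Interface names, the proxy address 10.0.1.2, the mark value 1 and routing table 100 are assumptions made for the example. By default the script prints the commands; run it with `RUN=` in the environment to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: the two-box layout Amos describes.
# Router side: plain policy routing keyed on the ingress NIC, no TPROXY at all.
# Proxy side: the DIVERT/TPROXY rules, which belong on the Squid box only.
# Interface names, the proxy address, the mark value and the table number are
# assumptions made for this example; adjust them to the real topology.
set -eu

RUN="${RUN-echo}"     # prints commands by default; run with RUN= to apply them

WAN_IF=eth0           # default route + NAT to the Internet
PROXY_IF=eth1         # 10.0.1.0/24: only the router (10.0.1.1) and the proxy
LAN_IF=eth2           # 10.1.1.0/24: the Windows 7 test client
PROXY_IP=10.0.1.2     # assumed address of the Squid box
MARK=1
TABLE=100
TPROXY_PORT=3129      # assumes squid.conf has: http_port 3129 tproxy

# Router (10.0.1.1): decide by ingress NIC which leg of the flow a packet is on.
router_rules() {
    # Leg 1: client -> Internet. Port 80 arriving from the LAN is marked so the
    # policy route below hands it to the Squid box as next hop, destination
    # address untouched (no NAT towards the proxy).
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    # Leg 2: Internet -> client. Squid's client-spoofed (TPROXY) connection was
    # NATed on the WAN side; replies with source port 80 must go back via Squid,
    # not straight to the client, or Squid's socket never sees them.
    $RUN iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --sport 80 \
        -j MARK --set-mark "$MARK"
    # Leg 3: anything arriving on the proxy NIC is left unmarked and follows
    # the main table, i.e. it is handled as if Squid did not exist.
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
    $RUN ip route add default via "$PROXY_IP" dev "$PROXY_IF" table "$TABLE"
    # Existing NAT for the Internet leg; Squid's spoofed client sources are
    # masqueraded like any other LAN address.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Squid box: the only place the TPROXY target and the socket match belong.
proxy_rules() {
    # DIVERT: packets that already belong to a local transparent socket
    # (server replies for a connection Squid opened) only need the mark.
    $RUN iptables -t mangle -N DIVERT
    $RUN iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    $RUN iptables -t mangle -A DIVERT -j ACCEPT
    $RUN iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New client connections: redirect to the tproxy http_port without
    # rewriting the packet's addresses.
    $RUN iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
    # Marked packets are delivered locally even though their destination
    # address is not ours; this is what lets the TPROXY socket receive them.
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
    $RUN ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

case "${1:-all}" in
    router) router_rules ;;
    proxy)  proxy_rules ;;
    all)    router_rules; proxy_rules ;;
    *)      echo "usage: $0 [router|proxy|all]" >&2; exit 1 ;;
esac
```

Two caveats a practitioner should check before copying this: the return-path mark on the WAN interface is keyed on source port 80 only, so it covers exactly the traffic the forward rule intercepts and nothing else (a CONNMARK restore is the usual generalisation if more ports are intercepted), and the router's own locally generated traffic never traverses PREROUTING, which is why no `-s 10.0.1.1 -j ACCEPT` exemption is needed here.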

