Re: Not routing from tproxy to internet

On 6/02/2013 1:02 a.m., Paris Charalampou wrote:
Hi,

I have the following problem while trying to setup a squid in tproxy
mode for a centralized solution. Our topology is:

client -> R1 -> squid -> R1 -> Internet

Note that the server uses a public IP address which is the same for incoming
and outgoing connections.

Note that TPROXY hides the Squid server from both client and Internet servers, so its IP is irrelevant here. Case in point: its receiving IP is 127.0.0.1 in your configuration (how could clients or servers send/receive traffic directly to another machine's 127.0.0.1?).

I am using squid 3.2.6 [tried 3.2.7 without luck] on Debian Wheezy with
Linux kernel 3.2 and iptables 1.4.14.

Squid.conf
--
workers 1
debug_options ALL,4

client_db off

http_port 80 tproxy

80 is not a good port for this. Make it something random and firewall REJECT all external traffic to that port in the mangle table. That will prevent some traffic loops caused by external routing, and several types of malicious attacks.

http_port 8080
icp_port  0


iptables
---
iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -i lo -j ACCEPT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -s <server_ip_address> -j ACCEPT
iptables -t mangle -A PREROUTING -i lo -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port 80


Do I have to use WCCP on the router standing between the proxy and the
internet??

No. WCCP is separate to TPROXY. Why do you ask? Is it involved elsewhere?

I cannot route the packets from the proxy to the edge router,
while I can see incoming HTTP packets from the clients. All incoming
connections time out while waiting for the reply from the destination server.

Why not? Route all packets normally on the Squid box as if it were a simple relay. The TPROXY rules above are the only abnormal part.

PS. Take care that rp_filter and similar filtering limitations permit the Squid box to emit packets from external machines' IPs.

Amos
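As an added example (not code from the thread, and not Squid's own), here is the full host-side setup that the posted rules are aiming at, in the shell it would be typed into: the standard Squid TPROXY recipe for Linux (the mangle DIVERT chain plus the fwmark policy route, which the rules posted above do not show), with Amos's two points folded in: a random listener port that is closed to outside traffic before any other PREROUTING rule looks at the packet, and rp_filter relaxed so the box may emit packets carrying clients' source addresses. Port 3129, interface eth0 and routing table 100 are assumed values. By default the script prints the plan instead of applying it; APPLY=1 executes the commands as root.

```shell
#!/bin/sh
# Added example, not code from the thread: TPROXY host setup for Squid on
# Linux, following the standard Squid TPROXY recipe plus the two points
# raised in the reply above. Hypothetical values: listener port 3129,
# interface eth0, policy-routing table 100.
set -eu

TPROXY_PORT="${TPROXY_PORT:-3129}"   # random high port instead of 80 (assumption)
IFACE="${IFACE:-eth0}"               # interface facing R1 (assumption)
TABLE="${TABLE:-100}"                # routing table for marked packets (assumption)

# Dry run by default: print each command instead of executing it, so the
# plan can be reviewed (and tested) without root or a live network.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# 1. Let the box forward, and stop reverse-path filtering from discarding
#    the packets Squid sends with the *client's* source address (the PS above).
tproxy_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.default.rp_filter=0
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=0"
}

# 2. Policy routing: packets carrying fwmark 1 are delivered locally even
#    though their destination IP is not one of ours. Without this step the
#    marked packets are simply forwarded and never reach Squid's socket.
tproxy_routing() {
    run ip rule add fwmark 1 lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# 3. mangle rules. Order matters: the listener port is closed to everything
#    that did not originate on this box *before* any rule that could match
#    it (DROP rather than REJECT, because REJECT is not valid in PREROUTING),
#    then packets belonging to existing sockets are re-marked, then new
#    port-80 flows are diverted into the transparent listener.
tproxy_iptables() {
    run iptables -t mangle -F
    run iptables -t mangle -X DIVERT 2>/dev/null || true
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING ! -i lo -p tcp --dport "$TPROXY_PORT" -j DROP
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"
}

tproxy_setup() {
    tproxy_sysctl
    tproxy_routing
    tproxy_iptables
}

# Stand-alone: print the plan (or, with APPLY=1, apply it).
tproxy_setup
```

Pair this with `http_port 3129 tproxy` in squid.conf in place of `http_port 80 tproxy`. After applying, `ip rule show` should list the fwmark rule and `iptables -t mangle -L PREROUTING -n` should show the DROP for the listener port ahead of the `socket` and `TPROXY` rules.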
