On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
Please find below the network topology, squid.conf and rc.local
configuration files. It appears that squid is not routing the
http requests. I am not sure what I am doing wrong here.
Please note, the same squid.conf works as a transparent proxy (non
tproxy), with the exception of the tproxy keyword and service changes.
Thanks in advance,
                                         WAN
                                          ||
                                          ||
            wccp/gre tunnel               ||
squid 3.3 ============================ Fortigate FW/RT   Int ip 1: 192.168.8.1
ip: 192.168.8.21                          ||             Int ip 2: 192.168.11.1
                                          ||             Ext ip:   XX.XX.XXX.24
                                          ||
                                   WLAN Router   Int. ip 192.168.11.32   Ext. ip 192.168.7.1
                                          ||
                                          ||
                                   Client Workstation 192.168.7.110
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# GRE Tunnel :
echo "Loading modules.."
# TPROXY target and socket/mark matches for iptables, plus GRE for the WCCP tunnel
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
LOCALIP="192.168.8.21"      # this squid box
FORTIDIRIP="192.168.8.1"    # Fortigate internal interface 1 (tunnel peer)
FORTIIPID="XX.XX.XXX.254"
echo "changing routing and reverse path stuff.."
# disable reverse-path filtering on the loopback interface only
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
What about rp_filter on eth0 where the traffic is actually exiting the Squid
box?
Could you elaborate on this?
What rp_filter does is prevent packets from local software using that
interface from using IP addresses that do not belong to that box.
The purpose of TPROXY is to spoof the _client's_ IP address on
outgoing traffic, which does not leave the machine on lo, but through
eth0 or some other interface.
Amos
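A check for the point Amos raises, added here as an example and not part of the thread: the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter to each interface, so this script finds the interface a destination would actually leave on and reports whether reverse-path filtering is still effective there. It assumes the Linux /proc sysctl layout and iproute2's "ip route get"; the TPROXY_DEST variable and all function names are this example's own.

```shell
#!/bin/sh
# rp_filter values (Documentation/networking/ip-sysctl.txt): 0 = off, 1 = strict, 2 = loose.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for each interface,
# so clearing it on lo alone does nothing for spoofed-source packets leaving on eth0.

# Emit "<iface> <value>" for every interface the kernel knows about (Linux /proc layout assumed).
read_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        iface=${f#/proc/sys/net/ipv4/conf/}
        printf '%s %s\n' "${iface%/rp_filter}" "$(cat "$f")"
    done
}

# Interface the kernel would use to reach $1, i.e. where TPROXY's spoofed-source packets exit
# (assumes iproute2's "ip route get").
egress_iface() {
    ip -o route get "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Pure check, usable offline: reads "<iface> <value>" lines on stdin and prints one line if the
# effective rp_filter on the egress interface $1 is non-zero (nothing printed means it is off).
rp_filter_offenders() {
    awk -v egress="$1" '
        { v[$1] = $2 + 0 }
        END {
            eff = v[egress]
            if (v["all"] > eff) eff = v["all"]
            if (eff != 0)
                printf "%s effective rp_filter=%d (all=%d, %s=%d)\n", egress, eff, v["all"], egress, v[egress]
        }'
}

# Live check: TPROXY_DEST=<an address beyond the Fortigate> sh rp_filter_check.sh
check_tproxy_egress() {
    dev=$(egress_iface "$1")
    [ -n "$dev" ] || { echo "no route to $1" >&2; return 2; }
    out=$(read_rp_filter | rp_filter_offenders "$dev")
    if [ -n "$out" ]; then
        echo "spoofed client addresses will be dropped: $out"
        echo "fix: sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.$dev.rp_filter=0"
        return 1
    fi
    echo "rp_filter is off on egress interface $dev"
}

if [ -n "${TPROXY_DEST:-}" ]; then check_tproxy_egress "$TPROXY_DEST"; fi
```

The second case in the check matters in practice: an interface value of 0 is not enough while conf/all/rp_filter is still 1.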