On 28/05/2013 8:11 p.m., Amm wrote:
________________________________
From: alvarogp <alvarix.gp@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Sent: Tuesday, 28 May 2013 1:28 PM
Subject: Re: TPROXY
alvarogp wrote
Hello,
I have the following configuration:
- Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
- IPtables 1.4.12
- Squid 3.3.4 with Tproxy
With Iptables I have configured the proxy to forward the traffic from the
local LAN (eth0) to the outside world (eth1). The configuration is:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
To configure and install Tproxy I have followed the tutorial described in
the wiki:
./configure --enable-linux-netfilter
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
For squid.conf, I have kept the default configuration, adding to it:
http_port 3128
http_port 3129 tproxy
If Squid is running, the packets from the local LAN are routed correctly
and the web pages are shown perfectly. The problem I have is that these
accesses are not reflected in the access.log and cache.log, so could it be
that Squid is not caching any cacheable content?
I have had the exact same problem when I was trying TPROXY with a similar
configuration.
Squid would route packets but not LOG anything in the access log.
If I stop Squid then clients can't access any website. (This indicates that
packets are indeed routing through Squid.)
access.log would indicate that none of them are actually making it to
the Squid process.
Perhaps the Ubuntu kernel version has a bug which makes the packets
work when *some* process is listening on the required port, but the
packets are actually not getting there.
Or perhaps the TCP packets are sending the HTTP request through Squid and
Squid is relaying it, but the response is not going back to Squid (direct back
to the client). In that event Squid would wait for some time (read/write
timeouts are 15 minutes long) before logging the failed HTTP
transaction. That could be caused by some bad configuration on a router
outside of the Squid machine.
Amos
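Added diagnostic, not part of the thread above and not Squid's own code. The posted rule set marks port-80 TCP with 0x1 via the TPROXY target but does not show the two policy-routing lines that the Squid wiki's TPROXY example also contains (ip rule add fwmark 1 lookup 100; ip route add local default dev lo table 100). Without them the kernel still forwards a marked packet out eth1 via MASQUERADE, so pages load and Squid never sees the connection; with Squid stopped the TPROXY target finds no listening socket and drops the packet, so clients lose access, which is exactly the pair of symptoms reported. The script below reads the output of three commands run on the proxy box (iptables -t mangle -L PREROUTING -v -n -x, ip rule show, ip route show table N) and classifies the data path from the rule counters and routing state. Table number 100 is an assumption taken from the wiki example, and the command outputs embedded at the bottom are constructed samples, not real captures. It cannot detect the other hypothesis raised in the thread (replies bypassing Squid on the return path); for that, watch for Squid logging the transaction only after the read/write timeout.

```python
import re

MARK = 0x1      # the --tproxy-mark 0x1/0x1 used in the thread's rule set
TABLE = "100"   # ASSUMPTION: table number from the Squid wiki example; any number works
                # as long as `ip rule` and `ip route` agree on it.

# The two lines the posted configuration does not show.  They make a packet that
# TPROXY marked 0x1 route to the local stack (and so to the socket TPROXY chose)
# instead of being forwarded out eth1:
#   ip -f inet rule add fwmark 1 lookup 100
#   ip -f inet route add local default dev lo table 100


def chain_counters(mangle_listing):
    """Sum the packet counter per target in `iptables -t mangle -L PREROUTING -v -n -x`
    output.  The 'Chain ...' and 'pkts bytes target ...' header lines do not start
    with a number and are skipped."""
    counts = {}
    for line in mangle_listing.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+(\S+)\s", line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


def fwmark_table(ip_rule_listing, mark=MARK):
    """Return the table that `ip rule show` sends packets carrying `mark` to, or None."""
    for line in ip_rule_listing.splitlines():
        m = re.search(r"fwmark\s+(0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+lookup\s+(\S+)", line)
        if m and int(m.group(1), 0) == mark:
            return m.group(2)
    return None


def has_local_default(route_listing):
    """True if `ip route show table N` contains the local-delivery catch-all route."""
    return any(re.match(r"\s*local\s+(default|0\.0\.0\.0/0)\s+dev\s+lo\b", l)
               for l in route_listing.splitlines())


def diagnose(mangle_listing, ip_rule_listing, routes_by_table):
    """Classify the TPROXY data path from the three command outputs."""
    c = chain_counters(mangle_listing)
    tproxy, divert = c.get("TPROXY", 0), c.get("DIVERT", 0)
    if tproxy == 0:
        # Port-80 traffic never reaches the rule: wrong interface, or the
        # clients are not actually routing through this box.
        return "no-match"
    table = fwmark_table(ip_rule_listing)
    if table is None or not has_local_default(routes_by_table.get(table, "")):
        # The thread's symptom: TPROXY matches and accepts, but nothing routes the
        # marked packet to the local stack, so it is forwarded and Squid logs nothing.
        return "not-delivered-locally"
    if divert == 0:
        # Routing is in place but `-m socket` never matched an existing socket,
        # so Squid never accepted a connection.
        return "no-established-flows"
    return "delivered"


# --- constructed sample outputs (not real captures) ---------------------------
def mangle_listing(divert_pkts, tproxy_pkts):
    """Build a constructed `iptables -t mangle -L PREROUTING -v -n -x` listing."""
    return (
        "Chain PREROUTING (policy ACCEPT 9214 packets, 1180233 bytes)\n"
        "    pkts      bytes target     prot opt in     out     source               destination\n"
        f"{divert_pkts:8d} {divert_pkts * 64:9d} DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket\n"
        f"{tproxy_pkts:8d} {tproxy_pkts * 60:9d} TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1\n"
    )

IP_RULE_BROKEN = "0:\tfrom all lookup local\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n"
IP_RULE_FIXED = ("0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n"
                 "32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n")
ROUTES_FIXED = {TABLE: "local default dev lo scope host\n"}

if __name__ == "__main__":
    # As posted in the thread: TPROXY counter climbing, DIVERT at zero, no fwmark rule.
    print("as posted :", diagnose(mangle_listing(0, 812), IP_RULE_BROKEN, {}))
    # After adding the ip rule / ip route lines and letting traffic flow.
    print("with route:", diagnose(mangle_listing(1532, 812), IP_RULE_FIXED, ROUTES_FIXED))
```

Run it with the real outputs substituted for the constructed strings; a rising TPROXY counter together with a DIVERT counter stuck at zero is the quickest tell that marked packets are being forwarded rather than handed to Squid.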