On 30/06/2013 7:37 p.m., z fazli wrote:
>> When you type "hostname" on the command line of that server what shows up?
> localhost.localdomain
> I am using a virtual machine, and its network setting is in bridge
> mode. Squid transparent mode works with this hostname.
>> 1) how you are testing it... you MUST test it by being a client which
>> is intercepted. Send your requests to port 80, *do not* send requests
>> directly to the Squid listening port.
> for testing, in the proxy settings of Firefox, set http_proxy to
> 10.1.110.83 and port 3129
> when I set the port to 80, I can browse pages without error but the log file
> does not change; it seems Squid is not doing anything.
When you configure Firefox with port 3129 (the TPROXY port), the packet
destination IP:port is 10.1.110.83:3129. Squid receiving these packets
accepts the request and relays it to 10.1.110.83:3129 ... Squid on
receiving these packets accepts the request and sends it to .. HALT.
forwarding loop error.
See the problem?
You must test with firefox going directly to the test website on its
port 80. If your routing and TPROXY rules are not even capturing your
test traffic properly they are not going to work for any of your real
clients' traffic either.
>> 2. the packet routing and TPROXY rules .... ensure that only traffic
>> *from* the clients or *from* the Internet is being intercepted.
>> Packets leaving Squid in either direction MUST NOT be intercepted back
>> into your Squid
> I used these rules:
> # DIVERT: mark the packet so the fwmark policy route delivers it locally
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> # packets belonging to a socket Squid already owns (e.g. replies) go to DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> # new port-80 connections are handed to the TPROXY listener on 3129
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>     --tproxy-mark 0x1/0x1 --on-port 3129
That looks okay for the iptables rules sending packets to Squid once they
enter the machine. However there are routing, forwarding, RP filter, and
maybe bridge (ebtables) rules as well for passing the packets around
between machines.
Amos
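The "routing, forwarding, RP filter" plumbing the reply says is missing, and the "only intercept traffic from the clients" guard from point 2, written out as one script. This is an added example, not code from the thread or from the Squid project. It assumes the Squid host is a router with a client-facing interface (hypothetical name eth0, overridable via LAN_IF), Squid's TPROXY port 3129 as in the thread, fwmark 1 and routing table 100; the extra `-i "$LAN_IF"` on the TPROXY rule is the added guard, and the bridged (ebtables) case is not covered. DRY_RUN=1 prints the commands instead of running them, and two self-check functions inspect the generated rule set.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): full TPROXY
# plumbing for a Squid host routing between a LAN and the Internet.
# Assumptions: TPROXY port 3129, fwmark 1, routing table 100, client-facing
# interface LAN_IF (hypothetical default eth0). Bridge/ebtables not covered.
# DRY_RUN=1 prints each command instead of executing it (no root needed).

DRY_RUN="${DRY_RUN:-0}"
LAN_IF="${LAN_IF:-eth0}"
TPROXY_PORT="${TPROXY_PORT:-3129}"
MARK=1
TABLE=100

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

tproxy_routing() {
    # Marked packets carry a foreign destination IP; this policy route makes
    # the kernel deliver them to the local stack (i.e. to Squid) anyway.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

tproxy_sysctl() {
    # The host must forward between the two sides, and reverse-path filtering
    # must be off or the spoofed-source packets Squid emits are dropped.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=0"
}

tproxy_iptables() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Order matters: packets for a socket Squid already owns (replies coming
    # back from the Internet) are diverted first ...
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # ... and only NEW port-80 connections arriving from the client side are
    # intercepted. Scoping to LAN_IF (the added guard) keeps traffic that
    # entered from the Internet side, or that Squid is relaying onward, out.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

tproxy_setup() {
    tproxy_routing
    tproxy_sysctl
    tproxy_iptables
}

# Self-checks over the generated rule set (subshell so the caller's DRY_RUN
# is untouched).
# 1. every TPROXY rule is scoped to the client-facing interface
tproxy_rules_scoped() {
    ( DRY_RUN=1; tproxy_iptables ) | grep -- '-j TPROXY' \
        | grep -q -v -- "-i $LAN_IF" && return 1
    return 0
}
# 2. the "-m socket" divert is installed before the TPROXY rule
socket_rule_precedes_tproxy() {
    ( DRY_RUN=1; tproxy_iptables ) \
        | awk '/-m socket/ { s = NR } /-j TPROXY/ { t = NR }
               END { exit !(s && t && s < t) }'
}

case "${1:-}" in
    show)  DRY_RUN=1; tproxy_setup ;;
    apply) tproxy_setup ;;
esac
```

Run `sh tproxy.sh show` to review the commands, then `sudo sh tproxy.sh apply` on the Squid host. The self-checks encode the two loop conditions from the reply: if the TPROXY rule is not restricted to the client-facing interface, or the `-m socket` rule does not come first, Squid's own relayed connections or their replies can be captured a second time.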