
Re: Re: transparent proxy on remote box issue

On 31/10/2013 7:38 a.m., WorkingMan wrote:
I hope I can refocus this question to the real problem.

I currently have a working VPN setup, but once I add my policy routing
rules it breaks the client's port 80 connection (everything else is still good,
apps still work). I don't see any traffic going to my SQUID server.

First of all I don't use cache. I read
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
but it says "Please realize that this just gets the packets to the cache;
you have to then configure interception on the cache itself to redirect
traffic to the Squid TCP port!". Do I have to do that if I don't use
cache (it didn't say what to do)?

"cache" is still used in a lot of places to mean "proxy". This was one of them.
(I've updated the config wording now.)


Steps taken:

#policy routing kernel requirement - OK
#grep CONFIG_IP_ADVANCED_ROUTER /boot/config-$(uname -r)
#grep CONFIG_IP_MULTIPLE_TABLES /boot/config-$(uname -r)
#CONFIG_IP_ROUTE_FWMARK is deprecated in option but enabled by default

#they say rp_filter can mess up policy routing so disabled it - OK
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

#executed following with my own IPs and table names - breaks connection

iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT
echo "201   http" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table http
ip route add default via $SQUID table http

ip route table list http (OK):

default via $SQUID dev eth0

ip route (OK):

default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0  proto kernel  scope link  src $VPN

route -n (OK):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

ip rule (OK):

0:      from all lookup local
219:    from all fwmark 0x2 lookup http
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

The short summary is that once I add

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2

VPN client's http traffic is broken. I am not able to determine where
the traffic is lost/dropped/redirected to (nothing showing on SQUID server).


Some questions that might lead you in a useful direction for solving this:
* is eth0 the right interface to be operating with?
  does VPN have an interface of its own with better results?
* is there something special you have to add on top of all this to make it work over a VPN connection? (all the testing done so far has been on regular ethernet and wireless connections).

* when the packets go from client to Squid to Internet they are still labeled by TPROXY as having come from the client IP. What path do they take back to the client?
   is Squid box with its TPROXY logics on that return path?

Amos
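As an added diagnostic (not part of the original thread and not Squid's own code): a POSIX shell function that takes the text of `ip rule`, `ip route list table http` and the `iptables -t mangle -vnxL PREROUTING` counters and reports which stage of the fwmark hand-off (rule, table default route, MARK match) is missing or never hit, so the "where is the traffic lost" question can be narrowed down on the router. The sample outputs are constructed; `10.0.0.5` stands in for `$SQUID`, and the packet counters are what tell a wrong `-i` interface apart from a routing problem.

```shell
# audit_policy_route MARK TABLE RULE_OUT ROUTE_OUT MANGLE_OUT
#   RULE_OUT   = text of "ip rule"
#   ROUTE_OUT  = text of "ip route list table TABLE"
#   MANGLE_OUT = text of "iptables -t mangle -vnxL PREROUTING"
# Prints one "ok:"/"FAIL:" line per check and returns the number of failures.
audit_policy_route() {
    mark=$1; table=$2; rules=$3; routes=$4; mangle=$5; fails=0
    hexmark=$(printf '0x%x' "$mark")

    # 1. A "fwmark <mark> lookup <table>" rule must exist and sort before main (32766).
    prio=$(printf '%s\n' "$rules" | awk -v m="$hexmark" -v t="$table" \
        '$4=="fwmark" && $5==m && $7==t { sub(":", "", $1); print $1; exit }')
    if [ -n "$prio" ] && [ "$prio" -lt 32766 ]; then
        echo "ok: fwmark $hexmark -> table $table at priority $prio"
    else
        echo "FAIL: no 'fwmark $hexmark lookup $table' rule ahead of main"; fails=$((fails+1))
    fi

    # 2. The table needs a default route, or the lookup falls through to main.
    if printf '%s\n' "$routes" | grep -q '^default via '; then
        echo "ok: table $table has a default route"
    else
        echo "FAIL: table $table has no default route"; fails=$((fails+1))
    fi

    # 3. The MARK rule must exist and its packet counter must be non-zero; a zero
    #    counter means the match (ingress interface, port) is wrong, not the routing.
    pkts=$(printf '%s\n' "$mangle" | awk -v m="$hexmark" \
        '$3=="MARK" && $NF==m { print $1; exit }')
    if [ -n "$pkts" ] && [ "$pkts" -gt 0 ]; then
        echo "ok: MARK $hexmark rule matched $pkts packets"
    else
        echo "FAIL: MARK $hexmark rule missing or never matched (check -i interface)"
        fails=$((fails+1))
    fi
    return $fails
}

# Constructed sample outputs shaped like the thread's (mark 2, table "http").
RULES_OK='0:      from all lookup local
219:    from all fwmark 0x2 lookup http
32766:  from all lookup main'
ROUTES_OK='default via 10.0.0.5 dev eth0'
MANGLE_OK='    pkts      bytes target     prot opt in     out     source               destination
      42     2520 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2'
# Same rule bound to the wrong ingress interface: VPN client packets never hit it.
MANGLE_NOHIT='       0        0 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2'

audit_policy_route 2 http "$RULES_OK" "$ROUTES_OK" "$MANGLE_OK"
```

If all three checks pass and clients still lose port 80, the remaining suspects are the ones Amos lists: the ingress interface the VPN actually uses and the return path from Squid back to the client.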