On 31/10/2013 7:38 a.m., WorkingMan wrote:
I hope I can refocus this question to the real problem.
I am currently have a working VPN setup but once I add my policy routing
rules it breaks the client's port 80 connection (everything else still good,
apps still work. I don't any traffic going to my SQUID server.
First of all I don't use cache. I read
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
but it says "Please realize that this just gets the packets to the cache;
you have to then configure interception on the cache itself to redirect
traffic to the Squid TCP port!". Do I have to do that if I don't use
cache (it didn't say what to do)?
"cache" is still used in a lot of places to mean "proxy". This was one
of them.
(I've updated the config wording now.)
Steps taken:
#policy routing kernel requirement - OK
#grep CONFIG_IP_ADVANCED_ROUTER /boot/config-$(uname -r)
#grep CONFIG_IP_MULTIPLE_TABLES /boot/config-$(uname -r)
#CONFIG_IP_ROUTE_FWMARK is deprecated in option but enabled by default
#they say rp_filer can mess up policy routing so disabled it - OK
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
#executed following with my own IPs and table names - breaks connection
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT
echo "201 http" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table http
ip route add default via $SQUID table http
ip route table list http (OK):
default via $SQUID dev eth0
ip route (OK):
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src $VPN
route -n (OK):
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
ip rule (OK):
0: from all lookup local
219: from all fwmark 0x2 lookup http
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
The short summary is that once I add
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
VPN client's http traffic is broken. I am not able to determine where
the traffic is lost/dropped/redirected to (nothing showing on SQUID server).
Some questions that might lead you in a useful direction for solving this:
* is eth0 the right interface to be operating with?
does VPN have an interface of its own with better results?
is there something special you have to add on top of all this to make
it work over a VPN connection?
(all the testing done so far has been on regular ethernet and wireless
connections).
* when the packets go from client to Squid to Internet they are still
labeled by TPROXY as having come from the client IP. What path do they
take back to the client?
is Squid box with its TPROXY logics on that return path?
Amos
