
Re: transparent proxy on remote box issue

> Some questions that might lead you in a useful direction for solving this:
> * is eth0 the right interface to be operating with?
>    does VPN have an interface of its own with better results?
>    is there something special you have to add on top of all this to make 
> it work over a VPN connection?
> (all the testing done so far has been on regular ethernet and wireless 
> connections).
> 
> * when the packets go from client to Squid to Internet they are still 
> labeled by TPROXY as having come from the client IP. What path do they 
> take back to the client?
>     is the Squid box with its TPROXY logic on that return path?
> 
> Amos
I think I am in worse shape than you think. Port 80 traffic is not going to
Squid at all; I don't see it in the access.log anyway.

On the Squid box I use these, from the Squid wiki:

export WAN=eth0
# Squid's own address on the WAN interface (taken from ifconfig output).
SQUIDIP=$(ifconfig $WAN | grep inet | awk '{ print $2 }' | cut -f 2 -d ":")
SQUIDPORT=3130

# Squid's own outbound port-80 connections must not be redirected back into Squid.
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# Everything else arriving for port 80 goes to the intercept port.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
# Refuse direct connections to the intercept port; only REDIRECTed traffic may reach it.
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

On the VPN box I use these (from the wiki, and maybe some from elsewhere):

export SQUID=<SQUID IP>
export SQUID_PORT=3130
# WAN is not set anywhere in this script; it is assumed to be eth0, the same
# interface the "dev eth0" route below uses.
export WAN=eth0

# Replies from Squid to clients must not be marked and routed back to Squid.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
# Mark port-80 traffic entering on $WAN so policy routing can send it to Squid.
iptables -t mangle -A PREROUTING -i $WAN  -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
iptables -t filter -A FORWARD -i $WAN -o $WAN -p tcp --dport 80 -j ACCEPT

# do the rt_tables change once (guarded so reruns do not append duplicate lines)
grep -q "[[:space:]]http$" /etc/iproute2/rt_tables || echo "202 http" >> /etc/iproute2/rt_tables

# remove old rules (these fail harmlessly on the first run)
ip rule del fwmark 2 table http
ip route del default via $SQUID dev eth0 table http

# add new rules: marked packets use table "http", whose default route is the Squid box
ip rule add fwmark 2 table http
ip route add default via $SQUID dev eth0 table http
ip route flush cache

# prints the current ruleset; redirect it to a file if it is meant to persist
iptables-save


Does the above affect local traffic on the VPN server as well? On the VPN server
I can query a web site without issue, but the VPN client can't. I don't
understand where the traffic is getting dropped. tshark catches nothing, and
there is nothing in the Squid logs. Is the above configuration correct for what I want to do?

I did add a secondary network interface to my VPN server, but I don't
see how it will help. I did try to use eth1 to route marked traffic, but it
didn't work.

Thanks,
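Two checks for the VPN-box side of this setup, as an added example that is not part of the original post or the Squid wiki: an idempotent rt_tables helper (the posted script appends "202 http" on every run) and a reader for `iptables -t mangle -vnL PREROUTING` output that answers the "where is it dropped" question from per-rule packet counters. The listing it parses is a constructed sample in the standard iptables -vnL layout, not captured from the poster's box; the function names rt_table_ensure, rule_hits and diagnose are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh, awk and mktemp.
set -eu

# Append "ID NAME" to an rt_tables file only if NAME is not already defined.
rt_table_ensure() {
    file=$1; id=$2; name=$3
    if awk -v n="$name" '$1 !~ /^#/ && $2 == n { found=1 } END { exit !found }' "$file"; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# Read an `iptables -vnL <chain>` listing on stdin and print the packet counter
# of the first rule whose target is $1 (columns: pkts bytes target prot ...).
rule_hits() {
    target=$1
    awk -v t="$target" 'NR > 2 && $3 == t { print $1; exit }'
}

# Turn the MARK rule's counter into the next thing to look at.
diagnose() {
    mark_pkts=$1
    if [ "$mark_pkts" -eq 0 ]; then
        echo "no port-80 packets matched the MARK rule: they are not entering on \$WAN (check -i, e.g. a tun interface)"
    else
        echo "packets were marked: check 'ip rule show', 'ip route show table http' and the return path via Squid"
    fi
}

# Constructed sample listing in iptables -vnL format (not from a real system).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 4021 packets, 310K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:80
    0     0 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2'

# Offline self-check on a temporary rt_tables copy and the sample listing.
demo() {
    f=$(mktemp)
    printf '255\tlocal\n254\tmain\n' > "$f"
    rt_table_ensure "$f" 202 http
    rt_table_ensure "$f" 202 http          # second call must not add a duplicate
    echo "rt_tables entries for http: $(grep -c '^202' "$f")"
    rm -f "$f"
    hits=$(printf '%s\n' "$SAMPLE_LISTING" | rule_hits MARK)
    diagnose "$hits"
}
demo
```

On the real box, replace the sample with `iptables -t mangle -vnL PREROUTING | rule_hits MARK`; a counter that stays at zero while the client browses means the packets never arrive on the interface named by `-i $WAN`, which is the first thing to establish before touching the ip rule or route.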
