Eliezer Croitoru <eliezer <at> ngtech.co.il> writes:

> Just to make sure I understood:
> How many boxes do you have?
> What is VPN and what is SQUID?
> You do understand that there is no way to run TPROXY on Amazon safely??
> So leave TPROXY out of sight for now.
>
> If you have two machines it's another story.
> If you do have one machine then what is the:
> "ip route"
> "iptables-save"
> and
> "ip addr"
> output for this machine?
>
> Eliezer

I am not using TPROXY. VPN/SQUID are two different servers.

SQUID:      10.0.0.117
VPN:        10.0.0.170
VPN client: 10.100.0.1
DNS:        10.0.0.2
Gateway:    10.0.0.1

VPN info first:

ip route:

    default via 10.0.0.1 dev eth0
    10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.170

ip route list table http:

    default via 10.0.0.117 dev eth0

iptables-save:

    *mangle
    :PREROUTING ACCEPT [1385:266526]
    :INPUT ACCEPT [836:121765]
    :FORWARD ACCEPT [615:148937]
    :OUTPUT ACCEPT [740:231496]
    :POSTROUTING ACCEPT [1355:380433]
    -A PREROUTING -s 10.0.0.117/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
    -A PREROUTING -m mark --mark 0x2 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
    COMMIT
    # Completed on Fri Nov  1 08:22:59 2013
    # Generated by iptables-save v1.4.18 on Fri Nov  1 08:22:59 2013
    *nat
    :PREROUTING ACCEPT [71:8268]
    :INPUT ACCEPT [11:4446]
    :OUTPUT ACCEPT [36:5443]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Fri Nov  1 08:22:59 2013
    # Generated by iptables-save v1.4.18 on Fri Nov  1 08:22:59 2013
    *filter
    :INPUT ACCEPT [219:29744]
    :FORWARD ACCEPT [18:8250]
    :OUTPUT ACCEPT [244:50280]
    -A FORWARD -i eth0 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    COMMIT

ip addr (VPN):

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 0a:a5:82:f8:2e:93 brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.170/24 brd 10.0.0.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::8a5:82ff:fef8:2e93/64 scope link
           valid_lft forever preferred_lft forever

On SQUID:

ip addr:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 0a:3c:e1:08:45:b7 brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.117/24 brd 10.0.0.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::83c:e1ff:fe08:45b7/64 scope link
           valid_lft forever preferred_lft forever

ip route:

    default via 10.0.0.1 dev eth0
    10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.117

iptables-save:

    *mangle
    :PREROUTING ACCEPT [24165:28648452]
    :INPUT ACCEPT [24165:28648452]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [11299:2165314]
    :POSTROUTING ACCEPT [11299:2165314]
    -A PREROUTING -p tcp -m tcp --dport 3130 -j DROP
    COMMIT
    # Completed on Fri Nov  1 08:26:29 2013
    # Generated by iptables-save v1.4.18 on Fri Nov  1 08:26:29 2013
    *filter
    :INPUT ACCEPT [24165:28648452]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [11308:2166378]
    COMMIT
    # Completed on Fri Nov  1 08:26:29 2013
    # Generated by iptables-save v1.4.18 on Fri Nov  1 08:26:29 2013
    *nat
    :PREROUTING ACCEPT [19:936]
    :INPUT ACCEPT [52:2560]
    :OUTPUT ACCEPT [102:24387]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -s 10.0.0.117/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130
    -A POSTROUTING -j MASQUERADE
    COMMIT

Thanks,
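Added example, not part of the thread: a small Python walk of the VPN box's mangle PREROUTING chain (the sample dump is constructed from the rules posted above) that reports which fwmark a given packet leaves with, so one can see which packets the `-i eth0` rule marks for the `http` routing table and which (for instance, packets arriving on a tunnel interface) fall through to the main table. The function names and the `tun0` interface name are assumptions for illustration.

```python
import ipaddress

# Constructed sample (assumption): the VPN box's mangle rules as posted in the thread,
# copied rule for rule so the walk below runs over the real ruleset.
VPN_MANGLE = """*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.117/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -m mark --mark 0x2 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
COMMIT
"""

def parse_rules(dump, table, chain):
    """Return the -A rules of one chain in one table, each as a token list, in order."""
    rules, current = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]                 # table header, e.g. *mangle
        elif current == table and line.startswith(f"-A {chain} "):
            rules.append(line.split()[2:])     # drop "-A <chain>"
    return rules

def opt(tokens, flag):
    """Value following a flag, or None when the rule does not use it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def prerouting_mark(dump, src, iface, dport, proto="tcp"):
    """Walk mangle PREROUTING for one packet; return the fwmark it leaves the chain with.
    Only the matches used in the posted rules are modelled: -s, -i, -p, --dport, --mark."""
    mark = 0
    for rule in parse_rules(dump, "mangle", "PREROUTING"):
        net = opt(rule, "-s")
        if net and ipaddress.ip_address(src) not in ipaddress.ip_network(net, strict=False):
            continue
        if opt(rule, "-i") not in (None, iface):
            continue
        if opt(rule, "-p") not in (None, proto):
            continue
        if opt(rule, "--dport") not in (None, str(dport)):
            continue
        wanted = opt(rule, "--mark")
        if wanted is not None and int(wanted, 16) != mark:
            continue
        target = opt(rule, "-j")
        if target == "ACCEPT":                 # chain traversal stops here
            return mark
        if target == "MARK":                   # --set-xmark value/mask: clear mask bits, XOR value
            value, mask = (int(x, 16) for x in opt(rule, "--set-xmark").split("/"))
            mark = ((mark & ~mask) ^ value) & 0xFFFFFFFF
    return mark

if __name__ == "__main__":
    # Same VPN-client packet to TCP/80, arriving on eth0 versus on a tunnel interface.
    print(hex(prerouting_mark(VPN_MANGLE, "10.100.0.1", "eth0", 80)))   # 0x2 -> table http
    print(hex(prerouting_mark(VPN_MANGLE, "10.100.0.1", "tun0", 80)))   # 0x0 -> main table
```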