On 15/12/2013 4:58 a.m., Matthew Goff wrote:
> Hi Amos,
>
> First, sorry for the double post -- my email seemed to be having
> issues yesterday.
>
> As to my issue: What steps can I do to try and validate that this is
> Squid or not? When I remove the following iptables entry and bypass
> Squid I can capture tcpdump traffic on the proxy machine and see no
> TCP reassemblies. Leaving the rules in place and passing traffic
> through Squid begins to show TCP reassemblies again and my application
> no longer works.
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
> --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>

The order of those rules is extremely sensitive. The DIVERT (which
handles both from-Squid and from-server packets) is required before the
TPROXY (which catches packets into Squid).

> I've been using my setup for a few years without issue and have never
> had an application fail to work prior to this. However when the
> application fails when routing traffic through Squid yet works when I
> bypass Squid, I'm not sure what else to blame or where else to look.

What do you mean by re-assemblies exactly...

* fragmented packets being assembled is required when there is a
  service reading those packets as I/O. Optional for a router simply
  passing them on?

* packet ACKs not being received from the server and re-sent by the
  Squid machine's TCP stack?

* packets being received from the client multiple times?

Amos
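A small check script, added here as an example and not part of the mailing-list thread or of Squid itself: it reads `iptables-save` output and verifies that, in the mangle PREROUTING chain, the jump to the DIVERT chain precedes the TPROXY rule, which is the ordering Amos describes. It assumes the usual Squid layout in which a `-m socket -j DIVERT` rule performs that jump (Matthew's post shows only the body of the DIVERT chain, not the jump into it), and the two `iptables-save` samples below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks rule order in the
# mangle PREROUTING chain: the "-j DIVERT" jump (which lets packets
# belonging to existing Squid sockets bypass interception) must come
# before the "-j TPROXY" rule, otherwise Squid's own traffic is
# re-intercepted. Input format is iptables-save text.

# check_tproxy_order: reads iptables-save output on stdin.
# Prints a verdict and returns 0 when a -j DIVERT rule precedes the
# -j TPROXY rule in *mangle PREROUTING, 1 otherwise (including when
# either rule is missing).
check_tproxy_order() {
    awk '
        /^\*/ { table = $1 }                 # table header: *mangle, *nat, ...
        table == "*mangle" && /^-A PREROUTING / {
            n++                               # position within PREROUTING
            if ($0 ~ /-j DIVERT( |$)/ && !divert) divert = n
            if ($0 ~ /-j TPROXY( |$)/ && !tproxy) tproxy = n
        }
        END {
            if (!divert) { print "WRONG: no -j DIVERT rule in mangle PREROUTING"; exit 1 }
            if (!tproxy) { print "WRONG: no -j TPROXY rule in mangle PREROUTING"; exit 1 }
            if (divert < tproxy) {
                print "OK: DIVERT (rule " divert ") precedes TPROXY (rule " tproxy ")"
                exit 0
            }
            print "WRONG: TPROXY (rule " tproxy ") precedes DIVERT (rule " divert ")"
            exit 1
        }'
}

# Constructed sample: the ordering Amos asks for (DIVERT jump first).
GOOD_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
COMMIT'

# Constructed sample: same rules with TPROXY listed before the DIVERT jump.
BAD_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
COMMIT'

# Demonstration on the constructed samples (the second one is expected
# to report WRONG). On a live proxy host, run:
#   iptables-save -t mangle | check_tproxy_order
printf '%s\n' "$GOOD_RULES" | check_tproxy_order
printf '%s\n' "$BAD_RULES" | check_tproxy_order || :
```

The check only looks at relative position in one chain; it does not confirm that the DIVERT chain itself marks and accepts, nor that the policy routing for mark 0x1 exists, so it is a first triage step for the symptom Matthew describes rather than a full validation of the TPROXY setup.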