
Re: TPROXY does not redirect to squid port

Simple question to Peter,

Have you made certain that squid in the squid configuration file
(/etc/squid/squid.conf) is listening on port 80 (the destination port
in your iptables rules)

and have you checked tcpwrappers or SELinux?

I see you've posted your iptables rules, but I don't see your squid.conf.

Also make sure that if you HAVE the configuration for squid to listen on
port 80, you don't have Apache or something else listening on port
80 at the same time on the same server.

I've had a lot of people try to do WPAD implementations and they
inevitably set Apache and squid to listen on the same port and same address.
 
-M



-----Original Message-----
To: squid-users@xxxxxxxxxxxxxxx

Date: Tue, 28 Jan 2014 10:04:26 +1300

On 2014-01-28 06:18, Peter Warasin wrote:
> Hi guys
> 
> 
> I configured a transparent proxy environment using TPROXY following the
> howto on the squid wiki http://wiki.squid-cache.org/Features/Tproxy4
> I set up a tproxy port in squid on port 18080 and created the following
> iptables rule:
> 
> -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 18080 --tproxy-mark
> 0x1/0x1
> 
> But squid never sees packets coming in.
> 
> So I tried with the following tool:
> https://github.com/kristrev/tproxy-example
> The same, packets are not seen.
> 
> By chance I tried to redirect to port 80 instead of 18080, so that
> no redirection happens at all, and then packets were seen by the
> tproxy-example tool.
> 
> Seems that redirection is not working correctly or not at all.
> 
> 
> I proved with iptables logging rules that routing is correct, because
> packets are coming in the INPUT chain instead of FORWARD and are marked
> as they should be.

Good.
Are there any rules in there that would prevent port 18080 packets
being accepted?

> 
> Also I see the following debug output when I compiled the tproxy iptables
> modules with -DDEBUG:
> 
> xt_TPROXY: redirecting: proto 6 194.232.104.141:80 ->
> 192.168.11.15:18080, mark: 1
> 
> which I would say means redirection actually *is* taking place, or
> perhaps debug messages are only correct while redirection is not (?).
> 
> I tried with both, squid 3.2.1 and 3.3.8 and with kernels 2.6.32 and
> 3.2.54 and combinations. Always the same result.

Kernel 2.6.32 is older than the minimum version (*.37). The older 2.6
kernels have some TPROXY commits, but have bugs such as ICMP packets about
TPROXY connection issues not being handled by the kernel properly, which
result in these strange packet disappearances.

I have also been seeing some posts about regressions and memory leaks in 
the netfilter mailing lists these last few months. I'm not sure if those 
issues made it to the stable kernels, but would be late 3.10+ versions 
if so.


> 
> Does anyone have some hints where I could look at in order to solve 
> this?

My first port of call would be the packet forwarding settings of the
kernel and later iptables rules. Since TPROXY does not alter the packet
IPs, they have "non-local" values when passing through all the normal
kernel forwarding permit/deny checks between the "mangle" table and the
Squid process socket.

I think RP filter is only affecting the outgoing traffic, but that could 
be worth checking as well.

Amos
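The two replies above between them list the things worth checking before blaming the kernel: that the mangle rule really points at the port Squid's tproxy `http_port` uses, that nothing else (Apache is the usual culprit) owns the port, that the kernel's forwarding and rp_filter sysctls are what you expect, and that the fwmark policy route from the Tproxy4 howto is in place. The script below is an added example, not code from this thread or from the Squid project. Each check reads one captured command dump on stdin and returns 0 when it looks right, so it can be fed live output (`iptables-save -t mangle | check_tproxy_rule 18080`) or a dump saved from another box. The port numbers, process names and all sample dumps are constructed for the demonstration; the `fwmark 0x1 lookup 100` / `local default dev lo` pair is the policy-routing setup used by the Tproxy4 howto and the kernel's tproxy documentation, assumed here to be what the reader configured.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): offline checks for the
# TPROXY prerequisites raised in the replies above.  Every check_* function
# reads a captured command dump on stdin and returns 0 on success.

# TPROXY rule in the mangle table with the expected --on-port.
# Input: iptables-save -t mangle
check_tproxy_rule() {  # $1 = port Squid's tproxy http_port listens on
    grep -Eq -- "-j TPROXY .*--on-port $1( |\$)"
}

# Names of the processes listening on TCP port $1.  Input: ss -ltnp
listeners_on_port() {
    awk -v port="$1" '$1 == "LISTEN" && $4 ~ (":" port "$") { print $NF }' \
        | sed -n 's/.*(("\([^"]*\)".*/\1/p' | sort -u
}

# Exactly one listener on the port, and it is the process we expect
# (catches the "Apache and squid on the same port" mistake).  Input: ss -ltnp
check_single_listener() {  # $1 = port, $2 = expected process name
    found=$(listeners_on_port "$1")
    [ "$found" = "$2" ]
}

# A sysctl key has the expected value.  Input: sysctl -a (or sysctl KEY)
check_sysctl() {  # $1 = key, $2 = expected value
    grep -Eq "^$1 = $2\$"
}

# Policy-routing rule sending fwmark 0x1 traffic to table 100 (Tproxy4 howto
# and kernel tproxy documentation).  Input: ip rule show
check_fwmark_rule() {
    grep -Eq 'fwmark (0x)?1 .*lookup 100'
}

# Table 100 delivers everything locally.  Input: ip route show table 100
check_local_route() {
    grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# ---- constructed sample dumps (not the original poster's system) ----
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 18080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
COMMIT'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=1201,fd=4))
LISTEN 0      128    0.0.0.0:18080      0.0.0.0:*         users:(("squid",pid=1337,fd=11))'

SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1'

SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main'

SAMPLE_TABLE100='local default dev lo scope host'

# Print PASS/FAIL for one check without aborting the script.
report() {  # $1 = label, remaining args = check command
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

printf '%s\n' "$SAMPLE_MANGLE"   | report "mangle TPROXY rule -> 18080"   check_tproxy_rule 18080
printf '%s\n' "$SAMPLE_SS"       | report "only squid on 18080"           check_single_listener 18080 squid
printf '%s\n' "$SAMPLE_SS"       | report "only squid on 80"              check_single_listener 80 squid
printf '%s\n' "$SAMPLE_SYSCTL"   | report "ip_forward = 1"                check_sysctl net.ipv4.ip_forward 1
printf '%s\n' "$SAMPLE_SYSCTL"   | report "eth0 rp_filter = 0"            check_sysctl net.ipv4.conf.eth0.rp_filter 0
printf '%s\n' "$SAMPLE_RULES"    | report "fwmark 0x1 -> table 100"       check_fwmark_rule
printf '%s\n' "$SAMPLE_TABLE100" | report "table 100 is local via lo"     check_local_route
```

With the constructed dumps, the port-80 and eth0 rp_filter checks report FAIL: port 80 is owned by apache2 rather than squid, and the per-interface rp_filter is 1 even though the `all` value is 0, which is exactly the kind of mismatch that is easy to miss when reading `sysctl -a` by eye.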




