On Thu, Feb 26, 2015 at 8:30 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 27/02/2015 12:41 p.m., Carvaka Guru wrote:
>> I am building a simple linux firewall router with eth1 LAN port and eth0
>> WAN port. I have squid3 running on it that I have built with netfilter
>> enabled. The linux version running on the firewall is debian wheezy which
>> has iptables with TPROXY and socket support.
>>
>> By setting up the iptables to send traffic to squid3 using the original nat
>> prerouting REDIRECT method everything works fine but I can't get the TPROXY
>> method to work. I followed all the steps outlined in
>> http://wiki.squid-cache.org/Features/Tproxy4
> Uhm... no. You ran a *completely* different command line.
Errr ... I didn't mention what command line I ran, just that I tried to follow the instructions from the link, so I don't understand why you would say that I ran a completely different command line??
>> but no traffic gets to squid3.
>> In fact all HTTP traffic goes into some hole as soon as I issue the
>> following two routing commands -
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> Without these two commands the HTTP traffic goes through but never gets
>> routed to squid3.
>>
>> I think the "ip route" command is the culprit but I don't know why or how
>> to change it?
> That is explained in the "/!\" notes directly following the example
> configuration you "followed".
> It even has a whole section "Some routing problems to be aware of" just
> to repeat the message about this problem and what to do about it.
> <http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration>
I had already gone through these sections (which have very scarce info as it is) and tried to understand the caveats, but since you explicitly pointed it out as something to look into, I thought I'd go through it again and try a few more things, but nothing really panned out.
I admit that I am a noob to this, so I am probably missing something elemental, but one thing I am certain of is that I need to change the "ip route add local" command to something that will work for my setup. Not sure what that would be, because I tried various combinations of parameters for this command and the result is the same, i.e. I lose web-connectivity as soon as I issue the command.
Perhaps someone will humor me and explain what the "ip route add local" command is exactly supposed to achieve in the context of TPROXY; then perhaps I may be able to morph it to fit my setup.
> Amos
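As an added illustration of what the two routing commands in the thread do (this is a constructed model written for this page, not code from the thread, the list or the Squid project), the script below simulates the policy-routing decision for a few packets. It assumes the DIVERT/TPROXY mangle rules from the Tproxy4 wiki (TPROXY marks LAN packets to port 80, `-m socket` marks replies to Squid's spoofed sockets), and the addresses, interface names and socket table are constructed. The last case shows the "hole": any packet carrying mark 1 that no local socket is waiting for is delivered to `lo` by the `local 0.0.0.0/0` route and never leaves via eth0.

```python
"""Model of the policy-routing step of a Squid TPROXY router (constructed).

Reproduces the effect of the two commands from the thread:
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
plus the mangle PREROUTING behaviour assumed from the Tproxy4 wiki.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")      # eth1 side (constructed)
ROUTER_IPS = {"192.168.1.1", "203.0.113.2"}       # eth1 / eth0 addresses (constructed)
INTERCEPT_PORTS = {80}                            # ports TPROXY'd to Squid

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_dev: Optional[str]   # "eth1", "eth0", or None for locally generated
    mark: int = 0

# Squid's outbound connection to the origin, spoofing the client's address.
# Replies must be steered back to Squid instead of forwarded to the client.
# (constructed entry: client_ip, client_port, origin_ip, origin_port)
TRANSPARENT_SOCKETS = {("192.168.1.10", 51234, "198.51.100.10", 80)}

def lookup_main(p):
    """Ordinary main table: router addresses are local, LAN via eth1, rest via eth0."""
    if p.dst in ROUTER_IPS:
        return ("local", "lo")
    return ("unicast", "eth1" if ipaddress.ip_address(p.dst) in LAN else "eth0")

def route(p):
    # 'ip rule add fwmark 1 lookup 100' is consulted before main; table 100
    # declares every destination local, so a marked packet goes to the local
    # stack (or is swallowed if no socket is waiting for it).
    if p.mark == 1:
        return ("local", "lo")
    return lookup_main(p)

def mangle_prerouting(p):
    """Apply the assumed wiki PREROUTING rules; returns the (possibly marked) packet."""
    if p.in_dev is None:
        return p                      # locally generated traffic never hits PREROUTING
    if (p.dst, p.dport, p.src, p.sport) in TRANSPARENT_SOCKETS:
        p.mark = 1                    # -m socket -j DIVERT: reply to Squid's spoofed socket
    elif p.in_dev == "eth1" and p.dport in INTERCEPT_PORTS:
        p.mark = 1                    # -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
    return p

def decide(p):
    """Routing decision for one packet: (route type, output device)."""
    return route(mangle_prerouting(p))
```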
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users