On 7/05/2015 6:09 p.m., Ambadas Hibare wrote:
> Hi,
>
> Client IP: 172.16.5.110
> Client Mac: 00:23:7D:E8:AC:C4
>
> Squid Box:
>
> eth0 IP: 172.16.5.102
> eth0 Mac: 18:A9:05:3C:12:E4
>
> eth1 IP: 10.0.0.102
> eth1 Mac: 18:A9:05:3C:12:E6
>
>> "Your "ip route" rules use eth1, but your rp_filter settings only
>> change eth0. Also your iptables rules do not distinguish by ethN."
>
> Yes. Should that setting be applied on both eths' or only the one
> facing the client?

The one facing the *server* at minimum. Doing it on both won't hurt for
experimenting. But when this is working try setting the client-facing
NIC off again.

> Also want to know if it's possible to do tproxy setup with just one
> eth at squid box?

Of course. You just have to configure the packet routing explicitly on
the router the Squid box is connected to as well as the Squid box
itself. To prevent server responses (SYN ACK etc) being sent to the
client when they should go to Squid.

>
>> "Your trace shows the MAC address *:c4 contacting Squid (MAC
>> address *:e4) and delivering an HTTP request. Squid (*:e4) then
>> contacts the remote server by sending a TCP SYN packet ... which
>> the MAC address *:c4 rejects."
>
> In trace it shows squid (*:e4) (packet# 83) is contacting the web
> server (google.com) via client IP (172.16.5.110). So it's getting
> spoofed!? But not able to understand why client is sending RST to
> google (packet# 84) just after that & response

Because one of the SYN (from Squid) or SYN-ACK packet (reply from
server) is arriving at the client when it should have been delivered
elsewhere.

the packets doing this:

 client -----> Squid -SYN-> server
 client <-------------ACK-- server
 client -RST-> Squid

or this:

 client -----> Squid -SYN-\
 client <-----------------/
 client -RST-> Squid

> PS. The default gateway for client is squid box IP (eth1).

The part routing traffic from client<->Squid is working. The part
Squid<->server is going wrong.

Amos
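
An added example, not part of the original message or of Squid: a small audit for the mismatch described above, where "ip route" rules name one NIC while rp_filter was only changed on another. It reports interfaces that still have strict reverse-path filtering in effect, using the kernel rule that the larger of conf.all and the per-interface value applies. The sysctl and route text below are constructed samples, and all function names are hypothetical.

```python
import re

# Constructed sample input (not taken from the thread): rp_filter relaxed on
# eth0 only, while the policy route used for TPROXY names eth1.
SYSCTL_SAMPLE = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
"""
ROUTE_SAMPLE = "local default dev eth1 scope host\n"

STRICT = 1  # rp_filter values: 0 = off, 1 = strict, 2 = loose

def parse_rp_filter(sysctl_text):
    """Map interface name -> configured rp_filter value (sysctl -a style)."""
    pat = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\.rp_filter\s*=\s*(\d+)$")
    values = {}
    for line in sysctl_text.splitlines():
        m = pat.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def effective_rp_filter(values, iface):
    """Kernel source validation uses max(conf.all, conf.<iface>)."""
    per_iface = values.get(iface, values.get("default", 0))
    return max(values.get("all", 0), per_iface)

def route_devices(route_text):
    """Interfaces named by 'dev X' in `ip route show table N` style output."""
    return sorted(set(re.findall(r"\bdev\s+(\S+)", route_text)))

def audit(sysctl_text, route_text, extra_ifaces=()):
    """Return the interfaces (from routes plus extras) still in strict mode."""
    values = parse_rp_filter(sysctl_text)
    ifaces = sorted(set(route_devices(route_text)) | set(extra_ifaces))
    return [i for i in ifaces if effective_rp_filter(values, i) == STRICT]

if __name__ == "__main__":
    for iface in audit(SYSCTL_SAMPLE, ROUTE_SAMPLE, extra_ifaces=("eth0",)):
        print(f"{iface}: strict rp_filter still in effect")
```

On a live box the two inputs would come from `sysctl -a` and `ip route show table <N>` for whichever table the TPROXY rule looks up.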