Re: [squid-users] Transparent Proxy stops working after time

From: E Roberts <eroberts-squid@dont-contact.us>
Date: Thu, 25 Mar 2004 13:16:31 -0500

On Thu, 25 Mar 2004 16:35:24 +0200, Denis Vlasenko
<vda@port.imtp.ilyichevsk.odessa.ua> wrote:

> On Thursday 25 March 2004 08:44, E Roberts wrote:
>> I have come across a strange problem, after what could be days, hours or
>> even 10 minutes my transparent proxy will just stop working. I have
>> tried
>
> tcpdump of this? What _exactly_ is not happening anymore?

Unfortunately this is on a production server and it always seems to happen
during the day when I can't take enough time to truly watch and see what's
going on in tcpdump, I get maybe 3 minutes before the calls start rolling
in and have to reboot the unit. I have only been able to make sure that
the server is getting the packets to make sure it had nothing to do with
the user's machine or the wireless interface. Also when I restart
NoCatAuth, the user is still captured for a login, forwarded to the billing
server and can auth correctly, once they finish that and try to use any
websites through the transparent proxy, the requests don't make it to
squid. NoCatAuth gateway and squid are on the same machine. In the
access.log file no requests come in anymore once this happens.

>> to restart squid, flush and reset my firewall rules, restart NoCatAuth,
>> and in the end the only thing that will get this working again is a full
>> reboot.
>
>> The setup I'm using is this:
>>
>> Slackware linux
>> kernel 2.4.20
>
> There are bugs in 2.4.20 iptables. Upgrade to latest and retest.

Are you saying bugs in the 2.4.20 'kernel' or in 1.2.8 'iptables'? Kinda
got me confused on that line of what part to upgrade, it would be a real
pain to do a full kernel re-compile and might have better luck if I can
just recompile iptables, or should they both be upgraded together?

>> Squid 2.5.STABLE4
>> iptables v1.2.8
>>
>> My firewall rules seem to be unchanged when this takes effect, here is the
>> part for the transparent proxy:
>>
>> Chain PREROUTING (policy ACCEPT)
>> target         prot opt source          destination
>> REDIRECT       tcp  --  192.168.0.0/16  <ip removed>  MARK match 0x4 tcp dpt:http redir ports 8080
>> REDIRECT       tcp  --  192.168.0.0/16  anywhere      MARK match 0x3 tcp dpt:http redir ports 8080
>> REDIRECT       tcp  --  192.168.0.0/16  anywhere      MARK match 0x2 tcp dpt:http redir ports 8080
>> REDIRECT       tcp  --  192.168.0.0/16  anywhere      MARK match 0x1 tcp dpt:http redir ports 8080
>> ACCEPT         all  --  10.0.0.0/8      anywhere
>> ACCEPT         all  --  1.0.0.0/8       anywhere
>> NoCat_Capture  all  --  anywhere        anywhere
>> DROP           tcp  --  !localhost      anywhere      tcp dpt:8080
>>
>> What is strange is that the sibling proxies are still able to use this as
>> their parent, and if you connect to port 8080 directly it will work (of
>> course this is without the above DROP being in the rules).
>>
>> I figure this might be an IPtables issue but hope to see if anyone has had
>> this issue or could point me in the correct location.
>>
>> Regards
> --
> vda
Received on Thu Mar 25 2004 - 11:16:21 MST
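As an added check that is not part of this thread: a small Python script that parses `iptables -t nat -L PREROUTING` output in the format quoted above and confirms the transparent-proxy rules are still laid out as expected (one REDIRECT per firewall mark, no terminal rule above them, a DROP guarding direct connections to the squid port). The sample listing is constructed from the post's rules, with 203.0.113.5 standing in for the removed address; the port and mark values are assumptions taken from the post.

```python
import re

# Constructed sample in `iptables -t nat -L PREROUTING` (non-verbose) format, modelled
# on the post's rules; 203.0.113.5 stands in for the address removed from the post.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source          destination
REDIRECT   tcp  --  192.168.0.0/16  203.0.113.5  MARK match 0x4 tcp dpt:http redir ports 8080
REDIRECT   tcp  --  192.168.0.0/16  anywhere     MARK match 0x3 tcp dpt:http redir ports 8080
REDIRECT   tcp  --  192.168.0.0/16  anywhere     MARK match 0x2 tcp dpt:http redir ports 8080
REDIRECT   tcp  --  192.168.0.0/16  anywhere     MARK match 0x1 tcp dpt:http redir ports 8080
ACCEPT     all  --  10.0.0.0/8      anywhere
ACCEPT     all  --  1.0.0.0/8       anywhere
NoCat_Capture  all  --  anywhere    anywhere
DROP       tcp  --  !localhost      anywhere     tcp dpt:8080
"""

def parse_chain(listing, chain):
    """Return (target, prot, source, destination, match_text) tuples for one chain, in order."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
        elif in_chain and line.strip() and not line.startswith("target"):
            p = line.split(None, 5)  # target prot opt source destination [match text]
            rules.append((p[0], p[1], p[3], p[4], p[5] if len(p) > 5 else ""))
    return rules

def check_proxy_chain(rules, port="8080", marks=("0x1", "0x2", "0x3", "0x4")):
    """Return a list of problems; an empty list means the chain matches the expected layout."""
    problems = []
    redir = [i for i, r in enumerate(rules)
             if r[0] == "REDIRECT" and f"redir ports {port}" in r[4]]
    seen = set()
    for i in redir:
        m = re.search(r"MARK match (\S+)", rules[i][4])
        if m:
            seen.add(m.group(1))
    problems += [f"no REDIRECT to {port} for MARK {m}" for m in marks if m not in seen]
    # A terminal ACCEPT/DROP on all/tcp traffic above the REDIRECTs ends chain traversal
    # first, so marked HTTP clients would never be redirected (source overlap not checked).
    first = min(redir) if redir else len(rules)
    for r in rules[:first]:
        if r[0] in ("ACCEPT", "DROP") and r[1] in ("all", "tcp") and "dpt:" not in r[4]:
            problems.append(f"terminal {r[0]} for {r[2]} sits above the REDIRECT rules")
    drop = [r for r in rules if r[0] == "DROP" and f"dpt:{port}" in r[4]]
    if not drop:
        problems.append(f"no DROP guarding direct connections to port {port}")
    elif not drop[0][2].startswith("!"):
        problems.append(f"DROP on port {port} does not exempt the local host")
    return problems
```

Run it against the live listing (`iptables -t nat -L PREROUTING`) when the proxy stops to confirm that the rule set really is unchanged before looking elsewhere.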
