[squid-users] tproxy and transparent interception fails on squid-2.6stable4 ?

From: zulkarnain <sizulku@dont-contact.us>
Date: Thu, 2 Nov 2006 04:13:56 -0800 (PST)

Hi all,
 
I just implemented a transparent proxy on a Linux box
consisting of:
 
Fedora Core 4
Kernel 2.6.15
iptables 1.3.5
cttproxy-2.6.15
squid-2.6STABLE4
 
The kernel and iptables have been patched with the
tproxy patches. These patches should be working, since I
saw that iptable_tproxy and ipt_tproxy are loaded in the kernel.
After squid is started, nobody can browse websites, and
I found many Invalid Request (clientReadRequest &
TCP_DENIED) entries in both access.log and cache.log.

I am just wondering: do tproxy and transparent proxying
work in 2.6STABLE4? If so, is there a special setting
or something I need to set? Any help would be great.
 
Thanks,
Zul
 
 
Note: The configuration below is my config.
 
 
---squid compile
./configure \
   --enable-epoll \
   --enable-snmp \
   --enable-removal-policies="heap,lru" \
   --enable-storeio="aufs,coss,diskd,null,ufs" \
   --enable-linux-netfilter \
   --enable-linux-tproxy \
   --with-pthreads \
   --enable-cachemgr-hostname=localhost \
   --enable-underscores \
   --enable-fd-config \
   --with-maxfd=16384 \
   --enable-err-languages=English

---squid.conf
http_port 3128 tproxy transparent
 
acl john src 192.168.1.2/255.255.255.255
acl mary src 192.168.1.3/255.255.255.255
 
http_access allow john
http_access allow mary
http_access deny all
 
http_reply_access allow all
icp_access allow all
miss_access allow all
 
cache_effective_user squid
cache_effective_group squid
 
tcp_outgoing_address 192.168.1.2 john
tcp_outgoing_address 192.168.1.3 mary
 
 
---kernel parameters
rp_filter is disabled
ip_forwarding is enabled
iptable_tproxy and ipt_tproxy is loaded
 
---iptables rule
iptables -t tproxy -A PREROUTING -i eth1 -p tcp -m tcp \
   --dport 80 -j TPROXY --on-port 3128
 
---cache.log
2006/11/01 01:05:36| clientReadRequest: FD 15 (192.168.1.2:2327) Invalid Request
2006/11/01 01:05:36| clientReadRequest: FD 15 (192.168.1.2:2328) Invalid Request
2006/11/01 01:05:37| clientReadRequest: FD 15 (192.168.1.3:24163) Invalid Request
2006/11/01 01:05:42| clientReadRequest: FD 15 (192.168.1.3:24164) Invalid Request

---access.log
1162317936.603 0 192.168.1.2 TCP_DENIED/400 2512 GET error:invalid-request - NONE/- text/html
1162317936.767 0 192.168.1.2 TCP_DENIED/400 2436 POST error:invalid-request - NONE/- text/html
1162317937.452 0 192.168.1.3 TCP_DENIED/400 1875 GET error:invalid-request - NONE/- text/html
1162317942.598 0 192.168.1.3 TCP_DENIED/400 1875 GET error:invalid-request - NONE/- text/html

 
Received on Thu Nov 02 2006 - 05:14:04 MST
