Re: [squid-users] Problem setting up transparent caching using TProxy and Squid

From: Ali Majdzadeh <ali.majdzadeh_at_gmail.com>
Date: Sat, 13 Aug 2011 06:21:16 +0430

Eliezer
Hi
Thanks for your email, and sorry if I couldn't properly describe the
case. Yes, I need an intercepting transparent proxy in which all
clients use their own IP address in order to surf the web while the
proxy server is kept transparent to them.
I am using Debian Lenny. Here are some details about the platform:

Kernel: 2.6.38.3 (NF_CONNTRACK=m, NETFILTER_TPROXY=m,
NETFILTER_XT_MATCH_SOCKET=m, NETFILTER_XT_TARGET_TPROXY=m)
iptables: 1.4.10
Squid: 3.1.12.1 (--enable-linux-netfilter)

I have configured all those firewall rules mentioned by the tutorial:

# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

Also, I have entered the following two lines in squid.conf:

http_port 3128
http_port 3129 tproxy

The proxy server is a one-NIC machine which is connected to the
Internet via its default gateway.

# ip rule list
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

# ip route list table all
local default dev lo  table 100  scope host
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.17
169.254.0.0/16 dev eth0  scope link  metric 1000
default via 192.168.1.1 dev eth0
local 192.168.1.17 dev eth0  table local  proto kernel  scope host  src 192.168.1.17
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth0  table local  proto kernel  scope link  src 192.168.1.17
broadcast 192.168.1.255 dev eth0  table local  proto kernel  scope link  src 192.168.1.17
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
fe80::/64 dev eth0  proto kernel  metric 256
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
local ::1 via :: dev lo  table local  proto none  metric 0  hoplimit 4294967295
local fe80::208:2ff:fe95:7a77 via :: dev lo  table local  proto none  metric 0  hoplimit 4294967295
ff00::/8 dev eth0  table local  metric 256
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255

The problem is that the kernel does not accept the following:

# ip route add local 0.0.0.0/0 dev lo table 100

Thanks again.

Warm Regards,
Ali Majdzadeh Kohbanani

2011/8/13 Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
>
> are you sure you need it as a tproxy and not an INTERCEPTION software?
> give us some info on the os and other stuff on the system and subnet etc.
>
> On 13/08/2011 00:32, Ali Majdzadeh wrote:
>
> Dear All,
> I have followed these two guides in order to set up transparent caching
> using TProxy and Squid, but without any success.
>
> http://wiki.squid-cache.org/Features/Tproxy4
> http://wiki.squid-cache.org/ConfigExamples/Intercept/CentOsTproxy4?action=show&redirect=ConfigExamples%2FTPROXYPatchingCentOS
>
> Actually, the following command fails:
> # ip route add local 0.0.0.0/0 dev lo table 100
> RTNETLINK answers: File exists
>
> Is there any solution to this? Any suggestions? I have precisely
> followed the guides. It should be noted that I am trying to set up a
> normal scenario where the proxy box is connected to the Internet using
> its default gateway and it has only one interface.
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
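An added example, not from the thread: the routing half of the TPROXY setup described above (fwmark 0x1 steered to table 100, plus the local catch-all route in that table) written as an idempotent shell script that inspects the current `ip rule list` and `ip route show` output before adding anything, so a repeat run does not hit "RTNETLINK answers: File exists" for a route that is already in the table. The mark and table number are the ones used in the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent TPROXY routing setup.
# Assumes the values used in the post: fwmark 0x1, routing table 100.
TPROXY_MARK=0x1
TPROXY_TABLE=100

# Given the output of `ip route show table $TPROXY_TABLE` (or `table all`),
# return 0 if the local catch-all route TPROXY needs is already present.
local_route_present() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# Given the output of `ip rule list`, return 0 if marked packets are
# already steered to the TPROXY table.
fwmark_rule_present() {
    printf '%s\n' "$1" |
        grep -Eq "fwmark ${TPROXY_MARK}(/0x[0-9a-fA-F]+)? lookup ${TPROXY_TABLE}\$"
}

# Decide what ensure_tproxy_routing still has to add. Prints the names of
# the missing pieces ("rule", "route"), one per line, and prints nothing
# when the host is already set up. Works on captured output only, so it
# can be tested without root.
missing_pieces() {   # $1 = ip rule list output, $2 = ip route output
    fwmark_rule_present "$1" || echo rule
    local_route_present "$2" || echo route
}

# Apply only the missing pieces on the live system (needs root and iproute2).
# Re-running it is safe: nothing is added twice, so a repeat run never
# produces "RTNETLINK answers: File exists".
ensure_tproxy_routing() {
    for piece in $(missing_pieces "$(ip rule list)" \
                                  "$(ip route show table "$TPROXY_TABLE")"); do
        case $piece in
            rule)  ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE" ;;
            route) ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE" ;;
        esac
    done
}

# Only touch the live system when explicitly asked: `sh tproxy-route.sh apply`
if [ "${1:-}" = apply ]; then
    ensure_tproxy_routing
fi
```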
Received on Sat Aug 13 2011 - 01:51:25 MDT

This archive was generated by hypermail 2.2.0 : Sat Aug 13 2011 - 12:00:02 MDT