RE: [squid-users] Tproxy time

From: John Hardin <jhardin_at_impsec.org>
Date: Sat, 20 Aug 2011 10:04:23 -0700 (PDT)

On Sat, 20 Aug 2011, Ritter, Nicholas wrote:

> What kernel/iptables/distro are you using?
>
> I am getting this exact same problem and I copied the iptables rules
> from my working TPROXY/SQUID setup and the only difference was the
> kernel and iptables version.
>
> I think there is some TPROXY breakage somewhere in the later kernels,

I have a very similar setup and I have no problems.

   athena ~ # equery l squid iptables
    * Searching for squid ...
   [IP-] [ ] net-proxy/squid-3.1.8:0
    * Searching for iptables ...
   [IP-] [ ] net-firewall/iptables-1.4.11.1-r2:0
   athena ~ # uname -a
   Linux athena 2.6.36-hardened-r9 blah blah blah

I don't know if that qualifies as a "later kernel" or not.

Those firewall rules seem overly complex, try it without fwmark:

   # No masq of HTTP traffic, must go via proxy
   /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8000,8008,8080,8088,8800,8880,8888 -j REDIRECT --to-port 3129

> -----Original Message-----
> From: User User [mailto:netwotkstudent_at_yahoo.com]
> Sent: Saturday, August 20, 2011 10:16 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Tproxy time
>
> Hi,
> I have a linux box on which I installed Squid. I used the steps from the wiki
> links (http://wiki.squid-cache.org/Features/Tproxy4) to compile the kernel,
> iptables, ...
> The box works normally on 3128 when I set a manual proxy on the client, but
> for tproxy transparent mode I am getting a timeout on the client after some
> minutes.
> I am routing traffic from the client to this box and try to catch the but
> iptables (tproxy). I am seeing requests in the access log too.
>
>
> http_port 3128
> http_port 3129 tproxy
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> thanks for your help.
>
>

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin_at_impsec.org    FALaholic #11174     pgpk -a jhardin_at_impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...much of our country's counterterrorism security spending is not
   designed to protect us from the terrorists, but instead to protect
   our public officials from criticism when another attack occurs.
                                                     -- Bruce Schneier
-----------------------------------------------------------------------
  4 days until the 1932nd anniversary of the destruction of Pompeii
Received on Sat Aug 20 2011 - 17:04:27 MDT
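The two rule sets compared in this thread, the quoted TPROXY/fwmark set and the REDIRECT alternative suggested in the reply, written out as a small shell helper that prints each set for review before anything is applied. This is an added example, not code from the thread or from the Squid project. The interface (eth0), the port list, the mark value and the routing table number are taken from the messages above; the function names, the environment-variable overrides, the `--apply` switch, the `-i` restriction on the TPROXY rule and the `show_rules` listing commands are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: print (and optionally
# apply) the two HTTP interception rule sets discussed above. Interface, ports,
# mark and table number come from the messages; everything else is an assumption.
set -u

IFACE="${IFACE:-eth0}"                       # client-facing interface
PROXY_PORT="${PROXY_PORT:-3129}"             # Squid's interception port
HTTP_PORTS="${HTTP_PORTS:-80,8000,8008,8080,8088,8800,8880,8888}"
MARK="${MARK:-1}"                            # fwmark used by the TPROXY variant
TABLE="${TABLE:-100}"                        # policy-routing table for marked packets

# TPROXY variant (the quoted rules, one command per line). Squid must listen
# with "http_port $PROXY_PORT tproxy"; the ip rule/route pair delivers packets
# marked by TPROXY to the local stack instead of forwarding them onward.
# The "-i $IFACE" match is an addition here, so only traffic arriving on the
# client-facing interface is intercepted (the quoted rule matches all inputs).
tproxy_rules() {
    cat <<EOF
ip rule add fwmark $MARK lookup $TABLE
ip -f inet route add local 0.0.0.0/0 dev $IFACE table $TABLE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i $IFACE -p tcp --dport 80 -j TPROXY --tproxy-mark 0x$MARK/0x$MARK --on-port $PROXY_PORT
EOF
}

# REDIRECT variant (the reply's suggestion): no marks, no policy routing. The
# nat table rewrites the destination to the proxy itself, so Squid must listen
# with "http_port $PROXY_PORT intercept" rather than "tproxy".
redirect_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $IFACE -p tcp -m multiport --dports $HTTP_PORTS -j REDIRECT --to-port $PROXY_PORT
EOF
}

# Commands that show what is actually loaded after applying either set.
show_rules() {
    cat <<EOF
iptables -t nat -L PREROUTING -n -v --line-numbers
iptables -t mangle -L PREROUTING -n -v --line-numbers
ip rule show
ip route show table $TABLE
EOF
}

# Usage: sh intercept_rules.sh {tproxy|redirect|show} [--apply]
# Without --apply the commands are only printed for review.
main() {
    mode="${1:-}"
    apply="${2:-}"
    case "$mode" in
        tproxy)   out=$(tproxy_rules) ;;
        redirect) out=$(redirect_rules) ;;
        show)     out=$(show_rules) ;;
        "")       return 0 ;;
        *) echo "usage: $0 {tproxy|redirect|show} [--apply]" >&2; return 2 ;;
    esac
    if [ "$apply" = "--apply" ]; then
        printf '%s\n' "$out" | sh -e     # stop at the first failing command
    else
        printf '%s\n' "$out"
    fi
}

main "$@"
```

Run `sh intercept_rules.sh redirect` to review the NAT variant and add `--apply` once it looks right, then `sh intercept_rules.sh show` to confirm what the kernel holds. The two variants are not interchangeable on the Squid side: REDIRECT changes the packet's destination to the proxy, so the matching squid.conf line is `http_port 3129 intercept`, while TPROXY keeps the original destination and needs both the `tproxy` port option and the ip rule/route pair; mixing the two is a common reason for connections that appear in access.log yet time out on the client.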