On Sat, 20 Aug 2011, Ritter, Nicholas wrote:
> What kernel/iptables/distro are you using?
>
> I am getting this exact same problem and I copied the iptables rules
> from my working TPROXY/SQUID setup and the only difference was the
> kernel and iptables version.
>
> I think there is some TPROXY breakage somewhere in the later kernels,
I have a very similar setup and I have no problems.
athena ~ # equery l squid iptables
* Searching for squid ...
[IP-] [ ] net-proxy/squid-3.1.8:0
* Searching for iptables ...
[IP-] [ ] net-firewall/iptables-1.4.11.1-r2:0
athena ~ # uname -a
Linux athena 2.6.36-hardened-r9 blah blah blah
I don't know if that qualifies as a "later kernel" or not.
Those firewall rules seem overly complex; try it without fwmark:
# No masq of HTTP traffic, must go via proxy
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8000,8008,8080,8088,8800,8880,8888 -j REDIRECT --to-port 3129
> -----Original Message-----
> From: User User [mailto:netwotkstudent_at_yahoo.com]
> Sent: Saturday, August 20, 2011 10:16 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Tproxy time
>
> Hi,
> I have a Linux box on which I installed Squid. I used the steps from the
> wiki link (http://wiki.squid-cache.org/Features/Tproxy4) to compile the
> kernel, iptables, ...
> The box works normally on 3128 when I set a manual proxy on the client, but
> in tproxy transparent mode I am getting a timeout on the client after some
> minutes.
> I am routing traffic from the client to this box and trying to catch it
> with iptables (tproxy). I am seeing requests in the access log too.
>
>
> http_port 3128
> http_port 3129 tproxy
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> thanks for your help.
>
>
--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhardin_at_impsec.org    FALaholic #11174     pgpk -a jhardin_at_impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...much of our country's counterterrorism security spending is not
  designed to protect us from the terrorists, but instead to protect our
  public officials from criticism when another attack occurs.
                                                  -- Bruce Schneier
-----------------------------------------------------------------------
 4 days until the 1932nd anniversary of the destruction of Pompeii
Received on Sat Aug 20 2011 - 17:04:27 MDT
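Editor's note (added example, not code from either poster): the thread's two setups fail in different ways when their pieces disagree, so the script below checks the invariants a Squid interception setup needs to hold. For TPROXY: the `-m socket` rule must precede the TPROXY rule in mangle PREROUTING, the divert chain must set the same mark that `--tproxy-mark` uses and then ACCEPT, an `ip rule` must route that fwmark to a local table, and `--on-port` must point at an `http_port ... tproxy`. For the REDIRECT approach suggested above: a nat REDIRECT delivers to a locally bound socket, so the target port must be an `http_port ... intercept` in Squid 3.1; with the original poster's `http_port 3129 tproxy` that REDIRECT rule would hit a port in the wrong mode. The sample inputs are constructed here in iptables-save, `ip rule` and squid.conf text form (not captured from any host in the thread); the function and variable names are this example's own.

```python
import re

# Constructed sample inputs, not captured from any host in the thread: the
# original poster's mangle rules as iptables-save prints them, the matching
# `ip rule` output, and the two http_port lines from squid.conf.
SAMPLE_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
SAMPLE_IP_RULE = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
SAMPLE_SQUID_CONF = "http_port 3128\nhttp_port 3129 tproxy\n"
# The simpler nat REDIRECT rule from the reply, as iptables-save prints it.
SAMPLE_NAT_REDIRECT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8000,8008,8080,8088,8800,8880,8888 -j REDIRECT --to-ports 3129
COMMIT
"""


def opt(rule, name):
    """Value following option `name` in one rule body, or None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r"\s+(\S+)", rule)
    return m.group(1) if m else None


def parse_save(text):
    """{chain: [rule body, ...]} from iptables-save text for one table."""
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            _, chain, body = line.split(" ", 2)
            chains.setdefault(chain, []).append(body)
    return chains


def parse_ip_rules(text):
    """{fwmark value: table} for every `ip rule` line that matches on fwmark."""
    rules = {}
    for line in text.splitlines():
        m = re.search(r"fwmark (0x[0-9a-f]+|\d+)(?:/\S+)? lookup (\S+)", line, re.I)
        if m:
            rules[int(m.group(1), 0)] = m.group(2)
    return rules


def parse_squid_ports(text):
    """{port: mode} for every http_port line; mode is '' for a plain port."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "http_port":
            ports[int(parts[1].rsplit(":", 1)[-1])] = parts[2] if len(parts) > 2 else ""
    return ports


def check_tproxy(mangle_text, ip_rule_text, squid_conf, nat_text=""):
    """Return the list of mismatches between the pieces; [] means consistent."""
    problems = []
    ports = parse_squid_ports(squid_conf)

    # nat REDIRECT delivers to a local socket: that port must be 'intercept'.
    for body in parse_save(nat_text).get("PREROUTING", []):
        if "-j REDIRECT" in body:
            port = int((opt(body, "--to-ports") or opt(body, "--to-port") or "0").split("-")[0])
            if ports.get(port) != "intercept":
                problems.append(f"REDIRECT sends traffic to {port} but http_port {port} is "
                                f"{ports.get(port)!r}; NAT-redirected traffic needs 'intercept'")

    mangle = parse_save(mangle_text)
    pre = mangle.get("PREROUTING", [])
    tproxy_idx = [i for i, r in enumerate(pre) if "-j TPROXY" in r]
    if not tproxy_idx:
        return problems  # no TPROXY setup to check
    tp = pre[tproxy_idx[0]]
    on_port = int(opt(tp, "--on-port"))
    mark_val, mark_mask = (int(x, 0) for x in opt(tp, "--tproxy-mark").split("/"))

    # Packets already owned by a transparent socket must be marked and
    # ACCEPTed before the TPROXY rule sees them.
    socket_idx = [i for i, r in enumerate(pre) if "-m socket" in r]
    if not socket_idx:
        problems.append("no '-m socket' rule in mangle PREROUTING ahead of TPROXY")
    elif socket_idx[0] > tproxy_idx[0]:
        problems.append("the '-m socket' rule must precede the TPROXY rule")
    else:
        divert = mangle.get(opt(pre[socket_idx[0]], "-j"), [])
        set_vals = set()
        for body in divert:
            raw = opt(body, "--set-mark") or opt(body, "--set-xmark")
            if "-j MARK" in body and raw:
                set_vals.add(int(raw.split("/")[0], 0) & mark_mask)
        if (mark_val & mark_mask) not in set_vals:
            problems.append("the divert chain does not set the mark that TPROXY uses")
        if not any("-j ACCEPT" in body for body in divert):
            problems.append("the divert chain must end with -j ACCEPT so marked packets skip TPROXY")

    # The mark must select a routing table that delivers the packet locally.
    if mark_val not in parse_ip_rules(ip_rule_text):
        problems.append(f"no 'ip rule ... fwmark {mark_val:#x}' routes marked packets to a local table")
    if ports.get(on_port) != "tproxy":
        problems.append(f"TPROXY --on-port {on_port} but http_port {on_port} is "
                        f"{ports.get(on_port)!r}, not 'tproxy'")
    return problems


if __name__ == "__main__":
    print("tproxy setup:", check_tproxy(SAMPLE_MANGLE, SAMPLE_IP_RULE, SAMPLE_SQUID_CONF) or "ok")
    print("redirect + tproxy port:", check_tproxy("", "", SAMPLE_SQUID_CONF, SAMPLE_NAT_REDIRECT))
```

On a real box, feed it `iptables-save -t mangle`, `iptables-save -t nat`, `ip rule` and the squid.conf; an empty list means the mark, the policy route, the rule order and the Squid port mode agree, which rules out the usual silent mismatches before looking at the kernel version.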
This archive was generated by hypermail 2.2.0 : Sun Aug 21 2011 - 12:00:02 MDT