> Some questions that might lead you in a useful direction for solving this:
> * is eth0 the right interface to be operating with?
> does VPN have an interface of its own with better results?
> is there something special you have to add on top of all this to make
> it work over a VPN connection?
> (all the testing done so far has been on regular ethernet and wireless
> connections).
>
> * when the packets go from client to Squid to Internet they are still
> labeled by TPROXY as having come from the client IP. What path do they
> take back to the client?
> is Squid box with its TPROXY logics on that return path?
>
> Amos
>
>
I think I am in worse shape than you think. Port 80 traffic is not going to
Squid at all; I don't see it in the access.log anyway.
On the Squid box I use these rules from the Squid wiki:
# Squid box
export WAN=eth0
# address of this box on $WAN; match "inet " so the inet6 line is not picked up
SQUIDIP=$(ifconfig $WAN | grep 'inet ' | awk '{ print $2 }' | cut -f 2 -d ":")
SQUIDPORT=3130
# Squid's own outgoing port 80 traffic must not be redirected back into Squid
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# everything else arriving for port 80 goes to the intercept port
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
# refuse connections aimed directly at the intercept port
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
On the VPN server I use these (from the wiki, and maybe some from elsewhere):
# VPN server
export SQUID=<SQUID IP>
export SQUID_PORT=3130   # not referenced by the rules below
# interface the rules below match on ($WAN was only set on the Squid box above)
export WAN=eth0
# packets coming from Squid itself pass through unmarked
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
# mark port 80 traffic arriving on $WAN so it is routed via the "http" table
iptables -t mangle -A PREROUTING -i $WAN -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
iptables -t filter -A FORWARD -i $WAN -o $WAN -p tcp --dport 80 -j ACCEPT
# do the rt_tables change once
echo 202 http >> /etc/iproute2/rt_tables
# remove old rules
ip rule del fwmark 2 table http
ip route del default via $SQUID dev eth0 table http
# add new rules
ip rule add fwmark 2 table http
ip route add default via $SQUID dev eth0 table http
ip route flush cache
# prints the live ruleset; it does not persist anything by itself
iptables-save
Does the above affect local traffic on the VPN server as well? On the VPN server
I can query a web site without issue, but a VPN client can't. I don't
understand where the traffic is getting dropped: tshark catches nothing, and
there is nothing in the Squid logs. Is the above configuration correct for what I want to do?
I did add a secondary network interface to my VPN server, but I don't
see how it will help. I did try to use eth1 to route the marked traffic, but it
didn't work.
Thanks,
Received on Thu Oct 31 2013 - 07:59:20 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 31 2013 - 12:00:08 MDT
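As an added example (not code from this thread or from the Squid wiki), here is a small shell script that does two things the quoted questions call for. It generates the VPN-server side of the policy-routing rules with the ingress interface, the egress interface and the Squid address as parameters, so the same rule set can be tried against the VPN interface (tun0 is assumed as the name) instead of eth0 without editing rules by hand, and it parses the per-rule packet counters from `iptables -t mangle -L PREROUTING -v -n -x` to show which MARK rule is actually seeing client packets. The interface names, the Squid address 192.0.2.10, mark 2 and the table name "http" are placeholders, and the counter readout embedded below is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not code from the original thread or the Squid wiki.
# Assumptions: tun0/eth0, 192.0.2.10, mark 2 and table "http" are placeholders.

# Emit (do not run) the VPN-router rules for a given ingress interface,
# egress interface and Squid address. Review the output, then pipe it to sh as root.
gen_router_rules() {
    in_if="$1"        # interface the client packets actually arrive on
    out_if="$2"       # interface towards the Squid box
    squid="$3"        # Squid box address
    mark="${4:-2}"
    table="${5:-http}"
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $squid -j ACCEPT
iptables -t mangle -A PREROUTING -i $in_if -p tcp --dport 80 -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -m mark --mark $mark -j ACCEPT
iptables -t filter -A FORWARD -i $in_if -o $out_if -p tcp --dport 80 -j ACCEPT
grep -q "[[:space:]]$table\$" /etc/iproute2/rt_tables || echo "202 $table" >> /etc/iproute2/rt_tables
ip rule del fwmark $mark table $table 2>/dev/null
ip rule add fwmark $mark table $table
ip route replace default via $squid dev $out_if table $table
ip route flush cache
EOF
}

# Read `iptables -t mangle -L PREROUTING -v -n -x` output on stdin and print
# "<in-iface> <pkts>" for every MARK rule. A rule whose counter stays at 0
# while a client browses is matching an interface the packets never enter on.
mark_rule_counters() {
    awk '$3 == "MARK" { print $6, $1 }'
}

# Only the interfaces whose MARK rule has seen packets.
marked_ifaces() {
    mark_rule_counters | awk '$2 > 0 { print $1 }'
}

# Constructed sample readout (not captured from a real box): the rule on eth0
# has matched nothing, while a second counting rule added on tun0 has.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 8841 packets, 1204466 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:80
       0        0 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
      57     4212 MARK       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
      57     4212 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2'

# Run with "demo" as the first argument to see both functions on the sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_COUNTERS" | mark_rule_counters
    printf 'interfaces with marked traffic: %s\n' "$(printf '%s\n' "$SAMPLE_COUNTERS" | marked_ifaces)"
    gen_router_rules tun0 eth0 192.0.2.10
fi
```

On a live box, source the script and run `iptables -t mangle -L PREROUTING -v -n -x | mark_rule_counters` while a VPN client fetches a page; if the only MARK rule shows 0 packets but the chain's policy counter keeps climbing, port 80 packets are reaching PREROUTING on some other interface, and `tcpdump -ni tun0 tcp port 80` (or whatever the VPN interface is called) confirms which one. That answers the first quoted question before anything about the return path is touched.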