On 2014-07-03 12:01, Nyamul Hassan wrote:
> Hi,
>
> We are trying to run Squid 3.4.6 with TProxy. Earlier we used to run
> Squid 2.7.Stable9 in "transparent" mode with a DNAT rule on the router
> box to redirect traffic. This being our first jibe at Squid3, we have
> successfully configured "intercept" mode with the router doing a
> policy-based routing (instead of DNAT). All works quite well!
>
> However, when we try to do a TProxy configuration, Squid does not seem
> to be seeing the traffic at all. Since Squid3 is working in
> "intercept" we assume that is not the problem. IPTables is configured
> as follows:
>
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "TProxy: "
> -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1
> --on-port 3129
> -A DIVERT -j MARK --set-mark 1
> -A DIVERT -j ACCEPT
> COMMIT
>
> The Log option shows similar lines as follows (our IP omitted below):
> Jul 3 05:15:24 proxy01 kernel: TProxy: IN=eth0 OUT=
> MAC=00:22:4d:a7:9a:8c:00:15:17:c8:a0:39:08:00 SRC=<test>
> DST=195.93.85.193 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=25176 DF
> PROTO=TCP SPT=3264 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> We also tried both with and without the "IP" commands:
>
> ip rule add fwmark 1 lookup 100
> ip route add local default dev eth0 table 100
>
> We have searched through Google, mailing lists, Squid Docs, but seems
> like we are still missing through something. One thing though, a lot
> of the TProxy examples accompany WCCP or Bridge. Are either of them
> mandatory in TProxy setup? If not, could someone help us where we are
> doing things wrong?
WCCP and Bridge are optional.
Since your policy routing is working and the syslog shows iptables
working it seems like the traffic should at least be arriving at Squid.
I suggest these steps for troubleshooting:
1) Double-check the "Troubleshooting" section entries on the TPROXY wiki
page to see if you have missed anything simple (like #3 below).
2) run Squid with debug level 11,2 to see what IP:port are being used on
traffic arriving and leaving Squid. This can help confirm the TCP
connections in syslog are correct, and tells you what to look for in #3
below.
3) check the routing rules on traffic once it leaves Squid (using the
serve connection details found in #2). The router often needs additional
policy routing rules for TPROXY to ensure it does not create a loop.
Amos
Received on Thu Jul 03 2014 - 00:30:09 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 03 2014 - 12:00:05 MDT