[squid-users] Unable to get TPROXY working with squid

Carvaka Guru carvakaguru at gmail.com
Mon Mar 2 17:41:46 UTC 2015

On Thu, Feb 26, 2015 at 8:30 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 27/02/2015 12:41 p.m., Carvaka Guru wrote:
> > I am building a simple linux firewall router with eth1 LAN port and eth0
> > WAN port. I have squid3 running on it that I have built with netfilter
> > enabled. The linux version running on the firewall is debian wheezy which
> > has iptables with TPROXY and socket support.
> >
> > By setting up the iptables to send traffic to squid3 using the original
> > nat prerouting REDIRECT method everything works fine but I can't get the
> > method to work. I followed all the steps outlined in
> > http://wiki.squid-cache.org/Features/Tproxy4
> Uhm... no. You ran a *completely* different command line.
Errr ... I didn't mention what command line I ran, just that I tried to
follow the instructions from the link, so I don't understand why you would
say that I ran a completely different command line?

> > but no traffic gets to squid3.
> > In fact all HTTP traffic goes into some hole as soon as I issue the
> > following two routing commands -
> >
> > ip rule add fwmark 1 lookup 100
> > ip route add local dev lo table 100
> >
> > Without these two commands the HTTP traffic goes through but never gets
> > routed to squid3.
> >
> > I think the "ip route" command is the culprit but I don't know why or how
> > to change it?
> That is explained in the "/!\" notes directly following the example
> configuration you "followed".
> It even has a whole section "Some routing problems to be aware of" just
> to repeat the message about this problem and what to do about it.
> <http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration>
I had already gone through these sections (which have very scarce info as
it is) and tried to understand the caveats but since you explicitly pointed
it out as something to look into, I thought I'd go through it again and try
a few more things but nothing really panned out.

I admit that I am a noob to this so I am probably missing something
elemental but one thing I am certain of is that I need to change the "ip
route add local" command to something that will work for my setup. Not sure
what that would be because I tried various combinations of parameters for
this command and the result is the same, i.e. I lose web-connectivity as
soon as I issue the command.

Perhaps someone will humor me and explain what the "ip route add local"
command is exactly supposed to achieve in the context of TPROXY; then perhaps
I may be able to morph it to fit my setup.

> Amos
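The question in the thread is what the "ip route add local" command does in a TPROXY setup. The script below is an added example, not code from the thread, from the Squid project or from the wiki page it cites. It puts the policy-routing and mangle-table pieces together with the reason for each in comments, prints the commands by default (set DRY_RUN=0 to apply them as root), and adds small text-based checks that can be run against the output of `ip rule show`, `ip route show table 100` and `ss -lnt` to confirm the setup before any traffic is marked. The mark value 1, table 100, Squid's tproxy port 3129, the LAN interface eth1 and the explicit 0.0.0.0/0 prefix on the local route are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid wiki): TPROXY policy routing
# for Squid, with a dry-run mode and verification helpers.
# Assumed values: fwmark 1, routing table 100, Squid tproxy port 3129, LAN on eth1.

MARK=1
TABLE=100
TPROXY_PORT=3129
LAN_IF=eth1
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands (default), 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy routing. The rule sends every packet carrying fwmark MARK to table
# TABLE. That table holds one route of type "local" that matches all
# destinations, so the kernel hands marked packets to the local stack instead
# of forwarding them. This is what lets Squid's IP_TRANSPARENT socket accept a
# packet whose destination address is some remote web server.
tproxy_routing() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Only traffic Squid is actually listening for may carry the mark. A marked
# packet that no local socket accepts is delivered to nobody and disappears,
# which is why an unfinished setup looks like a black hole for port 80.
tproxy_firewall() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # packets belonging to connections Squid already owns
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # new port-80 connections arriving from the LAN only
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# Checks over captured text, so they work on live output or on saved copies.
# Usage: has_fwmark_rule "$(ip rule show)"
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark (0x)?$MARK lookup $TABLE"
}

# Usage: has_local_route "$(ip route show table $TABLE)"
has_local_route() {
    printf '%s\n' "$1" | grep -Eq "^local (default|0\.0\.0\.0/0) dev lo"
}

# Usage: squid_listening "$(ss -lnt)"  -- Squid must be bound on the tproxy
# port before the TPROXY rule is added, or marked packets go nowhere.
squid_listening() {
    printf '%s\n' "$1" | grep -Eq "LISTEN.*[:.]$TPROXY_PORT[[:space:]]"
}

case "${1:-plan}" in
    plan)  tproxy_routing; tproxy_firewall ;;
    apply) DRY_RUN=0; tproxy_routing; tproxy_firewall ;;
esac
```

Run it with no arguments to see the plan; run `DRY_RUN=0 ./tproxy.sh apply` (or `./tproxy.sh apply`) as root to apply it. The three check functions are deliberately separated from the setup so that, when port 80 "goes into a hole", each precondition (rule present, local route in the table, Squid bound on the tproxy port) can be confirmed on its own.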