[squid-users] Unable to get TPROXY working with squid

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 3 03:27:01 UTC 2015

On 3/03/2015 6:41 a.m., Carvaka Guru wrote:
> On Thu, Feb 26, 2015 at 8:30 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 27/02/2015 12:41 p.m., Carvaka Guru wrote:
>>> I am building a simple linux firewall router with eth1 LAN port and eth0
>>> WAN port. I have squid3 running on it that I have built with netfilter
>>> enabled. The linux version running on the firewall is debian wheezy which
>>> has iptables with TPROXY and socket support.
>>> By setting up the iptables to send traffic to squid3 using the original nat
>>> prerouting REDIRECT method everything works fine but I can't get the
>>> method to work. I followed all the steps outlined in
>>> http://wiki.squid-cache.org/Features/Tproxy4
>> Uhm... no. You ran a *completely* different command line.
> Errr ... I didn't mention what command line I ran, just that I tried to
> follow the instructions from the link, so I don't understand why you would
> say that I ran a completely different command line??

You said:
as soon as I issue the following two routing commands -

 ip rule add fwmark 1 lookup 100
 ip route add local dev lo table 100

The tutorial uses two commands (one for IPv4 and one for IPv6 routing) and
indicates an ethN interface.

>>> but no traffic gets to squid3.
>>> In fact all HTTP traffic goes into some hole as soon as I issue the
>>> following two routing commands -
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local dev lo table 100
>>> Without these two commands the HTTP traffic goes through but never gets
>>> routed to squid3.
>>> I think the "ip route" command is the culprit but I don't know why or how
>>> to change it?
>> That is explained in the "/!\" notes directly following the example
>> configuration you "followed".
>> It even has a whole section "Some routing problems to be aware of" just
>> to repeat the message about this problem and what to do about it.
>> <http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration>
> I had already gone through these sections (which have very scarce info as
> it is) and tried to understand the caveats but since you explicitly pointed
> it out as something to look into, I thought I'd go through it again and try
> a few more things but nothing really panned out.
> I admit that I am a noob to this so I am probably missing something
> elemental but one thing I am certain of is that I need to change the "ip
> route add local" command to something that will work for my setup. Not sure
> what that would be because I tried various combinations of parameters for
> this command and the result is the same, i.e. I lose web-connectivity as
> soon as I issue the command.
> Perhaps someone will humor me and explain what the "ip route add local"
> command is exactly supposed to achieve in the context of TPROXY; then perhaps
> I may be able to morph it to fit my setup.

It is the type of route being created: one for traffic within the local
machine, as opposed to other types like unicast (Internet), multicast,
broadcast, or blackholes.

The tuneable parameters of those rules AFAIK are:
 the table ID number - which should be unique for the TPROXY usage, and
 the device name - which should be either "lo" or the eth* physical NIC
the traffic arrives on (not an alias) depending on your OS security
setup, and
 the IP-range you want captured - normally everything and the DIVERT
iptables chain takes care of exceptions.
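The three tuneable parameters Amos lists (table id, device, captured IP range) can be checked and assembled into the rule/route pair before anything is applied. The following is an added example, not code from this thread or from the Squid wiki: a POSIX shell script that validates those parameters, emits the fwmark rule and the local route for both IPv4 and IPv6, and only executes them when APPLY=1 is set. The `ip -4`/`ip -6` family flags, the function names and the default ranges of 0.0.0.0/0 and ::/0 are my own choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): build the TPROXY
# policy-routing commands from the three parameters discussed above:
# the fwmark/table id, the device the traffic arrives on, and the
# captured IP range. Nothing is applied unless APPLY=1.

# Validate a routing table id. It must be a plain number in 1..252;
# 253-255 are the reserved default/main/local tables and must not be
# reused for TPROXY.
tproxy_check_table() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 252 ]; then
        return 0
    else
        return 1
    fi
}

# Emit the rule + route pair for one address family.
# $1 = family flag (-4 or -6), $2 = fwmark, $3 = table id,
# $4 = device ("lo" or the physical NIC), $5 = captured range
tproxy_route_cmds() {
    fam=$1; mark=$2; table=$3; dev=$4; range=$5
    printf 'ip %s rule add fwmark %s lookup %s\n' "$fam" "$mark" "$table"
    printf 'ip %s route add local %s dev %s table %s\n' \
        "$fam" "$range" "$dev" "$table"
}

# Full command set for IPv4 and IPv6. Arguments: mark table device
# The captured range is always given explicitly (everything, by
# default) so the route never lacks a prefix.
tproxy_all_cmds() {
    mark=$1; table=$2; dev=$3
    tproxy_check_table "$table" || {
        echo "bad table id (need 1..252): $table" >&2; return 1; }
    [ -n "$dev" ] || { echo "device name required" >&2; return 1; }
    tproxy_route_cmds -4 "$mark" "$table" "$dev" 0.0.0.0/0
    tproxy_route_cmds -6 "$mark" "$table" "$dev" ::/0
}

# Print the commands (default) or run them line by line when APPLY=1
# (applying needs root and the iproute2 "ip" tool).
tproxy_setup() {
    cmds=$(tproxy_all_cmds "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$cmds" | while IFS= read -r line; do $line; done
    else
        echo "$cmds"
    fi
}

# Usage: tproxy_setup 1 100 lo      (dry run: prints four commands)
#        APPLY=1 tproxy_setup 1 100 lo   (actually installs them)
```

Running `tproxy_setup 1 100 lo` without APPLY prints the four commands so they can be compared against the wiki's routing section before touching the live routing tables; a non-numeric or reserved table id, or a missing device, is rejected with a message on stderr instead of producing a half-built configuration.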

