<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head><body style="">
<div>
Hi,
</div>
<div>
first of all what error do you get at client side? Timeout? Blank Page?
</div>
<div>
I'm also running squid in an ISG setup, my squid version is Squid Cache: Version 3.1.10 on Centos 6.5
</div>
<div>
Few things to check:
</div>
<div>
1) please ensure the iptables-rules are hit correctly by issuing .f.e:
</div>
<div>
iptables -t mangle -vnL
</div>
<div>
</div>
<div>
2)if you see packets please make sure you do not have a redirect-loop, run squid in debug mode or enable logging.
</div>
<div>
an example error can be found here:
</div>
<div>
http://www.squid-cache.org/mail-archive/squid-users/201004/0538.html
</div>
<div>
</div>
<div>
3) it's enough to configure port redirection once, you can do it with iptables on the squid box (as you did below) or directly at the ISG, if you have defined a server Pool it will look like that (probably ;))
</div>
<div>
redirect server-group REDIRECT_SERVERS
<br /> server ip xx.xx.xx.xx port 80
</div>
<div>
for iptables-redirect
</div>
<div>
or
</div>
<div>
server ip xx.xx.xx.xx port 3129
</div>
<div>
for isg redirect
</div>
<div>
</div>
<div>
4) All problems I had with that setup basically were router configuration errors. If L4 redirect does not work did you try next-hop rerouting without altering the ports?
</div>
<div>
In a Cisco ISG setup make sure the squid box uses the ISG for the return traffic and can't reach the clients directly, also make sure you are capturing the right traffic and not blocking the return packets ect.
</div>
<div>
</div>
<div>
HTH,
</div>
<div>
Alex
</div>
<div>
</div>
<div>
</div>
<blockquote style="position: relative; margin-left: 0px; padding-left: 10px; border-left: solid 1px blue;" type="cite">
Jaydeep Kubavat <jaykbvt@gmail.com> hat am 8. April 2015 um 13:50 geschrieben:
<br />
<br />
<div dir="ltr">
Hi,
<div>
</div>
<div>
As suggested by Amos...I've configured squid box with bellow mentioned config.
</div>
<div>
</div>
<div>
I followed this doc
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat</a>
</div>
<div>
</div>
<div>
1. Configured iptables as:
</div>
<div>
</div>
<div>
<div>
Table: filter
</div>
<div>
Chain INPUT (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Chain FORWARD (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Chain OUTPUT (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Table: mangle
</div>
<div>
Chain PREROUTING (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
1 DROP tcp --
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:3129
</div>
<div>
</div>
<div>
Chain INPUT (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Chain FORWARD (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Chain OUTPUT (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Chain POSTROUTING (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
<div>
Table: nat
</div>
<div>
Chain PREROUTING (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
1 ACCEPT tcp -- 10.58.200.33
<a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:80
</div>
<div>
2 DNAT tcp --
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:80 to:
<a href="http://10.58.200.33:3129">10.58.200.33:3129</a>
</div>
<div>
</div>
<div>
Chain POSTROUTING (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
1 MASQUERADE all --
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
<a href="http://0.0.0.0/0">0.0.0.0/0</a>
</div>
<div>
</div>
<div>
Chain OUTPUT (policy ACCEPT)
</div>
<div>
num target prot opt source destination
</div>
<div>
</div>
</div>
<div>
</div>
<div>
2. squid with http_port 3129 intercept
</div>
<div>
</div>
<div>
3. PCAP result
</div>
<div>
</div>
<div>
<div>
"3","1.539609","10.210.83.247","10.58.200.33","TCP","68","28754→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1"
</div>
<div>
</div>
<div>
"4","1.539680","10.58.200.33","10.210.83.247","TCP","68","80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
<div>
</div>
<div>
"19","2.717863","10.58.200.33","10.210.83.247","TCP","68","[TCP Retransmission] 80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
<div>
</div>
<div>
"31","7.613768","10.210.83.247","10.58.200.33","TCP","64","[TCP Spurious Retransmission] 28754→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1360 SACK_PERM=1"
</div>
<div>
</div>
<div>
"32","7.613835","10.58.200.33","10.210.83.247","TCP","68","[TCP Retransmission] 80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
<div>
</div>
<div>
"43","8.917825","10.58.200.33","10.210.83.247","TCP","68","[TCP Retransmission] 80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
<div>
</div>
<div>
"167","20.917840","10.58.200.33","10.210.83.247","TCP","68","[TCP Retransmission] 80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
<div>
</div>
<div>
"485","44.917837","10.58.200.33","10.210.83.247","TCP","68","[TCP Retransmission] 80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
<div>
</div>
<div>
"962","93.117870","10.58.200.33","10.210.83.247","TCP","68","[TCP Retransmission] 80→28754 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=64"
</div>
</div>
<div>
</div>
<div>
<span style="color: #888888;">-- </span>
<br style="color: #888888;" />
<div style="color: #888888;">
Thanks & Regards
<br />Jaykbvt
</div>
</div>
<div class="gmail_extra">
<br />
<div class="gmail_quote">
On Wed, Apr 8, 2015 at 2:50 PM, Jaydeep Kubavat
<span><<a target="_blank" href="mailto:jaykbvt@gmail.com">jaykbvt@gmail.com</a>></span> wrote:
<br />
<blockquote style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div dir="ltr">
Hi,
<div>
</div>
<div>
I've configured a transparent squid proxy on a centos 6.6 with single NIC.
</div>
<div>
<br clear="all" />
<div>
There is Cisco ISG in between with L4 redirection on www traffic.
</div>
<div>
</div>
<div>
The requests are coming on port 80 from client and ISG forwards that to port 80 on my squid server.
</div>
<div>
</div>
<div>
So there is no iptables configured on squid server.
</div>
<div>
</div>
<div>
Client requests are not reaching upto my squid instance.
</div>
<div>
</div>
<div>
I'm getting the following in pcap on squid box.
</div>
<div>
</div>
<div>
=========================
</div>
<div>
<div>
</div>
<div>
"129","79.114808","10.210.83.246","10.58.200.33","TCP","76","39546→80 [SYN] Seq=0 Win=14600 Len=0 MSS=1360 SACK_PERM=1 TSval=2686675 TSecr=0 WS=64"
</div>
<div>
</div>
<div>
"130","79.114946","10.58.200.33","10.210.83.246","TCP","76","80→39546 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=509402603 TSecr=2686675 WS=64"
</div>
<div>
</div>
<div>
"145","82.115674","10.210.83.246","10.58.200.33","TCP","76","[TCP Spurious Retransmission] 39546→80 [SYN] Seq=0 Win=14600 Len=0 MSS=1360 SACK_PERM=1 TSval=2686976 TSecr=0 WS=64"
</div>
<div>
</div>
<div>
"146","82.115748","10.58.200.33","10.210.83.246","TCP","76","[TCP Retransmission] 80→39546 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=509405604 TSecr=2686675 WS=64"
</div>
<div>
</div>
<div>
"151","83.113859","10.58.200.33","10.210.83.246","TCP","76","[TCP Retransmission] 80→39546 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=509406603 TSecr=2686675 WS=64"
</div>
<div>
</div>
<div>
"165","88.145376","10.210.83.246","10.58.200.33","TCP","76","[TCP Spurious Retransmission] 39546→80 [SYN] Seq=0 Win=14600 Len=0 MSS=1360 SACK_PERM=1 TSval=2687578 TSecr=0 WS=64"
</div>
<div>
</div>
<div>
"166","88.145450","10.58.200.33","10.210.83.246","TCP","76","[TCP Retransmission] 80→39546 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=509411634 TSecr=2686675 WS=64"
</div>
<div>
</div>
<div>
"176","89.113837","10.58.200.33","10.210.83.246","TCP","76","[TCP Retransmission] 80→39546 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=509412603 TSecr=2686675 WS=64"
</div>
<div>
</div>
<div>
"285","101.113833","10.58.200.33","10.210.83.246","TCP","76","[TCP Retransmission] 80→39546 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=509424603 TSecr=2686675 WS=64"
</div>
<div>
</div>
</div>
<div>
=========================
</div>
<div>
</div>
<div>
my squid is configured default, only
</div>
<div>
</div>
<div>
http_port 3130
</div>
<div>
http_port 80 intercept
</div>
<div>
</div>
<div>
are changed.
</div>
<div>
</div>
<div>
</div>
<div>
</div>
<span><span><span style="color: #888888;">-- <br /></span></span></span>
<div>
Thanks & Regards
<br />Jaykbvt
</div>
</div>
</div>
</blockquote>
</div>
<br />
<br clear="all" />
<div>
</div> --
<br />
<div class="gmail_signature">
Thanks & Regards
<br />Jaykbvt
</div>
</div>
</div> _______________________________________________
<br />squid-users mailing list
<br />squid-users@lists.squid-cache.org
<br />http://lists.squid-cache.org/listinfo/squid-users
</blockquote>
<div>
<br />
</div>
</body></html>