<div dir="auto"><div>You will need to transpareny redirect the traffic and not explicitly pointing your browser to squid. Seems that the mentioned firewall rules are correct. You will need a policy route also for the marked traffic.<br><div class="gmail_extra"><br><div class="gmail_quote">On Oct 5, 2017 7:54 PM, "xpro6000" <<a href="mailto:xpro6000@gmail.com">xpro6000@gmail.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm back to square one then, and it looks like there is no way to tell Squid to use the same connecting ip for the outgoing ip, which is what I need.</div><div class="elided-text"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 5, 2017 at 3:49 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05/10/17 15:01, xpro6000 wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm trying to setup tproxy with Squid 3.5 for the purpose of having the same outgoing ip as the connecting ip. (I have thousands of IPs and I can not add them one by one)<br>
<br>
I started with a fresh install of Debian 9, installed Squid by<br>
<br>
apt install squid<br>
<br>
then I added<br>
<br>
http_port 3129 tproxy<br>
<br>
to squid.conf<br>
<br>
I then ran the following commands for iptables<br>
<br>
iptables -t mangle -N DIVERT<br>
iptables -t mangle -A DIVERT -j MARK --set-mark 1<br>
iptables -t mangle -A DIVERT -j ACCEPT<br>
<br>
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT<br>
<br>
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129<br>
<br>
<br>
I can use the proxy with no problems on port 3128, but on Firefox I get a message "The proxy server is refusing connections" when I set the proxy to port 3129. Did I miss any steps or am I doing something wrong?<br>
</blockquote>
<br>
You missed the fact that TPROXY is an MITM operation. You *cannot* setup the browser to use the proxy directly to its tproxy port. You have to route the packets to the proxy machine without any explicit browser or client configuration.<br>
<br>
Only the Squid machine bits (and thus behaviour) are different with TPROXY vs NAT interception.<br>
<br>
...<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
http_access allow localhost manager<br>
http_access deny manager<br>
http_access allow localhost<br>
http_access allow all<br>
</blockquote>
<br>
Do not do "allow all" like this. Setup the localnet ACL to your LAN range(s) properly and only allow those clients through the proxy.<br>
<br>
Then you can use the recommended default:<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
http_access allow localhost<br>
http_access deny manager<br>
http_access allow localnet<br>
http_access deny all<br>
<br>
Amos<br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
</blockquote></div><br></div>
</div><br>______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
<br></blockquote></div><br></div></div></div>