[squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

Jens Offenbach wolle5050 at gmx.de
Wed Oct 26 06:42:00 UTC 2016


Hi,
I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 16.04.1, but I cannot get it working. When a client tries to connect to the web, the connection always times out.

Hopefully someone has an idea what's going on.

uname -r:
4.4.0-45-generic

sysctl:
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

squid.conf:
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
  acl localnet    src 139.2.0.0/16
  acl localnet    src 193.96.112.0/21
  acl localnet    src 192.109.216.0/24
  acl localnet    src 100.1.4.0/22
  acl localnet    src 10.0.0.0/8
  acl localnet    src 172.16.0.0/12
  acl localnet    src 192.168.0.0/16
  acl to_localnet dst 139.2.0.0/16
  acl to_localnet dst 193.96.112.0/21
  acl to_localnet dst 192.109.216.0/24
  acl to_localnet dst 100.1.4.0/22
  acl to_localnet dst 10.0.0.0/8
  acl to_localnet dst 172.16.0.0/12
  acl to_localnet dst 192.168.0.0/16

  http_access allow manager localhost
  http_access deny  manager
  http_access allow localnet
  http_access allow localhost
  http_access allow to_localnet
  http_access deny all

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
  http_port 10.30.200.99:3128
  http_port 10.30.216.254:3128
  http_port 10.30.216.254:3129 tproxy

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
  cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
  cache_peer  roxy.mycompany.com parent 8080 0 no-query no-digest

# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
  maximum_object_size_in_memory 8 MB
  memory_replacement_policy heap LFUDA
  cache_mem 256 MB

# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
  maximum_object_size 10 GB
  cache_replacement_policy heap GDSF
  cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
  access_log daemon:/var/log/squid/access.log squid
  cache_store_log daemon:/var/log/squid/store.log

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
  cache_log /var/log/squid/cache.log
  coredump_dir /var/log/squid
  
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
  cache allow all
  
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
  visible_hostname my-proxy.mycompany.com

# ICP OPTIONS
# -----------------------------------------------------------------------------
  icp_port 0

# OPTIONS INFLUENCING REQUEST FORWARDING 
# -----------------------------------------------------------------------------
  always_direct allow to_localnet
  always_direct allow to_localhost
  never_direct  allow all

# DNS OPTIONS
# -----------------------------------------------------------------------------
  dns_nameservers 192.168.0.1
  dns_nameservers 192.168.0.2

# MISCELLANEOUS
# -----------------------------------------------------------------------------
  memory_pools off

iptables-rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 --on-ip 10.30.216.254

I can see that packets are traversing the chain DIVERT and TPROXY (packet counter):
Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
1134K  416M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
1134K  416M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 2380 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source               destination
1253K  455M neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1134K  416M DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
 2125  119K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4 prefix "TPROXY : "
   63  3780 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 10.30.216.254:3129 mark 0x1/0x1

The client request is present in my syslog:
Oct 26 08:38:49 os-controller01 kernel: [ 4590.987956] TPROXY : IN=eth2 OUT= MAC=00:50:56:8d:2f:d4:02:05:69:02:be:68:08:00 SRC=10.30.216.132 DST=74.125.24.94 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=21615 DF PROTO=TCP SPT=47706 DPT=80 WINDOW=27200 RES=0x00 SYN URGP=0

There is nothing in squid logs.

I have no idea. Does anyone have any hints about what is wrong with my setup?

Regards,
Jens
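The post shows the mangle-table rules and the sysctl settings, but not the policy-routing part of a Linux TPROXY setup: the TPROXY target only sets the fwmark and points the packet at the listening socket, and the kernel still needs an `ip rule` that sends fwmark'ed packets to a routing table whose default route is `local`, otherwise they are forwarded instead of delivered to Squid. The script below is an added example, not code from the original post or from the Squid project; it assembles the complete set of commands (sysctl, policy routing, netfilter) for the addresses, mark and port used in the post. The routing table id 100, the client-facing interface eth2 (taken from the syslog line) and the `-i` restriction on the TPROXY rule are assumptions. It prints the commands unless APPLY=1 is set, so it can be reviewed without root, and it includes a small check that can be pointed at the output of `ip rule show` on a live box.

```shell
#!/usr/bin/env bash
# Added example: full TPROXY plumbing for a Squid "http_port ... tproxy" listener.
# Values mirror the post; table id, interface and APPLY switch are assumptions.
set -euo pipefail

TPROXY_IP="${TPROXY_IP:-10.30.216.254}"   # address of the tproxy http_port in squid.conf
TPROXY_PORT="${TPROXY_PORT:-3129}"        # port of the tproxy http_port
TPROXY_MARK="${TPROXY_MARK:-0x1}"         # fwmark used by MARK and --tproxy-mark
TPROXY_TABLE="${TPROXY_TABLE:-100}"       # assumption: routing table for marked packets
CLIENT_IF="${CLIENT_IF:-eth2}"            # assumption: interface the client traffic arrives on

# Execute the command when APPLY=1, otherwise print it (dry run / review mode).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

tproxy_sysctl() {
  run sysctl -w net.ipv4.ip_forward=1
  # rp_filter must be off, including on the client interface, because the
  # proxied flows have source addresses the box would otherwise reject.
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w net.ipv4.conf.default.rp_filter=0
  run sysctl -w "net.ipv4.conf.${CLIENT_IF}.rp_filter=0"
}

# The piece missing from the post: deliver fwmark'ed packets locally.
# Without this rule/route pair TPROXY marks the SYN but the kernel still
# forwards it towards the real destination, so Squid never sees a connection.
tproxy_routing() {
  run ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
  run ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
}

tproxy_iptables() {
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
  run iptables -t mangle -A DIVERT -j ACCEPT
  # Packets that already belong to a local socket (later segments of an
  # intercepted flow) are marked and accepted before reaching TPROXY again.
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # Only intercept port 80 arriving from the client side; traffic from the
  # upstream/parent side should never be steered into the tproxy listener.
  run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
    -j TPROXY --tproxy-mark "${TPROXY_MARK}/${TPROXY_MARK}" \
    --on-port "$TPROXY_PORT" --on-ip "$TPROXY_IP"
}

tproxy_setup() {
  tproxy_sysctl
  tproxy_routing
  tproxy_iptables
}

# Diagnostic: given the text of `ip rule show`, succeed only if the fwmark
# rule for our mark and table is present (a missing rule is the first thing
# to check when counters show TPROXY hits but Squid logs nothing).
tproxy_check_rule() {
  printf '%s\n' "$1" | grep -Eq "fwmark ${TPROXY_MARK}(/[0-9a-fx]+)? lookup ${TPROXY_TABLE}"
}

# Usage: review with `./tproxy.sh`, apply with `APPLY=1 ./tproxy.sh`,
# and verify afterwards with `tproxy_check_rule "$(ip rule show)"`.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  tproxy_setup
fi
```

On the box from the post, `iptables -t mangle -L PREROUTING -v -n` already shows the TPROXY rule matching the client's SYN; running `ip rule show` and looking for a `fwmark 0x1 lookup <table>` entry, and `ip route show table <table>` for the `local default dev lo` route, is the corresponding check on the routing side.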