[squid-users] Squid tproxy net unreachable

Amos Jeffries squid3 at treenet.co.nz
Sun May 14 12:16:23 UTC 2017


On 14/05/17 01:59, Abi Askushi wrote:
> Hi,
>
> I have set up squid (v 3.1.20) with tproxy and relevant iptables and 
> policy routes. It is functioning ok except one thing, squid is not 
> able to redirect to deny page (located on same device) and it gives 
> error "101 network unreachable". I have squidguard in the setup as a 
> helper program and squidguard is doing the redirection to a page on 
> localhost. With squid in intercept mode this redirection to deny page 
> is ok. I have also disabled rpfilter in kernel. I may provide more 
> details on configs if needed.
>
> Did anyone encounter this? Any ideas?
>

It is not possible to use a global IP address (e.g. the spoofed client IP) 
to connect to any machine's lo (localhost) interface.

So Squid is not able to perform TPROXY spoofing to fetch the page your 
SG is *re-writing* (not redirecting) the URL to. If you actually are 
redirecting then the client cannot connect to the web server running in 
*its* localhost interface.


PS. Please upgrade; no up-to-date OS releases I'm aware of still ship 
Squid-3.1.

Amos
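
The two failure modes described in the reply above can be checked for in a squidGuard configuration. This is an added example, not part of the original post or of Squid/squidGuard: it assumes squidGuard's `redirect` directive, where a `302:`-style status prefix makes the helper answer an HTTP redirect and no prefix makes it a URL rewrite that Squid fetches itself; the sample lines and verdict names are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed 'redirect' lines as they would appear inside squidGuard.conf
# acl blocks (not taken from the original post).
SAMPLE_CONF = """\
redirect http://localhost/deny.html?url=%u
redirect 302:http://127.0.0.1/deny.html
redirect 302:http://192.0.2.10/deny.html
"""

def is_loopback(host):
    """True for 'localhost' or a literal loopback address (no DNS lookup)."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here

def classify(target):
    """Return (mode, verdict) for one redirect target."""
    m = re.match(r"(\d{3}):(.*)", target)
    mode = "redirect" if m else "rewrite"
    url = m.group(2) if m else target
    if not is_loopback(urlsplit(url).hostname):
        return mode, "not-loopback"
    if mode == "rewrite":
        # Squid fetches the page itself, spoofing the client IP under
        # TPROXY, and a global source address cannot reach lo.
        return mode, "squid-cannot-reach-lo"
    # The client follows the redirect and connects to *its own* localhost.
    return mode, "client-resolves-own-localhost"

def audit(conf):
    """Classify every 'redirect <target>' line in a config text."""
    found = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "redirect":
            found.append((parts[1],) + classify(parts[1]))
    return found

if __name__ == "__main__":
    for target, mode, verdict in audit(SAMPLE_CONF):
        print(f"{mode:8} {verdict:30} {target}")
```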