[squid-users] Squid tproxy net unreachable
Amos Jeffries
squid3 at treenet.co.nz
Sun May 14 12:16:23 UTC 2017
On 14/05/17 01:59, Abi Askushi wrote:
> Hi,
>
> I have setup squid (v 3.1.20) with tproxy and relevant iptables and
> policy routes. It is functioning ok except one thing, squid is not
> able to redirect to deny page (located on same device) and it gives
> error "101 network unreachable". I have squidguard in the setup as a
> helper program and squidguard is doing the redirection to a page on
> localhost. With squid in intercept mode this redirection to deny page
> is ok. I have also disabled rpfilter in kernel. I may provide more
> details on configs if needed.
>
> Did anyone encounter this? Any ideas?
>
It is not possible to use a global IP address (eg the spoofed client IP)
to connect to any machines lo (localhost) interface.
So Squid is not able to perform TPROXY spoofing to fetch the page your
SG is *re-writing* (not redirecting) the URL to. If you actually are
redirecting then the client cannot connect to the web server running in
*its* localhost interface.
PS. please upgrade, no up to date OS releases I'm aware of still ship
Squid-3.1.
Amos
More information about the squid-users
mailing list