Hi All,
I have the following setup, described in an ASCII diagram:

                            +----------------------+
 +----------+               | Linux bridge+NF      |      +-----------+
 | Win 98   |---------------| +KernelCTTProxy      |------| Linux NAT |-------------- Internet (203.88.x.x)
 +----------+               | +SquidDevel          |      +-----------+
 IP 192.168.1.10            +----------------------+      IP 192.168.1.1
 g/w 192.168.1.1            IP 192.168.1.2 (br0)          g/w 203.88.x.y
                            g/w 192.168.1.1

Squid development is an HTTP proxy server which sends the client IP in HTTP requests
(http://devel.squid-cache.org/hno/patches/squid-2.1.PATCH1.tproxy.patch).
My iptables rule is

# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to 3128

or else,

# iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3128
But I cannot access WWW services from the Win98 machine.
I'm pasting the output of tcpdump taken on the console:
--------------------------------------------------------------------------------------------------------------------------
20:21:35.502001 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: S 51670:51670(0) win 8192 <mss 1460> (DF) [tos 0x10]
20:21:35.503524 eth0 > 217.196.165.5.www > 192.168.1.10.1776: S 1874540393:1874540393(0) ack 51671 win 5840 <mss 1460> (DF)
20:21:35.503675 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: . 1:1(0) ack 1 win 8760 (DF) [tos 0x10]
20:21:35.505532 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: P 1:481(480) ack 1 win 8760 (DF) [tos 0x10]
20:21:35.506514 eth0 > 217.196.165.5.www > 192.168.1.10.1776: . 1:1(0) ack 481 win 6432 (DF)
1047394295 kernel: setup_nat, bidir lesz, proto=6, ctinfo=2
20:21:40.367032 br0 > 192.168.1.1.2622 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
kernel: setup_nat, bidir lesz, proto=6, ctinfo=2
kernel: IP_TPROXY: ip_tproxy_setup_nat(): already inited! adding nat entry hooknum=4 61cb09c0:3d0a -> cbcb09c0:3e0a
20:21:43.358441 br0 > 192.168.1.1.2622 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
kernel: setup_nat, bidir lesz, proto=6, ctinfo=2
kernel: IP_TPROXY: ip_tproxy_setup_nat(): already inited! adding nat entry hooknum=4 61cb09c0:3d0a -> cbcb09c0:3e0a
20:21:49.358449 br0 > 192.168.1.1.2622 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
kernel: setup_nat, bidir lesz, proto=6, ctinfo=2
kernel: IP_TPROXY: ip_tproxy_setup_nat(): already inited! adding nat entry hooknum=4 61cb09c0:3d0a -> cbcb09c0:3e0a
--------------------------------------------------------------------------------------------------------------------------

The above dump contains some strange kernel messages on the console too. And why does br0 see packets going from 192.168.1.1 to 217.196.165.5 (bold lines)? Let me clarify that these packets are seen on br0 only if I insert the iptable_tproxy and ipt_TPROXY modules and then enable either of the transparent redirection rules.

Is it possible to run this kind of setup?
Also, I can run this solution of sending the client IP without having a bridging interface enabled, just like the following (one more ASCII diagram):

                +----------------------+
                | Linux bridge+NF      |
                | +KernelCTTProxy      |
                | +SquidDevel          |
                +----------------------+
                IP 192.168.1.2 (eth0)
                g/w 192.168.1.1
                          |
 +----------+             |             +-----------+
 | Win 98   |-------------+-------------| Linux NAT |-------------- Internet (203.88.x.x)
 +----------+                           +-----------+
 IP 192.168.1.10                        IP 192.168.1.1
 g/w 192.168.1.1                        g/w 203.88.x.y
                                        (route add -host 192.168.1.10 via 192.168.1.2)

The Win98 browser contains the proxy setting (192.168.1.2, port 3128).
Any advice? Is there a bug with REDIRECT to a local process, because my process also gets the source IP address 192.168.1.1?
Thankx,
--Sumit
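The two things worth pulling out of a capture like the one above are (a) whether the proxy's outbound SYN on the upstream interface carries the client's address, which is the whole point of the tproxy patch, and (b) whether anything ever answers that SYN (the br0 SYN is repeated with the same sequence number, i.e. it is being retransmitted unanswered). The script below is an added example by the editor, not code from the post or from the Squid/tproxy projects. It parses the tcpdump 3.x-style text format used in the post (timestamp, interface, direction flag, `src > dst:` and TCP flags), skips the interleaved `kernel:` console lines, and reports both checks. The first sample is the post's own capture, one record per line; the second is a hypothetical capture constructed to show what a working spoofing proxy would look like (client address reused on br0, SYN-ACK coming back), and is not from the post.

```python
"""Check a transparent-proxy capture: is the client address preserved upstream,
and are the upstream SYNs answered?  (Added example, not the poster's code.)"""
import re
from collections import Counter

# Constructed sample 1: the post's capture, one tcpdump record per line,
# with the interleaved kernel console messages left in (they are skipped).
SAMPLE = """\
20:21:35.502001 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: S 51670:51670(0) win 8192 <mss 1460> (DF) [tos 0x10]
20:21:35.503524 eth0 > 217.196.165.5.www > 192.168.1.10.1776: S 1874540393:1874540393(0) ack 51671 win 5840 <mss 1460> (DF)
20:21:35.503675 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: . 1:1(0) ack 1 win 8760 (DF) [tos 0x10]
20:21:35.505532 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: P 1:481(480) ack 1 win 8760 (DF) [tos 0x10]
20:21:35.506514 eth0 > 217.196.165.5.www > 192.168.1.10.1776: . 1:1(0) ack 481 win 6432 (DF)
1047394295 kernel: setup_nat, bidir lesz, proto=6, ctinfo=2
20:21:40.367032 br0 > 192.168.1.1.2622 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
kernel: IP_TPROXY: ip_tproxy_setup_nat(): already inited! adding nat entry hooknum=4 61cb09c0:3d0a -> cbcb09c0:3e0a
20:21:43.358441 br0 > 192.168.1.1.2622 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
20:21:49.358449 br0 > 192.168.1.1.2622 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
"""

# Constructed sample 2 (hypothetical, NOT from the post): what a working
# client-address-preserving proxy would show: the upstream SYN on br0 is
# sourced from the client's IP and the server's SYN-ACK comes back.
WORKING_SAMPLE = """\
20:21:35.502001 eth0 P 192.168.1.10.1776 > 217.196.165.5.www: S 51670:51670(0) win 8192 <mss 1460> (DF)
20:21:35.504000 br0 > 192.168.1.10.1776 > 217.196.165.5.www: S 1882259056:1882259056(0) win 5840 <mss 1460> (DF)
20:21:35.600000 br0 < 217.196.165.5.www > 192.168.1.10.1776: S 99:99(0) ack 1882259057 win 5840 <mss 1460> (DF)
"""

# tcpdump 3.x text record: "<time> <ifname> <dirflag> <src> > <dst>: <flags> <seq>:<end>(<len>) ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<ifc>\S+)\s+(?P<dir>[<>PB])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)\s+"
    r"(?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$"
)
SERVICES = {"www": 80, "http": 80, "https": 443}  # names tcpdump substitutes for ports


def split_endpoint(ep):
    """'217.196.165.5.www' -> ('217.196.165.5', 80)."""
    host, port = ep.rsplit(".", 1)
    return host, SERVICES.get(port) or int(port)


def parse(text):
    """Return one dict per TCP record; non-matching lines (kernel noise) are dropped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        pkts.append({
            "ts": m["ts"], "ifc": m["ifc"], "dir": m["dir"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "syn": "S" in m["flags"], "ack": "ack" in m["rest"].split(),
            "seq": int(m["seq"]),
        })
    return pkts


def analyze(text, client_ip, upstream_ifc):
    """Report whether SYNs leaving on upstream_ifc keep client_ip as their
    source, which SYNs were retransmitted, and which flows never got a SYN-ACK."""
    pkts = parse(text)
    syns = [p for p in pkts if p["syn"] and not p["ack"]]
    synacks = {(p["dst"], p["dport"], p["src"], p["sport"])
               for p in pkts if p["syn"] and p["ack"]}
    seen = Counter()     # (ifc, src, sport, dst, dport, seq) -> count
    upstream = {}        # flow -> True if sourced from the client address
    for p in syns:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        seen[(p["ifc"],) + flow + (p["seq"],)] += 1
        if p["ifc"] == upstream_ifc:
            upstream[flow] = p["src"] == client_ip
    retransmits = {k[:5]: n for k, n in seen.items() if n > 1}
    unanswered = sorted(f for f in {k[1:5] for k in seen} if f not in synacks)
    return {
        "upstream_flows": upstream,
        "address_preserved": all(upstream.values()) if upstream else None,
        "syn_retransmits": retransmits,
        "unanswered": unanswered,
    }


if __name__ == "__main__":
    for name, cap in (("post's capture", SAMPLE), ("hypothetical working capture", WORKING_SAMPLE)):
        r = analyze(cap, client_ip="192.168.1.10", upstream_ifc="br0")
        print(f"{name}: client address preserved={r['address_preserved']} "
              f"unanswered={r['unanswered']} retransmits={r['syn_retransmits']}")
```

On the post's capture this reports that the only upstream SYN is sourced from 192.168.1.1 (the bridge's gateway address, not the client), that it was sent three times with the same sequence number, and that no SYN-ACK for it ever appeared; the SYN-ACK that did appear was on eth0 towards the client, i.e. the handshake the client saw was completed locally by the redirect. Run it against your own dump after each rule change to see whether the br0 source address moves to the client's IP.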