Re: [squid-users] transparent proxy in squid3

[pplive]

Dear Amos,

Finally I have solved the problem!

The thing is, when I redirect the http.alt packet from the switch, I
need to modify the dst mac address as the mac address of the squid3
machine.

After doing this, a simple command works as follows:

yeung@nodec1:/var/log/squid3$ sudo iptables -t nat -A PREROUTING -p
tcp --dport 8080 -j REDIRECT --to-port 3128

THanks a lot for your strong help!

Best,
Alex


On Mon, Mar 5, 2012 at 10:30 PM, pplive p2pne...@googlemail.com wrote:
 Dear Amos,

 Thanks for your great hint of tcpdump gets packets before any of the
 iptables etc handling gets done to them and  We have to rely on
 ebtables/iptables LOG functionality for those bits

 Now I start debugging iptables, using
 sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG
 --log-prefix TEST: 

 from node-s (sender), we run [node-s (sender), 10.0.1.1, node-r,
 10.0.2.1 (receiver), the squid3 machine is 10.0.3.1]

 wget 10.0.2.1:8080

 while we still see
 19:20:09.439059 IP nodes-links.40520  noder-linkr.http-alt: Flags
 [S], seq 4014254024, win 5840, options [mss 1460,sackOK,TS val
 68449700 ecr 0,nop,wscale 6],
 in tcpdump, we see nothing in the iptables log

 in contrast, if we run 'wget 10.0.3.1:8080' (directly connect to 8080
 port of squid3 machine, although there is no service)
 we see information in both tcpdump
 19:26:51.347175 IP nodes-links.41022  nodec1-tblink-l9.http-alt:
 Flags [S], seq 1779139991, win 5840, options [mss 1460,sackOK,TS val
 68550176 ecr 0,nop,wscale 6], length 0
 19:26:51.347287 IP nodec1-tblink-l9.http-alt  nodes-links.41022:
 Flags [R.], seq 0, ack 1779139992, win 0, length 0
 
 and iptables log
 
 Mar  5 19:24:09 nodec1 kernel: [28094.303462] TEST: IN=eth0 OUT=
 MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1
 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP
 SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
 Mar  5 19:24:09 nodec1 kernel: [28094.303495] TEST: IN=eth0 OUT=
 MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1
 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP
 SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
 

 Can we conclude the error was happened due to
 sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG
 --log-prefix TEST: 
 cannot pick up the 8080 packet forwarded by the switch? Can some
 packet loss happen before this step?

 I am sorry I am not very familiar with the linux kernel/system...and
 bother you so much trouble...

 Thanks a lo!

 On Mon, Mar 5, 2012 at 5:57 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 06.03.2012 11:09, pplive wrote:

 Dear Amos,

 To see whether there were some internal firewall in my system , I
 tried a simpler topology, i.e.,

 Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server
 (10.0.0.2)

 I just follow the setting in


 http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

 brctl addbr br0
 brctl addif br0 eth0
 brctl addif br0 eth1

 ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT


 ACCEPT on the layer-2 bridging is to handle the packet entirely at that
 low layer.

 It needs to be DROPed out of the bridging layer into to iptables layer
 handling before NAT can change the IP/port and routing can shift it to INPUT
 path where Squid gets it.




 iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
 --to-port 3128

 According to tcpdump, we can see the packets are forwarded to port 3128
 (I use wget 10.0.0.2:8080 at the client)

 14:04:50.282381 IP 10.0.0.1.33088  10.0.0.10.3128: Flags [S], seq
 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
 0,nop,wscale 6], length 0
 14:04:53.212426 IP 10.0.0.1.33088  10.0.0.10.3128: Flags [S], seq
 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
 0,nop,wscale 6], length 0

 Still, I am confusing of using one NIC, how can I redirect the packets
 to port 3128.


 NAT is a special system which can change packets on both bridging and
 routing layers but does not itself make them change layer.

  So what the above trace shows is that packets arriving are NAT/NAPT changed
 as they flow through the bridge. But not anything else.


 tcpdump gets packets before any of the iptables etc handling gets done to
 them. So its useful to verify that the packets are arriving and/or leaving
 the NIC as expected. but not much help deciphering what is happening to them
 in the middle around where Squid sits.
  We have to rely on ebtables/iptables LOG functionality for those bits.


 I'm sorry I can't be of much more help. Beyond suggesting to try later
 versions of the software including kernel I've run out of ideas.

 Amos

Re: [squid-users] transparent proxy in squid3

[pplive]

Dear Amos,

I did restart the networking.

When I just to review all iptables settings, from tcpdump we can see

09:35:23.830038 IP nodes-links.37711  noder-linkr.http-alt: Flags
[S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
59678297 ecr 0,nop,wscale 6], length 0
09:35:26.827763 IP nodes-links.37711  noder-linkr.http-alt: Flags
[S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
59679047 ecr 0,nop,wscale 6], length 0
09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46

I think the nodec1 (my squid3 machine) is even able to start an ARP query.

My OS is Ubuntu, kernel version
yeung@nodec1:/etc/squid3$ uname -r
2.6.32-34-generic-pae

I have checked the rp_filter setting, it has been disabled.

Sorry for causing you trouble.

Best,
Alex


On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 5/03/2012 4:29 p.m., pplive wrote:

 Dear Amos,


 On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:

 On 05.03.2012 06:40, pplive wrote:

 Dear Amos,

 Thanks a lot! By looking at your URL, I have enter the following
 commands in my squid3 machine (my HTTP service is at PORT 8080), the
 squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:

 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
 --dport 8080 -j ACCEPT
 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
 -j DNAT --to-destination 10.0.3.1:3128
 yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
 yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
 3128 -j DROP

 snip


 However, the proxy still has some problem, when we start wget from the
 HTTP client
 yeung@nodes:~$ wget 10.0.2.1:8080
 --2012-03-04 09:31:39--  http://10.0.2.1:8080/
 Connecting to 10.0.2.1:8080... ^C


 So far good (modulo the testing with port-8080 factor).


 yeung@nodes:~$

 We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
 following message:
 09:31:39.384558 IP nodes-links.51902  noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022185 ecr 0,nop,wscale 6], length 0
 09:31:42.379034 IP nodes-links.51902  noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022935 ecr 0,nop,wscale 6], length 0

 It seems that there were some HTTP-alt traffic coming in from the
 switch, but no HTTP traffic going out of the squid3 machine.

 Is this a dump of all packets involving port 8080? or did you add an IP
 address or interface direction to hide some packets?

 Yes, I use 'sudo tcpdump -i eth0', and I have skip some LLDP messages
 as follows (as the squid3 machine is connected to a programmable
 switch):


 Does Squid already have a cached copy of the URL object being used as a
 test?

 There is nothing in access.log


 I'm thinking it is probably something in the kernel security controls then.
 SELinux can block interception because it is an MITM attack on the clients.
 Also rp_filter can block the TCP connections in strange places and show up
 like this. Did you restart the networking on the squid box after changing
 sysctl.conf (/etc/init.d/networking restart)

 Amos

Re: [squid-users] transparent proxy in squid3

[pplive]

Dear Amos,

To see whether there were some internal firewall in my system , I
tried a simpler topology, i.e.,

Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server (10.0.0.2)

I just follow the setting in
http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 8080 -j redirect --redirect-target ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
--to-port 3128

According to tcpdump, we can see the packets are forwarded to port 3128
(I use wget 10.0.0.2:8080 at the client)

14:04:50.282381 IP 10.0.0.1.33088  10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088  10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
0,nop,wscale 6], length 0

Still, I am confusing of using one NIC, how can I redirect the packets
to port 3128.

Thanks a lot!

Best regards,
Alex

On Mon, Mar 5, 2012 at 4:19 PM, pplive p2pne...@googlemail.com wrote:
 Dear Amos,

 I did restart the networking.

 When I just to review all iptables settings, from tcpdump we can see

 09:35:23.830038 IP nodes-links.37711  noder-linkr.http-alt: Flags
 [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
 59678297 ecr 0,nop,wscale 6], length 0
 09:35:26.827763 IP nodes-links.37711  noder-linkr.http-alt: Flags
 [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
 59679047 ecr 0,nop,wscale 6], length 0
 09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46

 I think the nodec1 (my squid3 machine) is even able to start an ARP query.

 My OS is Ubuntu, kernel version
 yeung@nodec1:/etc/squid3$ uname -r
 2.6.32-34-generic-pae

 I have checked the rp_filter setting, it has been disabled.

 Sorry for causing you trouble.

 Best,
 Alex


 On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 5/03/2012 4:29 p.m., pplive wrote:

 Dear Amos,


 On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:

 On 05.03.2012 06:40, pplive wrote:

 Dear Amos,

 Thanks a lot! By looking at your URL, I have enter the following
 commands in my squid3 machine (my HTTP service is at PORT 8080), the
 squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:

 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
 --dport 8080 -j ACCEPT
 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
 -j DNAT --to-destination 10.0.3.1:3128
 yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
 yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
 3128 -j DROP

 snip


 However, the proxy still has some problem, when we start wget from the
 HTTP client
 yeung@nodes:~$ wget 10.0.2.1:8080
 --2012-03-04 09:31:39--  http://10.0.2.1:8080/
 Connecting to 10.0.2.1:8080... ^C


 So far good (modulo the testing with port-8080 factor).


 yeung@nodes:~$

 We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
 following message:
 09:31:39.384558 IP nodes-links.51902  noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022185 ecr 0,nop,wscale 6], length 0
 09:31:42.379034 IP nodes-links.51902  noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022935 ecr 0,nop,wscale 6], length 0

 It seems that there were some HTTP-alt traffic coming in from the
 switch, but no HTTP traffic going out of the squid3 machine.

 Is this a dump of all packets involving port 8080? or did you add an IP
 address or interface direction to hide some packets?

 Yes, I use 'sudo tcpdump -i eth0', and I have skip some LLDP messages
 as follows (as the squid3 machine is connected to a programmable
 switch):


 Does Squid already have a cached copy of the URL object being used as a
 test?

 There is nothing in access.log


 I'm thinking it is probably something in the kernel security controls then.
 SELinux can block interception because it is an MITM attack on the clients.
 Also rp_filter can block the TCP connections in strange places and show up
 like this. Did you restart the networking on the squid box after changing
 sysctl.conf (/etc/init.d/networking restart)

 Amos

Re: [squid-users] transparent proxy in squid3

[pplive]

Dear Amos,

Thanks for your great hint of tcpdump gets packets before any of the
iptables etc handling gets done to them and  We have to rely on
ebtables/iptables LOG functionality for those bits

Now I start debugging iptables, using
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG
--log-prefix TEST: 

from node-s (sender), we run [node-s (sender), 10.0.1.1, node-r,
10.0.2.1 (receiver), the squid3 machine is 10.0.3.1]

wget 10.0.2.1:8080

while we still see
19:20:09.439059 IP nodes-links.40520  noder-linkr.http-alt: Flags
[S], seq 4014254024, win 5840, options [mss 1460,sackOK,TS val
68449700 ecr 0,nop,wscale 6],
in tcpdump, we see nothing in the iptables log

in contrast, if we run 'wget 10.0.3.1:8080' (directly connect to 8080
port of squid3 machine, although there is no service)
we see information in both tcpdump
19:26:51.347175 IP nodes-links.41022  nodec1-tblink-l9.http-alt:
Flags [S], seq 1779139991, win 5840, options [mss 1460,sackOK,TS val
68550176 ecr 0,nop,wscale 6], length 0
19:26:51.347287 IP nodec1-tblink-l9.http-alt  nodes-links.41022:
Flags [R.], seq 0, ack 1779139992, win 0, length 0

and iptables log

Mar  5 19:24:09 nodec1 kernel: [28094.303462] TEST: IN=eth0 OUT=
MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1
DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP
SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 19:24:09 nodec1 kernel: [28094.303495] TEST: IN=eth0 OUT=
MAC=00:04:23:ae:cc:38:00:0e:0c:68:a8:58:08:00 SRC=10.0.1.1
DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62692 DF PROTO=TCP
SPT=41021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0


Can we conclude the error was happened due to
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG
--log-prefix TEST: 
cannot pick up the 8080 packet forwarded by the switch? Can some
packet loss happen before this step?

I am sorry I am not very familiar with the linux kernel/system...and
bother you so much trouble...

Thanks a lo!

On Mon, Mar 5, 2012 at 5:57 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 06.03.2012 11:09, pplive wrote:

 Dear Amos,

 To see whether there were some internal firewall in my system , I
 tried a simpler topology, i.e.,

 Client (10.0.0.1) (eth0) - (eth0) Squid3 (eth1) - (eth0) Server
 (10.0.0.2)

 I just follow the setting in


 http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables

 brctl addbr br0
 brctl addif br0 eth0
 brctl addif br0 eth1

 ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
 --ip-destination-port 8080 -j redirect --redirect-target ACCEPT


 ACCEPT on the layer-2 bridging is to handle the packet entirely at that
 low layer.

 It needs to be DROPed out of the bridging layer into to iptables layer
 handling before NAT can change the IP/port and routing can shift it to INPUT
 path where Squid gets it.




 iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
 --to-port 3128

 According to tcpdump, we can see the packets are forwarded to port 3128
 (I use wget 10.0.0.2:8080 at the client)

 14:04:50.282381 IP 10.0.0.1.33088  10.0.0.10.3128: Flags [S], seq
 388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
 0,nop,wscale 6], length 0
 14:04:53.212426 IP 10.0.0.1.33088  10.0.0.10.3128: Flags [S], seq
 388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
 0,nop,wscale 6], length 0

 Still, I am confusing of using one NIC, how can I redirect the packets
 to port 3128.


 NAT is a special system which can change packets on both bridging and
 routing layers but does not itself make them change layer.

  So what the above trace shows is that packets arriving are NAT/NAPT changed
 as they flow through the bridge. But not anything else.


 tcpdump gets packets before any of the iptables etc handling gets done to
 them. So its useful to verify that the packets are arriving and/or leaving
 the NIC as expected. but not much help deciphering what is happening to them
 in the middle around where Squid sits.
  We have to rely on ebtables/iptables LOG functionality for those bits.


 I'm sorry I can't be of much more help. Beyond suggesting to try later
 versions of the software including kernel I've run out of ideas.

 Amos

Re: [squid-users] transparent proxy in squid3

[pplive]

Dear Amos,

Thanks a lot! By looking at your URL, I have enter the following
commands in my squid3 machine (my HTTP service is at PORT 8080), the
squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
10.0.2.1, HTTP client (nodes) is at 10.0.1.1:

yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
--dport 8080 -j ACCEPT
yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
-j DNAT --to-destination 10.0.3.1:3128
yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
3128 -j DROP

yeung@nodec1:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
ACCEPT tcp  --  nodec1-tblink-l9 anywheretcp dpt:http-alt
DNAT   tcp  --  anywhere anywheretcp
dpt:http-alt to:10.0.3.1:3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination
MASQUERADE  all  --  anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

yeung@nodec1:~$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
DROP   tcp  --  anywhere anywheretcp dpt:3128

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination

However, the proxy still has some problem, when we start wget from the
HTTP client
yeung@nodes:~$ wget 10.0.2.1:8080
--2012-03-04 09:31:39--  http://10.0.2.1:8080/
Connecting to 10.0.2.1:8080... ^C
yeung@nodes:~$

We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
following message:
09:31:39.384558 IP nodes-links.51902  noder-linkr.http-alt: Flags
[S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902  noder-linkr.http-alt: Flags
[S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
38022935 ecr 0,nop,wscale 6], length 0

It seems that there were some HTTP-alt traffic coming in from the
switch, but no HTTP traffic going out of the squid3 machine.

I am really sorry for continuing this problem.

Best regards!

On Fri, Mar 2, 2012 at 7:39 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 3/03/2012 12:51 p.m., pplive wrote:

 Dear all,

 I try to configure a transparent web proxy through squid 3, here is
 the network topology

 Users -  Switch -  Internet

 Users means a couple of PCs, all of them have public IP, all of them
 are connected to a switch. One PC among them is designed to be a proxy
 machine. The switch is programmable, thus for the TCP packets with
 destination address 80, it can be re-directed to the proxy machine.
 For other packets, it will be forwarded further to the Internet. The
 programmable switch has been tested and works well.

 The proxy machine has installed squid3, the listening port is 3128,
 and we have configure 'http_port 3128 transparent' in squid.conf . One
 problem is this machine has only one NIC (eth0), thus we can not use
 the method proposed in

 http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
 (using a bridge)

 I have tried several iptable settings, such as

 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
 --to-port 3128
 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
 xx.yy.zz.ii:3128

 Neither of them works.


 There are several other iptables rules involved, along with sysctl
 requirements. See
 http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

 the Squid 3.1 ptions is intercept for NAT interception proxy. Transparent
 proxy is something else.

 If you have any other problems after fixing all that check the switch is
 bypassing the redirect when the packets for port 80 come *out* of the squid
 box.

 Amos

Re: [squid-users] transparent proxy in squid3

[pplive]

Dear Amos,

On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 05.03.2012 06:40, pplive wrote:

 Dear Amos,

 Thanks a lot! By looking at your URL, I have enter the following
 commands in my squid3 machine (my HTTP service is at PORT 8080), the
 squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:

 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
 --dport 8080 -j ACCEPT
 yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
 -j DNAT --to-destination 10.0.3.1:3128
 yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
 yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
 3128 -j DROP

 snip


 However, the proxy still has some problem, when we start wget from the
 HTTP client
 yeung@nodes:~$ wget 10.0.2.1:8080
 --2012-03-04 09:31:39--  http://10.0.2.1:8080/
 Connecting to 10.0.2.1:8080... ^C


 So far good (modulo the testing with port-8080 factor).


 yeung@nodes:~$

 We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
 following message:
 09:31:39.384558 IP nodes-links.51902  noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022185 ecr 0,nop,wscale 6], length 0
 09:31:42.379034 IP nodes-links.51902  noder-linkr.http-alt: Flags
 [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
 38022935 ecr 0,nop,wscale 6], length 0

 It seems that there were some HTTP-alt traffic coming in from the
 switch, but no HTTP traffic going out of the squid3 machine.


 Is this a dump of all packets involving port 8080? or did you add an IP
 address or interface direction to hide some packets?
Yes, I use 'sudo tcpdump -i eth0', and I have skip some LLDP messages
as follows (as the squid3 machine is connected to a programmable
switch):

19:20:32.892968 LLDP, name HP10e1, length 175
[|LLDP]
19:21:02.893220 LLDP, name HP10e1, length 175
[|LLDP]
19:21:32.926454 LLDP, name HP10e1, length 175
[|LLDP]
19:22:02.926704 LLDP, name HP10e1, length 175
[|LLDP]
19:22:32.926953 LLDP, name HP10e1, length 175
[|LLDP]
19:23:02.926954 LLDP, name HP10e1, length 175
[|LLDP]



 Does Squid already have a cached copy of the URL object being used as a
 test?

There is nothing in access.log

In store.log, there were something like:
1330884676.947 RELEASE -1  EF04955C9C3C77E5D1B6FF62A7A3FCD3
200 1330881076 1330881076-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330888276.971 RELEASE -1  68D3201BA065E81CE2C8EBCAFA5A09B7
200 1330884676 1330884676-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330891876.995 RELEASE -1  CD3C59C716DCC1044CB8CA3FDAA5FA87
200 1330888276 1330888276-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330901292.051 RELEASE -1  4C1B76CACC62E006B31038BD1ECA0E6C
200 1330897692 1330897692-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330904892.075 RELEASE -1  7C594B62FAFC7F6E089C2AB00A12F3DD
200 1330901292 1330901292-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330908492.099 RELEASE -1  7A850805E7A84AE3F1E4F6F459C808E4
200 1330904892 1330904892-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330912092.123 RELEASE -1  AB296C5B26704A2C167005139C0A42C1
200 1330908492 1330908492-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest
1330915692.147 RELEASE -1  20640CFA0B07E42FC24ADB3D87C57338
200 1330912092 1330912092-1 application/cache-digest 185/185
GET http://localhost:3128/squid-internal-periodic/store_digest

Thanks a lot!


 Amos

[squid-users] transparent proxy in squid3

[pplive]

Dear all,

I try to configure a transparent web proxy through squid 3, here is
the network topology

Users - Switch - Internet

Users means a couple of PCs, all of them have public IP, all of them
are connected to a switch. One PC among them is designed to be a proxy
machine. The switch is programmable, thus for the TCP packets with
destination address 80, it can be re-directed to the proxy machine.
For other packets, it will be forwarded further to the Internet. The
programmable switch has been tested and works well.

The proxy machine has installed squid3, the listening port is 3128,
and we have configure 'http_port 3128 transparent' in squid.conf . One
problem is this machine has only one NIC (eth0), thus we can not use
the method proposed in
http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
(using a bridge)

I have tried several iptable settings, such as

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
xx.yy.zz.ii:3128

Neither of them works.

Use 'tcpdump -i eth0' on the proxy machine, we can see the first
packet of every HTTP request, forwarded by the switch, but nothing
else.

Could somebody provide me some hints on this? Thanks a lot!

Best regards,
Alex Chan