Amos,

Do you have an idea as to what I am doing wrong here?

Thanks,

On Fri, Feb 22, 2013 at 12:40 PM, Roman Gelfand <rgelfa...@gmail.com> wrote:
> Thanks for taking time to help me out.
>
> If I understood you correctly, I think I made the changes you
> mentioned including iptables -A FORWARD -i eth0 -j ACCEPT line.
>
> Still no luck.  Below are the diagnostics.
>
> Chain PREROUTING (policy ACCEPT 13 packets, 8499 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   337 93649 ACCEPT     all  --  any    any     anywhere             192.168.8.21
>   226 48201 DIVERT     tcp  --  any    any     anywhere             anywhere             socket
>     0     0 TPROXY     tcp  --  any    any     anywhere             anywhere             tcp dpt:www TPROXY redirect 0.0.0.0:3228 mark 0x1/0x1
>     0     0 TPROXY     tcp  --  any    any     anywhere             anywhere             tcp dpt:https TPROXY redirect 0.0.0.0:3229 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 576 packets, 150K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 644 packets, 135K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 644 packets, 135K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain DIVERT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   226 48201 MARK       all  --  any    any     anywhere             anywhere             MARK set 0x1
>   226 48201 ACCEPT     all  --  any    any     anywhere             anywhere
>
>
> On Fri, Feb 22, 2013 at 2:14 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>> On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
>>>
>>> On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries <squ...@treenet.co.nz>
>>> wrote:
>>>>
>>>> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>>>>
>>>>> Please find below the network topology, squid.conf and rc.local
>>>>> configuration files.  It appears that Squid is not routing the
>>>>> http requests.  I am not sure what I am doing wrong here.
>>>>> Please note, the same squid.conf works as a transparent proxy (non
>>>>> tproxy), with the exception of the tproxy keyword and service changes.
>>>>> Thanks in advance,
>>>>>
>>>>>                                              WAN
>>>>>                                              ||
>>>>>                                              ||
>>>>>                 wccp/gre tunnel              ||
>>>>> squid 3.3 =========================== Fortigate FW/RT  Int ip 1 192.168.8.1
>>>>> ip: 192.168.8.21                           ||             Int ip 2 192.168.11.1
>>>>>                                              ||             Ext ip XX.XX.XXX.24
>>>>>                                              ||
>>>>>                                              ||
>>>>>                                         WLAN Router  Int. ip 192.168.11.32  Ext. ip 192.168.7.1
>>>>>                                              ||
>>>>>                                              ||
>>>>>                                              ||
>>>>>                                  Client Workstation 192.168.7.110
>>>>>
>>>>>
>>>>> #!/bin/sh -e
>>>>> #
>>>>> # rc.local
>>>>> #
>>>>> # This script is executed at the end of each multiuser runlevel.
>>>>> # Make sure that the script will "exit 0" on success or any other
>>>>> # value on error.
>>>>> #
>>>>> # In order to enable or disable this script just change the execution
>>>>> # bits.
>>>>> #
>>>>> # By default this script does nothing.
>>>>> # GRE Tunnel :
>>>>> echo "Loading modules.."
>>>>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>>>>
>>>>> LOCALIP="192.168.8.21"
>>>>> FORTIDIRIP="192.168.8.1"
>>>>> FORTIIPID="XX.XX.XXX.254"
>>>>> echo "changing routing and reverse path stuff.."
>>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>
>>>>
>>>> What about rp_filter on eth0, where the traffic is actually exiting the
>>>> Squid box?
>>>
>>> Could you elaborate on this?
>>
>>
>> What rp_filter does is prevent packets from local software using that
>> interface from using IP addresses that do not belong to that box.
>>
>> The purpose of TPROXY is to spoof the _client's_ IP address on outgoing
>> traffic, which does not leave the machine on lo, but through eth0 or some
>> other interface.
>>
>>
>> Amos

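Added example, not part of the thread: a small POSIX sh check for the rp_filter point Amos raises. The kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so clearing it on lo alone (as the posted rc.local does) leaves eth0 free to drop TPROXY-spoofed replies. SYSCTL_ROOT and the eth0 egress interface are assumptions.

```shell
#!/bin/sh
# Verify rp_filter is off on every interface TPROXY-spoofed packets traverse.
# SYSCTL_ROOT is overridable so the logic can be exercised against a
# constructed directory tree instead of the live /proc.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the raw rp_filter value for interface $1 (nothing if the file is absent).
rp_filter_raw() {
    f="$SYSCTL_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; fi
}

# Effective value the kernel uses for $1: max(conf/all, conf/$1).
rp_filter_effective() {
    a=$(rp_filter_raw all); i=$(rp_filter_raw "$1")
    a=${a:-0}; i=${i:-0}
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Return 0 when every listed interface has an effective rp_filter of 0;
# otherwise name the offenders on stderr and return 1.
check_tproxy_rp_filter() {
    rc=0
    for dev in "$@"; do
        eff=$(rp_filter_effective "$dev")
        if [ "$eff" -ne 0 ]; then
            echo "rp_filter still active on $dev (effective value $eff)" >&2
            rc=1
        fi
    done
    return $rc
}

# Clear rp_filter on "all" and on each listed interface (needs root).
disable_tproxy_rp_filter() {
    for dev in all "$@"; do
        echo 0 > "$SYSCTL_ROOT/$dev/rp_filter"
    done
}

# On the Squid box from the thread, assuming eth0 is the egress interface:
#   disable_tproxy_rp_filter lo eth0 && check_tproxy_rp_filter lo eth0
```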