[squid-users] Strange work of Tproxy

From: Дмитрий Мясников <jamaica.d.a_at_gmail.com>
Date: Fri, 27 Aug 2010 18:06:08 +0400

Hello!
Tproxy works in a strange way on my Debian Squeeze machine.
Everything was set up using this manual
http://wiki.squid-cache.org/Features/Tproxy4 but all I see in
access.log is MISS/000 and MISS/503. The Internet doesn't work properly.
Info about my server:

root_at_proxy:~# uname -a
Linux proxy 2.6.30-2-686 #1 SMP Fri Dec 4 00:53:20 UTC 2009 i686 GNU/Linux

squid was installed from repository
root_at_proxy:~# squid3 -v
Squid Cache: Version 3.1.6
configure options: '--build=i486-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--disable-translation'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS='
'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2'
--with-squid=/home/luigi/debian/squid3/build-area/squid3-3.1.6

config was modified by adding ():
http_port 3129 tproxy
acl localnet src 192.168.1.0/24
http_access allow localnet

root_at_proxy:~# aptitude show libcap2 libcap-dev
Package: libcap2
State: installed
Automatically installed: no
Version: 1:2.19-3
Priority: standard
Section: libs
Maintainer: Torsten Werner <twerner_at_debian.org>
Uncompressed Size: 69.6k
Depends: libattr1 (>= 2.4.41-1), libc6 (>= 2.3)
Description: support for getting/setting POSIX.1e capabilities
 This library implements the user-space interfaces to the POSIX 1003.1e
 capabilities available in Linux kernels. These capabilities are a
 partitioning of the all powerful root privilege into a set of distinct
 privileges.
Homepage: http://sites.google.com/site/fullycapable/

Package: libcap-dev
State: installed
Automatically installed: no
Version: 1:2.19-3
Priority: optional
Section: libdevel
Maintainer: Torsten Werner <twerner_at_debian.org>
Uncompressed Size: 111k
Depends: libcap2 (= 1:2.19-3)
Suggests: manpages-dev
Conflicts: libcap2-dev
Replaces: libcap2-dev
Provides: libcap2-dev
Description: development libraries and header files for libcap2
 Contains the necessary support for building applications that use capabilities.
Homepage: http://sites.google.com/site/fullycapable/

root_at_proxy:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
prevent_tproxy_loop tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain prevent_tproxy_loop (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere

What can I do in this situation?
Received on Fri Aug 27 2010 - 14:06:10 MDT
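
An added example, not part of the original post: a consistency check between the two artifacts the message shows, the `http_port ... tproxy` line and the `iptables -t mangle -L` listing. It verifies that the TPROXY rule redirects to a port Squid listens on in tproxy mode, that a `socket` match rule sits ahead of it, and that the chain it jumps to sets the mark the TPROXY rule uses; the function names and sample strings are constructed for illustration.

```python
import re

# Constructed inputs shaped like the post's squid.conf lines and mangle listing.
SQUID_CONF = """http_port 3129 tproxy
http_access allow localnet"""
MANGLE = """Chain PREROUTING (policy ACCEPT)
target prot opt source destination
prevent_tproxy_loop tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
Chain prevent_tproxy_loop (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere"""

def tproxy_ports(conf):
    """Ports of every http_port line that carries the tproxy flag."""
    rows = (l.split("#", 1)[0].split() for l in conf.splitlines())
    return {int(f[1].rsplit(":", 1)[-1]) for f in rows
            if len(f) > 2 and f[0] == "http_port" and "tproxy" in f[2:]}

def chains(listing):
    """Map chain name -> list of rule lines (column header skipped)."""
    out, cur = {}, None
    for line in filter(None, map(str.strip, listing.splitlines())):
        if line.startswith("Chain "):
            cur = out.setdefault(line.split()[1], [])
        elif cur is not None and not line.startswith("target"):
            cur.append(line)
    return out

def check(conf, listing):
    """Return mismatches between squid.conf and the mangle table."""
    ch, problems = chains(listing), []
    pre = ch.get("PREROUTING", [])
    tp = next((i for i, r in enumerate(pre) if r.startswith("TPROXY ")), None)
    m = tp is not None and re.search(r"redirect \S+:(\d+) mark (0x[0-9a-f]+)", pre[tp])
    if not m:
        return ["no parsable TPROXY rule in mangle PREROUTING"]
    port, mark = m.groups()
    if int(port) not in tproxy_ports(conf):
        problems.append(f"TPROXY redirects to {port}, no tproxy http_port there")
    sock = [r.split()[0] for r in pre[:tp] if "socket" in r.split()[5:]]
    if not sock:
        problems.append("no socket-match rule ahead of TPROXY")
    elif not any(r.endswith(f"MARK set {mark}") for r in ch.get(sock[0], [])):
        problems.append(f"chain {sock[0]} does not set mark {mark}")
    return problems

if __name__ == "__main__":
    print(check(SQUID_CONF, MANGLE) or "squid.conf and mangle table agree")
```

The check only compares these two inputs with each other; it does not inspect routing, kernel support or any other part of the setup.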
