Dear Amos,
To see whether there were some internal firewall in my system , I
tried a simpler topology, i.e.,
Client (10.0.0.1) (eth0) -> (eth0) Squid3 (eth1) -> (eth0) Server (10.0.0.2)
I just follow the setting in
http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6
--ip-destination-port 8080 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080 -j REDIRECT
--to-port 3128
According to tcpdump, we can see the packets are forwarded to port 3128
(I use wget 10.0.0.2:8080 at the client)
14:04:50.282381 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1028407 ecr
0,nop,wscale 6], length 0
14:04:53.212426 IP 10.0.0.1.33088 > 10.0.0.10.3128: Flags [S], seq
388132433, win 5840, options [mss 1460,sackOK,TS val 1029157 ecr
0,nop,wscale 6], length 0
Still, I am confusing of using one NIC, how can I redirect the packets
to port 3128.
Thanks a lot!
Best regards,
Alex
On Mon, Mar 5, 2012 at 4:19 PM, pplive <p2pnet10_at_googlemail.com> wrote:
> Dear Amos,
>
> I did restart the networking.
>
> When I just to review all iptables settings, from tcpdump we can see
>
> 09:35:23.830038 IP nodes-links.37711 > noder-linkr.http-alt: Flags
> [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
> 59678297 ecr 0,nop,wscale 6], length 0
> 09:35:26.827763 IP nodes-links.37711 > noder-linkr.http-alt: Flags
> [S], seq 3652549612, win 5840, options [mss 1460,sackOK,TS val
> 59679047 ecr 0,nop,wscale 6], length 0
> 09:35:28.828079 ARP, Request who-has noder-linkr tell nodes-links, length 46
>
> I think the nodec1 (my squid3 machine) is even able to start an ARP query.
>
> My OS is Ubuntu, kernel version
> yeung_at_nodec1:/etc/squid3$ uname -r
> 2.6.32-34-generic-pae
>
> I have checked the rp_filter setting, it has been disabled.
>
> Sorry for causing you trouble.
>
> Best,
> Alex
>
>
> On Mon, Mar 5, 2012 at 4:56 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 5/03/2012 4:29 p.m., pplive wrote:
>>>
>>> Dear Amos,
>>>
>>>
>>> On Sun, Mar 4, 2012 at 9:44 PM, Amos Jeffries wrote:
>>>>
>>>> On 05.03.2012 06:40, pplive wrote:
>>>>>
>>>>> Dear Amos,
>>>>>
>>>>> Thanks a lot! By looking at your URL, I have enter the following
>>>>> commands in my squid3 machine (my HTTP service is at PORT 8080), the
>>>>> squid3 proxy machine is at 10.0.3.1, HTTP server (noder) is at
>>>>> 10.0.2.1, HTTP client (nodes) is at 10.0.1.1:
>>>>>
>>>>> yeung_at_nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp
>>>>> --dport 8080 -j ACCEPT
>>>>> yeung_at_nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080
>>>>> -j DNAT --to-destination 10.0.3.1:3128
>>>>> yeung_at_nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>>>>> yeung_at_nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport
>>>>> 3128 -j DROP
>>>>>
>>>> <snip>
>>>>
>>>>
>>>>> However, the proxy still has some problem, when we start wget from the
>>>>> HTTP client
>>>>> yeung_at_nodes:~$ wget 10.0.2.1:8080
>>>>> --2012-03-04 09:31:39-- http://10.0.2.1:8080/
>>>>> Connecting to 10.0.2.1:8080... ^C
>>>>
>>>>
>>>> So far good (modulo the testing with port-8080 factor).
>>>>
>>>>
>>>>> yeung_at_nodes:~$
>>>>>
>>>>> We look at the TCPDUMP result at squid3 machine (10.0.3.1), we see the
>>>>> following message:
>>>>> 09:31:39.384558 IP nodes-links.51902> noder-linkr.http-alt: Flags
>>>>> [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
>>>>> 38022185 ecr 0,nop,wscale 6], length 0
>>>>> 09:31:42.379034 IP nodes-links.51902> noder-linkr.http-alt: Flags
>>>>> [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val
>>>>> 38022935 ecr 0,nop,wscale 6], length 0
>>>>>
>>>>> It seems that there were some HTTP-alt traffic coming in from the
>>>>> switch, but no HTTP traffic going out of the squid3 machine.
>>>>>
>>>> Is this a dump of all packets involving port 8080? or did you add an IP
>>>> address or interface direction to hide some packets?
>>>
>>> Yes, I use 'sudo tcpdump -i eth0', and I have skip some LLDP messages
>>> as follows (as the squid3 machine is connected to a programmable
>>> switch):
>>
>>
>>>> Does Squid already have a cached copy of the URL object being used as a
>>>> test?
>>>
>>> There is nothing in access.log
>>
>>
>> I'm thinking it is probably something in the kernel security controls then.
>> SELinux can block interception because it is an MITM attack on the clients.
>> Also rp_filter can block the TCP connections in strange places and show up
>> like this. Did you restart the networking on the squid box after changing
>> sysctl.conf (/etc/init.d/networking restart)
>>
>> Amos
Received on Mon Mar 05 2012 - 22:09:42 MST
This archive was generated by hypermail 2.2.0 : Tue Mar 06 2012 - 12:00:02 MST