[squid-users] Problem with linux 2.4, bridge, transparent squid on remote box

From: Mike Jett <[email protected]>
Date: 02 Oct 2003 11:22:08 -0500

I'm having difficulty getting squid to respond to requests in a
transparent proxy configuration. My setup looks like this:

--------------------
|Router to internet| 10.0.5.254, 10.0.6.254
--------------------
      |
      |
--------------------              ---------------
| Bridge Linux 2.4 |--------------| Squid Proxy | 10.0.6.10
--------------------              ---------------
      |
      |
--------------------
| Local machines   | 10.0.5.0/24, 10.0.6.0/24
--------------------

The bridge forwards traffic like it is supposed to. On a local machine,
I can specify the address of the squid proxy in a browser and it works
perfectly. However, I cannot get squid to operate transparently.

On the bridge machine, I have the following (sanitized addresses):
# rewrite the destination of port-80 traffic from the test client to the
# squid box (no port given, so the destination port stays 80)
iptables -t nat -A PREROUTING -i br0 -p tcp -s 10.0.5.5 --dport 80 \
  -j DNAT --to 10.0.6.10

On the Squid:
# divert port-80 traffic from both local subnets to the port squid listens on
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.5.0/24 --dport 80 \
  -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 10.0.6.0/24 --dport 80 \
  -j REDIRECT --to-port 8080

tcpdump on the squid box shows:
00:01:34.814875 10.0.5.5.50683 > 10.0.6.10.http: S 3918644985:3918644985(0) win 5840 <mss 1460,sackOK,timestamp 76272665 0,nop,wscale 0> (DF)
00:01:34.814907 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4536479 76270565,nop,wscale 0> (DF)
00:01:36.021932 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4536600 76270565,nop,wscale 0> (DF)
00:02:00.221921 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4539020 76270565,nop,wscale 0> (DF)
00:02:48.421921 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4543840 76270565,nop,wscale 0> (DF)

This is repeated a couple of times before the browser times out. The
same browser can have the proxy configured to this squid box and it
works perfectly.

In /usr/local/squid/etc/squid.conf I have:
# Squid 2.x accelerator-mode directives that let squid accept intercepted requests
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I've spent two days in the mailing lists, and have tried divert,
different firewall rules, and everything else I could think of. I've
done this several times where the squid box was on the bridge, but can't
put squid on the bridge in this case. I have also tried squid with and
without the --enable-linux-netfilter option in configure after a make
distclean.

The packets are getting to the squid box, and iptables is redirecting
them; the counts in iptables -L -t nat -v are increasing. It seems
squid is not handling them, or not handling them properly. If I shut
down squid I immediately get a connection refused instead of a timeout,
so it appears squid is at least accepting the connection. I'm stumped.

Any ideas?

Mike
Received on Thu Oct 02 2003 - 10:22:11 MDT
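Reading that capture mechanically, as an added example that is not code from the original post: the script below parses the old tcpdump one-line TCP record format quoted above and reports, per client connection, whether the three-way handshake completed at the capturing host. Fed the five records from the post it finds one SYN, four SYN-ACKs and no ACK for 10.0.5.5:50683, which is what the capture shows: squid's SYN-ACK leaves the box, and the client's third-leg ACK never arrives. A second, healthy connection from 10.0.5.6 is constructed for contrast and is not from the post. Two things a practitioner would keep in mind when reading such a capture: tcpdump taps the packet before the nat PREROUTING REDIRECT, so the destination still reads 10.0.6.10.http even though the rule sends it to 8080; and because the SYN-ACK's source address is 10.0.6.10 rather than the web server the client dialled, the natural next capture is one on the client (or on the bridge) to see whether that reply arrives at all and with which source address, since a DNAT on the bridge only works end to end if the bridge's conntrack also reverse-translates the reply.

```python
"""Classify TCP handshakes in a tcpdump 3.x style text capture.

Added example, not code from the original post. The sample capture is
constructed: the five records from the post plus an invented healthy
connection (10.0.5.6:40001) so that both outcomes are visible.
"""
import re

# tcpdump 3.x TCP line:
#   <time> <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] win N ...
# Ports may be numbers or service names ("http"), so they are kept as strings.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)\s*"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s*)?"
    r"(?:ack\s+(?P<ack>\d+))?"
)

# Constructed sample: lines 1-5 are the post's capture, 6-8 are invented.
CAPTURE = """\
00:01:34.814875 10.0.5.5.50683 > 10.0.6.10.http: S 3918644985:3918644985(0) win 5840 <mss 1460,sackOK,timestamp 76272665 0,nop,wscale 0> (DF)
00:01:34.814907 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4536479 76270565,nop,wscale 0> (DF)
00:01:36.021932 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4536600 76270565,nop,wscale 0> (DF)
00:02:00.221921 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4539020 76270565,nop,wscale 0> (DF)
00:02:48.421921 10.0.6.10.http > 10.0.5.5.50683: S 3415903903:3415903903(0) ack 3918644986 win 5792 <mss 1460,sackOK,timestamp 4543840 76270565,nop,wscale 0> (DF)
00:03:10.100000 10.0.5.6.40001 > 10.0.6.10.http: S 1000:1000(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 0> (DF)
00:03:10.100200 10.0.6.10.http > 10.0.5.6.40001: S 2000:2000(0) ack 1001 win 5792 <mss 1460,sackOK,timestamp 2 1,nop,wscale 0> (DF)
00:03:10.100400 10.0.5.6.40001 > 10.0.6.10.http: . ack 2001 win 5840 <nop,nop,timestamp 1 2> (DF)
"""


def parse(text):
    """Yield one dict per TCP record; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def handshakes(text):
    """Map (client, cport, server, sport) -> counts of SYN, SYN-ACK, ACK and RST.

    The client is whichever side sent a SYN that carries no ACK; replies are
    folded back onto that client-side key.
    """
    flows = {}
    for p in parse(text):
        syn = "S" in p["flags"]
        rst = "R" in p["flags"]
        has_ack = p["ack"] is not None
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if syn and not has_ack:                       # client SYN (first leg)
            flows.setdefault(fwd, {"syn": 0, "synack": 0, "ack": 0, "rst": 0})
            flows[fwd]["syn"] += 1
        elif rev in flows and syn and has_ack:        # server SYN-ACK (second leg)
            flows[rev]["synack"] += 1
        elif fwd in flows and has_ack and not syn and not rst:
            flows[fwd]["ack"] += 1                    # client ACK (third leg) or later data
        if rst:
            for key in (fwd, rev):
                if key in flows:
                    flows[key]["rst"] += 1
    return flows


def verdict(c):
    """One-line reading of a flow's counters, from the capturing host's point of view."""
    if c["rst"]:
        return "reset"
    if c["syn"] and not c["synack"]:
        return "no SYN-ACK: nothing answered the SYN here"
    if c["synack"] and not c["ack"]:
        return "half-open: %d SYN-ACK(s) sent, client's ACK never seen here" % c["synack"]
    if c["ack"]:
        return "established"
    return "unknown"


if __name__ == "__main__":
    for (client, cport, server, sport), counters in handshakes(CAPTURE).items():
        print("%s:%s -> %s:%s  %s" % (client, cport, server, sport, verdict(counters)))
```

Run it as-is to see the two verdicts; point it at real output by replacing CAPTURE with the text of a `tcpdump -n` run. A flow that stays "half-open" at the server while the client keeps re-sending SYNs would instead show up as several SYNs with no SYN-ACK on the client side, so capturing at both ends is what separates "reply never sent" from "reply sent but not accepted".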