[squid-users] instant reset

From: Aaron P. Martinez <[email protected]>
Date: Mon, 25 Apr 2005 12:47:34 -0500

I'm trying to get a transparent proxy working, but having no luck at
all. I have included my squid.conf below for scrutiny (it's mostly
uncommented so it's not huge).

My network is as such:

linux-ws = 192.168.3.69
squid = 192.168.2.2

linux-ws----linux-router1---linux-router2----INTERNET
                                |
                                |
                             squid

linux-router1 does my DNAT via:

iptables -t nat -A PREROUTING -i eth1 -s 192.168.3.64/27 -p tcp --dport 80 -j DNAT --to 192.168.2.2

When I telnet to www.somedomain.com 80 I get the following error:

bash-3.00$ telnet www.hotbot.com 80
Trying 209.202.248.100...
telnet: connect to address 209.202.248.100: Connection refused
telnet: Unable to connect to remote host: Connection refused

tcpdump on linux-router1 shows one SYN and one RST:

21:58:30.361794 192.168.3.69.52508 > 192.168.2.2.http: S [tcp sum ok]
2034534829:2034534829(0) win 5840 <mss 1460,sackOK,timestamp 906118859
0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 53094, len 60)
21:58:30.362298 mia-hotbot.lycos.com.http > 192.168.3.69.52508: R [tcp
sum ok] 0:0(0) ack 2034534830 win 0 (DF) [tos 0x10] (ttl 62, id 5358,
len 40)

on linux-router2 on interface eth0 (coming from my network):
21:44:30.866510 aaron-workstation.example.com.52511 > 192.168.2.2.http:
S [tcp sum ok] 2172620125:2172620125(0) win 5840 <mss
1460,sackOK,timestamp 906262119 0,nop,wscale 2> (DF) [tos 0x10] (ttl
63, id 64314, len 60)
21:44:30.866766 192.168.2.2.http > aaron-workstation.example.com.52511:
R [tcp sum ok] 0:0(0) ack 2172620126 win 0 (DF) [tos 0x10] (ttl 63, id
5361, len 40)

On the squid machine I see:
21:58:15.984464 IP (tos 0x10, ttl 62, id 19790, offset 0, flags [DF],
proto 6, length: 60) 192.168.3.69.52509 > 192.168.2.2.http: S [tcp sum
ok] 2075217715:2075217715(0) win 5840 <mss 1460,sackOK,timestamp
906166909 0,nop,wscale 2>
21:58:16.072100 IP (tos 0x10, ttl 64, id 5359, offset 0, flags [DF],
proto 6, length: 40) 192.168.2.2.http > 192.168.3.69.52509: R [tcp sum
ok] 0:0(0) ack 2075217716 win 0

And on the linux-router2 DSL interface I don't see any packets at all.

My setup works fine when I have it set up as a normal proxy and
configure the proxy setting in Firefox on my workstation.

squid.conf:
#http_port 3128
#ssl_unclean_shutdown
maximum_object_size 32768 KB
memory_replacement_policy heap LFUDA
#cache_dir aufs /var/spool/squid 6500 32 256
cache_dir ufs /var/spool/squid 6500 32 256
# log_ip_on_direct on
# log_mime_hdrs off
# useragent_log
# referer_log
# ftp_user Squid@
# ftp_passive on
# ftp_sanitycheck on
# redirect_program
# redirect_children 5
# redirector_access
# auth_parm

# ACL CONTROLS

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

acl 64net src 192.168.3.64/27
acl 96net src 192.168.3.96/27
acl 128net src 192.168.3.128/27
acl 160net src 192.168.3.160/27
acl 192net src 192.168.3.192/27

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

http_access allow 64net
http_access allow 96net

http_access allow localhost
http_access deny all

http_reply_access allow all

# cache_mgr root
# cache_effective_user squid
# cache_effective_group squid

# HTTPD-ACCELERATOR OPTIONS

httpd_accel_host virtual
# httpd_accel_host
httpd_accel_port 80
# httpd_accel_port 3128
httpd_accel_single_host off
# httpd_accel_with_proxy off
httpd_accel_with_proxy on
# httpd_accel_uses_host_header off
httpd_accel_uses_host_header on

# MISCELLANEOUS

logfile_rotate 30
# append_domain .yourdomain.com
# err_html_text
# memory_pools on
# forwarded_for on

# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
#
# Usage: cachemgr_passwd password action action ...
#
# Some valid actions are (see cache manager menu for a full list):
#Example:
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#
#Default:
# none

# client_db on
# always_direct
# never_direct
#chroot
# client_persistent_connections on
# server_persistent_connections on

# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrators attention. The value is in milliseconds.
#
#Default:
# high_response_time_warning 0
# TAG: high_page_fault_warning
# If the one-minute average page fault rate exceeds this
# value, Squid prints a WARNING with debug level 0 to get
# the administrators attention. The value is in page faults
# per second.
#
#Default:
# high_page_fault_warning 0

# TAG: high_memory_warning
# If the memory usage (as determined by mallinfo) exceeds
# value, Squid prints a WARNING with debug level 0 to get
# the administrators attention.
#
#Default:
# high_memory_warning 0

# ie_refresh off

Thanks in advance,

Aaron Martinez
Received on Mon Apr 25 2005 - 11:47:49 MDT
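Added here as a diagnostic aid for the situation described in the post; it is not code from the poster or from the Squid project. The checker parses a squid.conf the way Squid does (comments stripped, so a commented-out `http_port` does not count), works out which TCP ports Squid will actually bind (assuming Squid's default of 3128 when no `http_port` is set), parses the iptables DNAT rule (assuming the documented behaviour that `--to` without a port keeps the original destination port), and reports whether redirected clients will reach a listening socket. A second function scans tcpdump lines for the closed-port signature, a SYN answered by a bare RST whose ack equals the SYN's sequence number plus one. The sample config, rule and trace lines are constructed from the post, with the RST line rewritten in numeric form as `tcpdump -n` would print it.

```python
import re
from ipaddress import ip_address

# Constructed sample inputs, modelled on the post (not the poster's actual files).
SQUID_CONF = """\
#http_port 3128
maximum_object_size 32768 KB
cache_dir ufs /var/spool/squid 6500 32 256
acl Safe_ports port 80 # http
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""

DNAT_RULE = ("iptables -t nat -A PREROUTING -i eth1 -s 192.168.3.64/27 "
             "-p tcp --dport 80 -j DNAT --to 192.168.2.2")

# Constructed tcpdump lines; use `tcpdump -n` so both directions show IPs,
# otherwise reverse DNS (as in the post) makes src/dst pairing fail.
TRACE = [
    "21:58:30.361794 192.168.3.69.52508 > 192.168.2.2.http: S [tcp sum ok] "
    "2034534829:2034534829(0) win 5840 <mss 1460,sackOK,timestamp 906118859 0,nop,wscale 2> (DF)",
    "21:58:30.362298 192.168.2.2.http > 192.168.3.69.52508: R [tcp sum ok] "
    "0:0(0) ack 2034534830 win 0 (DF)",
]

SQUID_DEFAULT_PORT = 3128  # Squid binds this when no http_port line is active


def squid_listen_ports(conf_text):
    """Return the set of TCP ports Squid will bind, ignoring commented lines."""
    ports = set()
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()  # '#http_port 3128' becomes ''
        if not line:
            continue
        key, _, value = line.partition(' ')
        if key == 'http_port':
            for spec in value.split():
                ports.add(int(spec.rsplit(':', 1)[-1]))  # 'port' or 'addr:port'
    return ports or {SQUID_DEFAULT_PORT}


def dnat_target(rule):
    """Parse '--dport N ... --to addr[:port]' from an iptables DNAT rule.
    Without an explicit port, DNAT keeps the original destination port."""
    dport = re.search(r'--dport\s+(\d+)', rule)
    to = re.search(r'--to(?:-destination)?\s+(\S+)', rule)
    if not (dport and to):
        raise ValueError("not a DNAT rule with --dport and --to")
    addr, _, port = to.group(1).rpartition(':')
    if not addr:  # no ':' in the token: it is just the address
        addr, port = port, dport.group(1)
    return ip_address(addr), int(port)


def diagnose(conf_text, rule):
    """Explain whether DNAT traffic lands on a port Squid listens on."""
    addr, port = dnat_target(rule)
    listening = sorted(squid_listen_ports(conf_text))
    if port in listening:
        return f"ok: DNAT sends clients to {addr}:{port}; squid listens on {listening}"
    return (f"mismatch: DNAT sends clients to {addr}:{port} but squid listens "
            f"only on {listening}; the kernel answers each SYN with RST "
            f"(connection refused). Either set 'http_port {port}' in squid.conf "
            f"or use '--to {addr}:{listening[0]}' in the DNAT rule.")


def refused_connections(trace_lines):
    """Find SYNs answered by a bare RST with ack == seq+1 (closed-port signature)."""
    syn_re = re.compile(r'^\S+ (\S+) > (\S+): S .*? (\d+):\d+\(0\)')
    rst_re = re.compile(r'^\S+ (\S+) > (\S+): R .*? ack (\d+)')
    pending = {}  # (src, dst) -> sequence number of the outstanding SYN
    refused = []
    for line in trace_lines:
        m = syn_re.match(line)
        if m:
            pending[(m.group(1), m.group(2))] = int(m.group(3))
            continue
        m = rst_re.match(line)
        if m:
            key = (m.group(2), m.group(1))  # the reply swaps src and dst
            if key in pending and pending[key] + 1 == int(m.group(3)):
                refused.append(key)
                del pending[key]
    return refused


if __name__ == '__main__':
    print(diagnose(SQUID_CONF, DNAT_RULE))
    print(refused_connections(TRACE))
```

Run against the constructed input the checker reports the mismatch (DNAT to port 80, Squid on 3128) and pairs the SYN at sequence 2034534829 with the RST acking 2034534830; feeding it a config with an active `http_port 80` line makes the first check pass. The trace check is independent of Squid and flags any SYN/RST pair, so it is equally useful when a filter or a stopped daemon is the cause.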
