[squid-users] Squid + Tproxy + Bridge mode + squidguard

From: Francisco Andr� Barbosa Neto <fneto_at_networkexplorer.com.br>
Date: Thu, 30 Jun 2011 14:57:13 -0300

Hi all I'm new to the list and I decided to write here because I'm with a
big trouble!

I have installed an squid in bridge mode with tproxy support.

Everything is working ok, but I'm using in the same squid proxy squidguard
as an redirector.

The problem is when the client try to access an url that is blocked squid
can't receive the redirect header and page stay loading for a long time
until squid return an error telling that is impossible to access the site
http://<ip of my bridge interface>/negado.html

If I click on the link the page opens normally!!

Does anybody have any clue about this problem???

Below is my server information:

CentOS 5.6
Kernel 2.6.31-14 with all the Tproxy support enabled and ok!
Iptables 1.4.10 with iptables supporte
Libcap 2.19 installed
Squid 3.1.8 with Tproxy support ok!

Routes.sh script (called from /etc/rc.d/rc.local
#!/bin/sh

ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
0x1/0x1 --on-port 3129

##!/bin/sh
CLIENT_IFACE="eth0"
INET_IFACE="eth1"

ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target ACCEPT

cd /proc/sys/net/bridge/

for i in *
 do
   echo 0 > $i
 done
unset i

Changes in /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_acct = 1
net.ipv4.conf.lo.rp_filter = 0

Squidguard.conf
dbhome /var/lib/squidguard
logdir /var/log/squidguard

src admin {
        ip 192.168.10.96
}

dest negados {
    domainlist negados
}

acl {
        admin {
                pass !negados all
                redirect http://192.168.10.61:90/negado.html
        }

        default {
                pass none
                redirect http://192.168.10.61:90/negado.html
                }
}

Apache is listening on port 90, I've already tried in port 80 without
success too

Squid.conf (relevant part only)
http_port 3128
http_port 3129 tproxy
tcp_outgoing_address 192.168.10.61
icp_port 3130

url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
url_rewrite_children 5

acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535 8083 88 90
acl CONNECT method CONNECT
#acl msn url_regex -i /gateway/gateway.dll
#acl autenticado proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl liberados src 192.168.0.71 192.168.0.99
acl our_networks src 192.168.10.0/24
#http_access allow liberados
#http_access deny msn
#http_access allow autenticado
http_access allow our_networks
http_access deny all
http_reply_access allow our_networks
icp_access allow all
miss_access allow all

Thanks!!

------------------------------------------------------
Francisco Andr� Barbosa Neto
fneto_at_getsmart.com.br <mailto:fneto_at_networkexplorer.com.br>
Get Smart IT Solutions
http://www.getsmart.com.br <http://www.getsmart.com.br/>
Fone: 55-11-4655-2232
------------------------------------------------------
Received on Thu Jun 30 2011 - 17:57:28 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 12:00:03 MDT