* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
       [not found] <200401100026.01870.Alistair Tonner <>
@ 2004-01-12 20:04 ` Peter Schobel
  2004-01-12 20:57   ` Peter Schobel
  0 siblings, 1 reply; 24+ messages in thread
From: Peter Schobel @ 2004-01-12 20:04 UTC (permalink / raw)
  To: netfilter

It appears to me as if it's redirecting to port 3128 but it's not 
getting a reply from squid - the squid access log does not show the 
access at all, as if it never received the packet.


Jan 12 14:52:21 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:21 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:24 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:27 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47719 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:30 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47721 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:33 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47724 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:36 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47726 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:42 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47739 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:54 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47743 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0

On Saturday, January 10, 2004, at 12:26  AM, Alistair Tonner wrote:
>
> 	Have you tried LOGging the INPUT chain for both 80 and 3128?
> 	Or, perhaps more thorough, put a LOG rule in PREROUTING
> 	before the REDIRECT/DNAT rule to log what you will change,
> 	and since your destination is local, a LOG rule at the top of INPUT
> 	to catch *everything* for the interim? -- then see at what point
> 	the packets are actually disappearing.
> 	



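Applying Alistair's "log before and after the REDIRECT and see where the packets disappear" approach to the entries posted above, here is an added example (not code from the thread or from Squid/netfilter): a small Python script that parses netfilter LOG lines as syslog writes them, pairs the two copies of each packet by IP ID to confirm that the nat PREROUTING REDIRECT rewrote DST/DPT, and then counts the bare SYNs retransmitted from the same client source port without any SYN-ACK coming back. The proxy address 10.0.0.1 and port 3128 are taken from the posted lines; the three lines for a second, answered flow (source port 53040) are constructed for contrast and assume a LOG rule in the filter OUTPUT chain, where the reply still shows its source as 10.0.0.1:3128.

```python
"""Trace netfilter LOG lines to see where a REDIRECTed connection stops."""
import re
from collections import defaultdict

# Proxy address and port as they appear in the posted log lines.
PROXY_ADDR = "10.0.0.1"
PROXY_PORT = "3128"

# The nine entries posted in the thread, followed by three constructed lines
# for a flow that does get answered: the same REDIRECT pair plus a SYN-ACK as
# a LOG rule in filter OUTPUT would show it (source still 10.0.0.1:3128).
SAMPLE_LOG = """\
Jan 12 14:52:21 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:21 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:24 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:27 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47719 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:30 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47721 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:33 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47724 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:36 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47726 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:42 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47739 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:54 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47743 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 15:01:02 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48001 DF PROTO=TCP SPT=53040 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 15:01:02 proxyhost IN=eth0 OUT= MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48001 DF PROTO=TCP SPT=53040 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 15:01:02 proxyhost IN= OUT=eth0 SRC=10.0.0.1 DST=64.187.35.163 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=53040 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TS_RE = re.compile(r"^(\w{3} +\d+ (\d\d):(\d\d):(\d\d)) (\S+) (.*)$")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_line(line):
    """Parse one syslog-wrapped netfilter LOG line; return None for others."""
    m = TS_RE.match(line)
    if not m or " IN=" not in line:
        return None
    ts, hh, mm, ss, host, rest = m.groups()
    rec = dict(KV_RE.findall(rest))          # IN=, OUT=, SRC=, DPT=, ID=, ...
    rec["ts"] = ts
    rec["secs"] = int(hh) * 3600 + int(mm) * 60 + int(ss)
    rec["host"] = host
    rec["flags"] = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return rec


def trace_flows(log_text):
    """Group packets per client socket and say how far each flow got."""
    flows = defaultdict(lambda: {"req": [], "reply": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        if rec["SRC"] == PROXY_ADDR and rec["SPT"] == PROXY_PORT:
            flows[(rec["DST"], rec["DPT"])]["reply"].append(rec)
        else:
            flows[(rec["SRC"], rec["SPT"])]["req"].append(rec)

    report = {}
    for client, pk in flows.items():
        # The same IP ID logged with DPT=80 and again with DPT=3128 is one
        # packet seen before and after nat PREROUTING: the REDIRECT matched.
        ports_by_id = defaultdict(set)
        for p in pk["req"]:
            ports_by_id[p["ID"]].add(p["DPT"])
        redirected = any({"80", PROXY_PORT} <= v for v in ports_by_id.values())
        # Bare SYNs to the proxy port, one per IP ID, are handshake attempts;
        # several from the same source port with growing gaps means the
        # client is retransmitting because no SYN-ACK ever came back.
        syn_times = sorted({p["ID"]: p["secs"] for p in pk["req"]
                            if p["DPT"] == PROXY_PORT
                            and p["flags"] == {"SYN"}}.values())
        gaps = [b - a for a, b in zip(syn_times, syn_times[1:])]
        answered = any({"SYN", "ACK"} <= r["flags"] for r in pk["reply"])
        if answered:
            verdict = "proxy answered (SYN-ACK seen)"
        elif redirected and len(syn_times) > 1:
            verdict = ("redirected to %s:%s, %d SYNs retransmitted, no SYN-ACK:"
                       " nothing answered on the proxy port"
                       % (PROXY_ADDR, PROXY_PORT, len(syn_times)))
        elif redirected:
            verdict = "redirected, one SYN so far"
        else:
            verdict = "not redirected: the nat PREROUTING rule did not match"
        report[client] = {"redirected": redirected,
                          "syn_attempts": len(syn_times),
                          "retransmit_gaps": gaps,
                          "verdict": verdict}
    return report


if __name__ == "__main__":
    for (src, sport), info in sorted(trace_flows(SAMPLE_LOG).items()):
        print("%s:%s  attempts=%d gaps=%s\n    %s" % (
            src, sport, info["syn_attempts"], info["retransmit_gaps"],
            info["verdict"]))
```

Run as-is it prints one verdict per client socket; on a live box feed it the output of `grep ' IN=' /var/log/messages` instead of SAMPLE_LOG. For the posted flow the result is eight SYNs over 33 seconds with gaps growing from 3 s to 12 s, which is the client's backoff: the REDIRECT rewrote the destination on every attempt, but nothing ever answered on port 3128, which is consistent with the squid access log showing no request at all.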

* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
  2004-01-12 20:04 ` Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel Peter Schobel
@ 2004-01-12 20:57   ` Peter Schobel
  2004-01-12 21:31     ` John A. Sullivan III
  0 siblings, 1 reply; 24+ messages in thread
From: Peter Schobel @ 2004-01-12 20:57 UTC (permalink / raw)
  To: netfilter

If I access the proxyhost directly on port 80 I can see the request to 
the local host on 3128 and then I see a request from the local host to 
the remote proxy site and everything works fine - the squid log shows 
the access.  I'm not really sure what to do at this point; I've been 
trying any rule I can think of and I have a bunch of logging rules in 
now to try to figure out what's going wrong, but I'm not getting any 
more information than what you see below.

If I can't get this working by the end of the night, I'll probably have 
no choice but to format, reinstall and try to get back to a working 
configuration, which I really don't want to do because I have a lot of 
software installed and configured on that machine that I will have to 
rebuild.

Peter Schobel
~

On Monday, January 12, 2004, at 03:04  PM, Peter Schobel wrote:

> it appears to me as if it's redirecting to port 3128 but its not 
> getting a reply from squid - the squid access log does not show the 
> access at all as if it never received the packet
>
>
> Jan 12 14:52:21 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 
> DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF 
> PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:21 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 
> DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:24 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:27 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47719 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:30 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47721 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:33 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47724 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:36 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47726 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:42 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47739 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> Jan 12 14:52:54 proxyhost IN=eth0 OUT= 
> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47743 DF PROTO=TCP 
> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>
> On Saturday, January 10, 2004, at 12:26  AM, Alistair Tonner wrote:
>>
>> 	Have you tried LOGging the INPUT chain for both 80 and 3128?
>> 	Or, perhaps more thorough, put a LOG rule in PREROUTING
>> 	before the REDIRECT/DNAT rule to log what you will change,
>> 	and since your destination is local, a LOG rule at the top of INPUT
>> 	to catch *everything* for the interim? -- then see at what point
>> 	the packets are actually disappearing.
>> 	
>
>
>
*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
  2004-01-12 20:57   ` Peter Schobel
@ 2004-01-12 21:31     ` John A. Sullivan III
  2004-01-12 22:45       ` Peter Schobel
  0 siblings, 1 reply; 24+ messages in thread
From: John A. Sullivan III @ 2004-01-12 21:31 UTC (permalink / raw)
  To: Peter Schobel; +Cc: netfilter

Hmmm . . . your rules do indeed look wide open.  Have you double checked
silly things like making sure all the policies are ACCEPT and squid can
resolve names using DNS? Is there any chance that squid does not like
2.6?

On Mon, 2004-01-12 at 15:57, Peter Schobel wrote:
> If i access the proxyhost directly on port 80 i can see the request to 
> the local host on 3128 and then i see a request from the local host to 
> the remote proxy site and everything works fine - the squid log shows 
> the access.  I'm not really sure what to do at this point i've been 
> trying any rule i can think of and i have a bunch of logging rules in 
> now to try to figure out what's going wrong but i'm not getting any 
> more information than what you see below.
> 
> If i can't get this working by the end of the night, i'll probably have 
> no choice but to format reinstall and try to get back to a working 
> configuration which i really don't want to do because i have a lot of 
> software installed and configured on that machine that i will have to 
> rebuild.
> 
> Peter Schobel
> ~
> 
> On Monday, January 12, 2004, at 03:04  PM, Peter Schobel wrote:
> 
> > it appears to me as if it's redirecting to port 3128 but its not 
> > getting a reply from squid - the squid access log does not show the 
> > access at all as if it never received the packet
> >
> >
> > Jan 12 14:52:21 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 
> > DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF 
> > PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:21 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 
> > DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:24 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:27 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47719 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:30 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47721 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:33 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47724 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:36 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47726 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:42 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47739 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> > Jan 12 14:52:54 proxyhost IN=eth0 OUT= 
> > MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST= 
> > 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47743 DF PROTO=TCP 
> > SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >
> > On Saturday, January 10, 2004, at 12:26  AM, Alistair Tonner wrote:
> >>
> >> 	Have you tried LOGging the INPUT chain for both 80 and 3128?
> >> 	Or, perhaps more thorough, put a LOG rule in PREROUTING
> >> 	before the REDIRECT/DNAT rule to log what you will change,
> >> 	and since your destination is local, a LOG rule at the top of INPUT
> >> 	to catch *everything* for the interim? -- then see at what point
> >> 	the packets are actually disappearing.
> >> 	
> >
> >
> >
> *****************************
> Peter Schobel
> Network Administrator
> Porchlight.ca
> Unlimited Internet
> *****************************
> In a world without walls or fences
> We will have no need for gates or windows
> *****************************
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
  2004-01-12 21:31     ` John A. Sullivan III
@ 2004-01-12 22:45       ` Peter Schobel
  2004-01-13  5:47         ` Arthur Meyer
  0 siblings, 1 reply; 24+ messages in thread
From: Peter Schobel @ 2004-01-12 22:45 UTC (permalink / raw)
  To: netfilter

Yes, all policies are set to ACCEPT, and I assume that squid is working 
fine since it works well by using the proxyhost on port 80 and 3128 or 
by manually configuring the proxy in the browser.

On Monday, January 12, 2004, at 04:31  PM, John A. Sullivan III wrote:

> Hmmm . . . your rules do indeed look wide open.  Have you double 
> checked
> silly things like making sure all the policies are ACCEPT and squid can
> resolve names using DNS? Is there any chance that squid does not like
> 2.6?
>
> On Mon, 2004-01-12 at 15:57, Peter Schobel wrote:
>> If i access the proxyhost directly on port 80 i can see the request to
>> the local host on 3128 and then i see a request from the local host to
>> the remote proxy site and everything works fine - the squid log shows
>> the access.  I'm not really sure what to do at this point i've been
>> trying any rule i can think of and i have a bunch of logging rules in
>> now to try to figure out what's going wrong but i'm not getting any
>> more information than what you see below.
>>
>> If i can't get this working by the end of the night, i'll probably 
>> have
>> no choice but to format reinstall and try to get back to a working
>> configuration which i really don't want to do because i have a lot of
>> software installed and configured on that machine that i will have to
>> rebuild.
>>
>> Peter Schobel
>> ~
>>
>> On Monday, January 12, 2004, at 03:04  PM, Peter Schobel wrote:
>>
>>> it appears to me as if it's redirecting to port 3128 but its not
>>> getting a reply from squid - the squid access log does not show the
>>> access at all as if it never received the packet
>>>
>>>
>>> Jan 12 14:52:21 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163
>>> DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF
>>> PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:21 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163
>>> DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:24 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:27 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47719 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:30 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47721 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:33 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47724 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:36 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47726 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:42 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47739 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>> Jan 12 14:52:54 proxyhost IN=eth0 OUT=
>>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
>>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47743 DF PROTO=TCP
>>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
>>>
>>> On Saturday, January 10, 2004, at 12:26  AM, Alistair Tonner wrote:
>>>>
>>>> 	Have you tried LOGging the INPUT chain for both 80 and 3128?
>>>> 	Or, perhaps more thorough, put a LOG rule in PREROUTING
>>>> 	before the REDIRECT/DNAT rule to log what you will change,
>>>> 	and since your destination is local, a LOG rule at the top of INPUT
>>>> 	to catch *everything* for the interim? -- then see at what point
>>>> 	the packets are actually disappearing.
>>>> 	
>>>
>>>
>>>
>> *****************************
>> Peter Schobel
>> Network Administrator
>> Porchlight.ca
>> Unlimited Internet
>> *****************************
>> In a world without walls or fences
>> We will have no need for gates or windows
>> *****************************
> -- 
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan@nexusmgmt.com
>
>
*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
  2004-01-12 22:45       ` Peter Schobel
@ 2004-01-13  5:47         ` Arthur Meyer
  0 siblings, 0 replies; 24+ messages in thread
From: Arthur Meyer @ 2004-01-13  5:47 UTC (permalink / raw)
  To: netfilter

Have you compiled netfilter with the option --with linux netfilter and set the 
transparent proxy instructions in squid?
Arthur


On Monday 12 January 2004 23:45, Peter Schobel wrote:
> yes all policies are set to ACCEPT and I assume that squid is working
> fine since it works well by using the proxyhost on port 80 and 3128 or
> by manually configuring the proxy in the browser
>
> On Monday, January 12, 2004, at 04:31  PM, John A. Sullivan III wrote:
> > Hmmm . . . your rules do indeed look wide open.  Have you double
> > checked
> > silly things like making sure all the policies are ACCEPT and squid can
> > resolve names using DNS? Is there any chance that squid does not like
> > 2.6?
> >
> > On Mon, 2004-01-12 at 15:57, Peter Schobel wrote:
> >> If i access the proxyhost directly on port 80 i can see the request to
> >> the local host on 3128 and then i see a request from the local host to
> >> the remote proxy site and everything works fine - the squid log shows
> >> the access.  I'm not really sure what to do at this point i've been
> >> trying any rule i can think of and i have a bunch of logging rules in
> >> now to try to figure out what's going wrong but i'm not getting any
> >> more information than what you see below.
> >>
> >> If i can't get this working by the end of the night, i'll probably
> >> have
> >> no choice but to format reinstall and try to get back to a working
> >> configuration which i really don't want to do because i have a lot of
> >> software installed and configured on that machine that i will have to
> >> rebuild.
> >>
> >> Peter Schobel
> >> ~
> >>
> >> On Monday, January 12, 2004, at 03:04  PM, Peter Schobel wrote:
> >>> it appears to me as if it's redirecting to port 3128 but its not
> >>> getting a reply from squid - the squid access log does not show the
> >>> access at all as if it never received the packet
> >>>
> >>>
> >>> Jan 12 14:52:21 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163
> >>> DST=216.239.37.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF
> >>> PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:21 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163
> >>> DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:24 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:27 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47719 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:30 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47721 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:33 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47724 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:36 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47726 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:42 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47739 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>> Jan 12 14:52:54 proxyhost IN=eth0 OUT=
> >>> MAC=00:04:75:fb:a6:e1:00:d0:52:04:43:5a:08:00 SRC=64.187.35.163 DST=
> >>> 10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=47743 DF PROTO=TCP
> >>> SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
> >>>
> >>> On Saturday, January 10, 2004, at 12:26  AM, Alistair Tonner wrote:
> >>>> 	Have you tried LOGging the INPUT chain for both 80 and 3128?
> >>>> 	Or, perhaps more thorough, put a LOG rule in PREROUTING
> >>>> 	before the REDIRECT/DNAT rule to log what you will change,
> >>>> 	and since your destination is local, a LOG rule at the top of INPUT
> >>>> 	to catch *everything* for the interim? -- then see at what point
> >>>> 	the packets are actually disappearing.
> >>
> >> *****************************
> >> Peter Schobel
> >> Network Administrator
> >> Porchlight.ca
> >> Unlimited Internet
> >> *****************************
> >> In a world without walls or fences
> >> We will have no need for gates or windows
> >> *****************************
> >
> > --
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan@nexusmgmt.com
>
> *****************************
> Peter Schobel
> Network Administrator
> Porchlight.ca
> Unlimited Internet
> *****************************
> In a world without walls or fences
> We will have no need for gates or windows
> *****************************




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
  2004-01-11 17:00   ` Mark E. Donaldson
@ 2004-01-12 20:09     ` Peter Schobel
  0 siblings, 0 replies; 24+ messages in thread
From: Peter Schobel @ 2004-01-12 20:09 UTC (permalink / raw)
  To: netfilter

I tried your rule - it didn't help, but from my understanding I 
shouldn't need rules like that since my input, output and forward 
policies are set to default ACCEPT.

Peter Schobel

On Sunday, January 11, 2004, at 12:00  PM, Mark E. Donaldson wrote:

> I haven't been following all of this Peter, but it would seem you now 
> need
> to add a rule allow the packets to get through the FORWARD chain now 
> that
> they have been successfully REDIRECTED.  Try something like:
>
> $IPT -t filter -A FORWARD -i eth0 -p tcp --dport 3128 -j ACCEPT
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Peter Schobel
> Sent: Friday, January 09, 2004 6:09 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Problems with Transparent Proxy using IPTables, Squid and 
> 2.6
> kernel
>
> ok, I removed the error line and the cat autoconf line from the 
> config.h and
> got iptables 1.2.9 to compile against my kernel source and headers and
> reinstalled
>
> if i turn on ip_forward and try to access external sites, i get 
> forwarded
> through to the external page without problem
>
> if i enable the iptables rule
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> my pages just time out when i try to access external sites
>
> but if i try to access the proxyhost directly using http, it redirects 
> me to
> the proxy site without problem
>
> i get exactly the same results using this rule
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT 
> --to-destination
> $LOCALHOST:3128
>
> does anyone have any idea why traffic destined for external sites will 
> not
> transparently redirect to squid for me?
>
> does anyone have any idea as to what further steps I can take to
> troubleshoot this problem?
>
> Thx in advance,
>
> Peter Schobel
>
> On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:
>
>> On January 8, 2004 03:05 pm, Peter Schobel wrote:
>>> ok, I downloaded the source ball for iptables 1.2.9, and compiled
>>> using
>>>
>>> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>>
>>> i got an error from config.h telling me to use the glibc version so i
>>> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
>>>
>>> then i compiled successfully and installed using
>>>
>>> make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>>
>>> without incident
>>>
>>> i checked the timestamp on the iptables binary to make sure that it
>>> had been overwritten
>>>
>>> I rmmod'd all the iptables modules and then reloaded my iptables rule
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>>> --to-port 3128
>>>
>>
>> 	Ummm ... I don't understand where the error came from.... I'm using
>> a slackware based box with many upgrades
>> 	(gcc glibc binutils and modutils....) my switch from 2.4.23 to 2.6.0
>> required a binutils and modutils
>> 	upgrade FIRST -- I would hope that RPM dependencies are in place to
>> enforce this as it will likely
>> 	apply to your situation ... when I rebuilt iptables source it went
>> painlessly --- no error from config.h.
>>
>> 	I *DONT* like the relink .. I've a feeling this will break some
>> important defines....
>> 	
>> 	what do you get for modprobe --version and ld -v ?
>> 	I suspect your modutils is incorrect for 2.6.0
>>
>>> lsmod gives me
>>>
>>> Module                  Size  Used by
>>> ipt_REDIRECT            2048  1
>>> iptable_nat            20140  2 ipt_REDIRECT
>>> ip_tables              15104  2 ipt_REDIRECT,iptable_nat
>>> ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
>>>
>>> iptables -t nat -L gives me
>>>
>>> Chain PREROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> REDIRECT   tcp  --  anywhere             anywhere            tcp
>>> dpt:http redir ports 3128
>>>
>>> Chain POSTROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> testing it reveals that it is still not working - did i do anything
>>> wrong in the above steps? what further steps would you recommend to
>>> troubleshoot this problem?
>>>
>>> Peter Schobel
>>> ~
>>
>>
> *****************************
> Peter Schobel
> Network Administrator
> Porchlight.ca
> Unlimited Internet
> *****************************
> In a world without walls or fences
> We will have no need for gates or windows
> *****************************
>
>
>
>
*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************




* RE: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
  2004-01-10  2:08 ` Peter Schobel
  2004-01-10  5:26   ` Unknown, Alistair Tonner
@ 2004-01-11 17:00   ` Mark E. Donaldson
  2004-01-12 20:09     ` Peter Schobel
  1 sibling, 1 reply; 24+ messages in thread
From: Mark E. Donaldson @ 2004-01-11 17:00 UTC (permalink / raw)
  To: 'Peter Schobel', netfilter

I haven't been following all of this Peter, but it would seem you now need
to add a rule to allow the packets to get through the FORWARD chain now that
they have been successfully REDIRECTED.  Try something like: 

$IPT -t filter -A FORWARD -i eth0 -p tcp --dport 3128 -j ACCEPT

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Peter Schobel
Sent: Friday, January 09, 2004 6:09 PM
To: netfilter@lists.netfilter.org
Subject: Re: Problems with Transparent Proxy using IPTables, Squid and 2.6
kernel

OK, I removed the error line and the cat autoconf line from config.h and
got iptables 1.2.9 to compile against my kernel source and headers, and
reinstalled.

If I turn on ip_forward and try to access external sites, I get forwarded
through to the external page without problem.

If I enable the iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

my pages just time out when I try to access external sites.

But if I try to access the proxyhost directly using http, it redirects me to
the proxy site without problem.

I get exactly the same results using this rule

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $LOCALHOST:3128

Does anyone have any idea why traffic destined for external sites will not
transparently redirect to squid for me?

Does anyone have any idea as to what further steps I can take to
troubleshoot this problem?

Thx in advance,

Peter Schobel

On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:

> On January 8, 2004 03:05 pm, Peter Schobel wrote:
>> ok, I downloaded the source ball for iptables 1.2.9, and compiled 
>> using
>>
>> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> i got an error from config.h telling me to use the glibc version so i 
>> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
>>
>> then i compiled successfully and installed using
>>
>> make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> without incident
>>
>> i checked the timestamp on the iptables binary to make sure that it 
>> had been overwritten
>>
>> I rmmod'd all the iptables modules and then reloaded my iptables rule
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
>> --to-port 3128
>>
>
> 	Ummm ... I don't understand where the error came from.... I'm using
> a slackware based box with many upgrades
> 	(gcc glibc binutils and modutils....) my switch from 2.4.23 to 2.6.0
> required a binutils and modutils
> 	upgrade FIRST -- I would hope that RPM dependencies are in place to 
> enforce this as it will likely
> 	apply to your situation ... when I rebuilt iptables source it went 
> painlessly --- no error from config.h.
>
> 	I *DONT* like the relink .. I've a feeling this will break some 
> important defines....
> 	
> 	what do you get for modprobe --version and ld -v ?
> 	I suspect your modutils is incorrect for 2.6.0
>
>> lsmod gives me
>>
>> Module                  Size  Used by
>> ipt_REDIRECT            2048  1
>> iptable_nat            20140  2 ipt_REDIRECT
>> ip_tables              15104  2 ipt_REDIRECT,iptable_nat
>> ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
>>
>> iptables -t nat -L gives me
>>
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> REDIRECT   tcp  --  anywhere             anywhere            tcp
>> dpt:http redir ports 3128
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> testing it reveals that it is still not working - did i do anything 
>> wrong in the above steps? what further steps would you recommend to 
>> troubleshoot this problem?
>>
>> Peter Schobel
>> ~
>
>
*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************






* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Unknown, Alistair Tonner @ 2004-01-10  5:26 UTC (permalink / raw)
  To: Peter Schobel, netfilter

On January 9, 2004 09:08 pm, Peter Schobel wrote:
> ok, I removed the error line and the cat autoconf line from the
> config.h and got iptables 1.2.9 to compile against my kernel source and
> headers and reinstalled
>
> if i turn on ip_forward and try to access external sites, i get
> forwarded through to the external page without problem
>
> if i enable the iptables rule
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> my pages just time out when i try to access external sites
>
> but if i try to access the proxyhost directly using http, it redirects
> me to the proxy site without problem
>
> i get exactly the same results using this rule
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
> --to-destination $LOCALHOST:3128
>
> does anyone have any idea why traffic destined for external sites will
> not transparently redirect to squid for me?
>
> does anyone have any idea as to what further steps I can take to
> troubleshoot this problem?
>

	Have you tried LOGging the INPUT chain for both 80 and 3128?
	Or, perhaps more thorough, put a LOG rule in PREROUTING
	before the REDIRECT/DNAT rule to log what you will change,
	and since your destination is local, a LOG rule at the top of INPUT
	to catch *everything* for the interim? -- then see at what point 
	the packets are actually disappearing.
	
	I'm not sure I understand why this should be a problem... 
	FWIW -- when I rebuilt iptables (1.2.9) against kernel 2.6.0 my 
	/usr/include/linux contained the headers from a 2.4.19 kernel .. .and
	this is what my gcc was built against.  I believe that you need to have 
	the /usr/include/linux that existed when gcc was built in there ... but 
	someone who knows more about compilers than I might thump me on the
	skull for that ... I'm *NOT* 100% sure about the interdependencies... 


	Alistair Tonner ... 
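The LOG bracketing Alistair describes, written out as an added example (not code from the thread): it prints the LOG rules to put before the REDIRECT and at the top of INPUT, and then parses the kernel log lines those rules produce to report how far one client connection got. eth0 and port 3128 are the thread's; the log prefixes, the client/proxy addresses and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: LOG rules around the REDIRECT plus an
# awk parser for the lines the LOG target writes to the kernel log.
# eth0 and 3128 come from the thread; prefixes, IPs and sample lines are made up.

IPT=${IPT:-iptables}

# Print (do not run) the diagnostic rules.  Apply with:  trace_rules | sh
trace_rules() {
    # before the NAT rule: every port-80 packet that arrives on eth0
    echo "$IPT -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 80 -j LOG --log-prefix 'PRE-80: '"
    # top of filter INPUT: packets the REDIRECT rewrote to the local 3128
    echo "$IPT -I INPUT 1 -p tcp --dport 3128 -j LOG --log-prefix 'IN-3128: '"
    # top of filter INPUT: port-80 packets that reached INPUT untouched
    echo "$IPT -I INPUT 2 -p tcp --dport 80 -j LOG --log-prefix 'IN-80: '"
}

# Write constructed log lines (syslog format of the LOG target) to file $1.
# 192.0.2.10/.11 are clients, 192.0.2.1 is the proxy host, 198.51.100.80 a web server.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 14:52:21 proxyhost kernel: PRE-80: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:21 proxyhost kernel: IN-3128: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47715 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:24 proxyhost kernel: IN-3128: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=47717 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:53:02 proxyhost kernel: PRE-80: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=51000 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
EOF
}

# trace_flow LOGFILE SPT: one line per hit for that client source port,
# "<prefix> <DST>:<DPT>", i.e. where the packet was seen and what it was addressed to.
trace_flow() {
    awk -v want="$2" '
        index($0, "SPT=" want " ") == 0 { next }
        {
            stage = "(no prefix)"; dst = "?"; dpt = "?"
            # the prefix is the token just before "IN=", e.g. "PRE-80: IN="
            if (match($0, /[A-Za-z0-9-]+: IN=/))
                stage = substr($0, RSTART, RLENGTH - 5)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            print stage, dst ":" dpt
        }' "$1"
}

# diagnose LOGFILE SPT: collapse the trail into one verdict.
#   never-seen            - nothing for that port arrived on eth0 at all
#   reached-input-as-3128 - NAT worked and the packet hit INPUT for 3128;
#                           look at Squid / local delivery next
#   redirect-not-applied  - packet reached INPUT still addressed to port 80
#   lost-before-input     - seen in PREROUTING, never in INPUT (routing/NAT)
diagnose() {
    trace_flow "$1" "$2" | awk '
        $1 == "PRE-80"  { pre++ }
        $1 == "IN-3128" { in3128++ }
        $1 == "IN-80"   { in80++ }
        END {
            if (pre == 0)           print "never-seen"
            else if (in3128 > 0)    print "reached-input-as-3128"
            else if (in80 > 0)      print "redirect-not-applied"
            else                    print "lost-before-input"
        }'
}

# Stand-alone demo on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
trace_flow "$demo_log" 53036
echo "verdict for SPT 53036: $(diagnose "$demo_log" 53036)"
echo "verdict for SPT 41000: $(diagnose "$demo_log" 41000)"
rm -f "$demo_log"
```

On a live box, read the lines with `dmesg` or from the syslog file the kernel facility goes to, and remove the LOG rules again once the trail has been found.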


	



* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-10  2:08 UTC (permalink / raw)
  To: netfilter

ok, I removed the error line and the cat autoconf line from the 
config.h and got iptables 1.2.9 to compile against my kernel source and 
headers and reinstalled

if i turn on ip_forward and try to access external sites, i get 
forwarded through to the external page without problem

if i enable the iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-port 3128

my pages just time out when i try to access external sites

but if i try to access the proxyhost directly using http, it redirects 
me to the proxy site without problem

i get exactly the same results using this rule

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT 
--to-destination $LOCALHOST:3128

does anyone have any idea why traffic destined for external sites will 
not transparently redirect to squid for me?

does anyone have any idea as to what further steps I can take to 
troubleshoot this problem?

Thx in advance,

Peter Schobel

On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:

> On January 8, 2004 03:05 pm, Peter Schobel wrote:
>> ok, I downloaded the source ball for iptables 1.2.9, and compiled 
>> using
>>
>> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> i got an error from config.h telling me to use the glibc version so i
>> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
>>
>> then i compiled successfully and installed using
>>
>> make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> without incident
>>
>> i checked the timestamp on the iptables binary to make sure that it 
>> had
>> been overwritten
>>
>> I rmmod'd all the iptables modules and then reloaded my iptables rule
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>
> 	Ummm ... I don't understand where the error came from.... I'm using a 
> slackware based box with many upgrades
> 	(gcc glibc binutils and modutils....) my switch from 2.4.23 to 2.6.0 
> required a binutils and modutils
> 	upgrade FIRST -- I would hope that RPM dependencies are in place to 
> enforce this as it will likely
> 	apply to your situation ... when I rebuilt iptables source it went 
> painlessly --- no error from config.h.
>
> 	I *DONT* like the relink .. I've a feeling this will break some 
> important defines....
> 	
> 	what do you get for modprobe --version and ld -v ?
> 	I suspect your modutils is incorrect for 2.6.0
>
>> lsmod gives me
>>
>> Module                  Size  Used by
>> ipt_REDIRECT            2048  1
>> iptable_nat            20140  2 ipt_REDIRECT
>> ip_tables              15104  2 ipt_REDIRECT,iptable_nat
>> ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
>>
>> iptables -t nat -L gives me
>>
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> REDIRECT   tcp  --  anywhere             anywhere            tcp
>> dpt:http redir ports 3128
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> testing it reveals that it is still not working - did i do anything
>> wrong in the above steps? what further steps would you recommend to
>> troubleshoot this problem?
>>
>> Peter Schobel
>> ~
>
>




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-09 16:57 UTC (permalink / raw)
  To: netfilter


#error including kernel header in userspace; use the glibc headers 
instead!

On Friday, January 9, 2004, at 09:50  AM, Alistair Tonner wrote:

> On January 8, 2004 10:58 pm, Peter Schobel wrote:
>> On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:
>>> what do you get for modprobe --version and ld -v ?
>>> 	I suspect your modutils is incorrect for 2.6.0
>>
>> modprobe --version
>> module-init-tools version 0.9.12
>>
>> ld -v
>> GNU ld version 2.13.90.0.18 20030206
>
> 	Okay .. those are both good --
>
> 	is the error you are getting
> 	"WARNING : dont include kernel headers in userspace"
> 	?
> 	
> 	Alistair
>>
>>
>
>
Peter Schobel




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Unknown, Alistair Tonner @ 2004-01-09 14:50 UTC (permalink / raw)
  To: Peter Schobel, netfilter

On January 8, 2004 10:58 pm, Peter Schobel wrote:
> On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:
> > what do you get for modprobe --version and ld -v ?
> > 	I suspect your modutils is incorrect for 2.6.0
>
> modprobe --version
> module-init-tools version 0.9.12
>
> ld -v
> GNU ld version 2.13.90.0.18 20030206

	Okay .. those are both good -- 

	is the error you are getting
	"WARNING : dont include kernel headers in userspace"
	?
	
	Alistair
>
>



* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-09  3:58 UTC (permalink / raw)
  To: netfilter


On Thursday, January 8, 2004, at 09:33  PM, Alistair Tonner wrote:

> what do you get for modprobe --version and ld -v ?
> 	I suspect your modutils is incorrect for 2.6.0

modprobe --version
module-init-tools version 0.9.12

ld -v
GNU ld version 2.13.90.0.18 20030206

>
Peter Schobel




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Unknown, Alistair Tonner @ 2004-01-09  2:33 UTC (permalink / raw)
  To: Peter Schobel, netfilter

On January 8, 2004 03:05 pm, Peter Schobel wrote:
> ok, I downloaded the source ball for iptables 1.2.9, and compiled using
>
> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>
> i got an error from config.h telling me to use the glibc version so i
> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
>
> then i compiled successfully and installed using
>
> make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>
> without incident
>
> i checked the timestamp on the iptables binary to make sure that it had
> been overwritten
>
> I rmmod'd all the iptables modules and then reloaded my iptables rule
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>

	Ummm ... I don't understand where the error came from.... I'm using a slackware based box with many upgrades
	(gcc glibc binutils and modutils....) my switch from 2.4.23 to 2.6.0 required a binutils and modutils
	upgrade FIRST -- I would hope that RPM dependencies are in place to enforce this as it will likely
	apply to your situation ... when I rebuilt iptables source it went painlessly --- no error from config.h.

	I *DONT* like the relink .. I've a feeling this will break some important defines....
	
	what do you get for modprobe --version and ld -v ?
	I suspect your modutils is incorrect for 2.6.0

> lsmod gives me
>
> Module                  Size  Used by
> ipt_REDIRECT            2048  1
> iptable_nat            20140  2 ipt_REDIRECT
> ip_tables              15104  2 ipt_REDIRECT,iptable_nat
> ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
>
> iptables -t nat -L gives me
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere            tcp
> dpt:http redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> testing it reveals that it is still not working - did i do anything
> wrong in the above steps? what further steps would you recommend to
> troubleshoot this problem?
>
> Peter Schobel
> ~



* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-08 22:03 UTC (permalink / raw)
  To: netfilter

Thanks - that's encouraging

now i just have to figure out what's going wrong

Pete
~

On Thursday, January 8, 2004, at 04:45  PM, Sven Schuster wrote:

>
> Hello Peter,
>
> unfortunately I can't really help solving this problem, but at least
> I can tell that redirect and transparent proxying _should_ work on
> a 2.6.0 system cause I've been using it at home since 2.6.0 came out
> and even at -test stage I had no problems. My box is a RH 9 system
> with iptables 1.2.8.
>
> Sorry to have no more help for you... :(
>
> Sven
>
> -- 
> Linux zion 2.6.1-rc2 #2 Wed Jan 07 13:42:49 CET 2004 i686 athlon i386 
> GNU/Linux
>  22:40:27  up 1 day,  3:45,  2 users,  load average: 0.09, 0.05, 0.01




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-08 21:56 UTC (permalink / raw)
  To: netfilter


On Thursday, January 8, 2004, at 04:07  PM, Antony Stone wrote:

> On Thursday 08 January 2004 8:05 pm, Peter Schobel wrote:
>
>> ok, I downloaded the source ball for iptables 1.2.9, and compiled 
>> using
>>
>> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>>
>> i got an error from config.h telling me to use the glibc version so i
>> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h
>
> I'm not sure I like the implications of this - what version of the 
> kernel
> headers do you have in /usr/include/linux?

I'm using the kernel-source rpm package that matches my kernel package

kernel-source-2.6.0-1.107

this is what my original config.h file looks like

#ifndef _LINUX_CONFIG_H
#define _LINUX_CONFIG_H

#include <linux/autoconf.h>
#ifndef __KERNEL__
#error including kernel header in userspace; use the glibc headers 
instead!
#endif
#endif

Peter Schobel




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Sven Schuster @ 2004-01-08 21:45 UTC (permalink / raw)
  To: netfilter



Hello Peter,

unfortunately I can't really help solving this problem, but at least
I can tell that redirect and transparent proxying _should_ work on
a 2.6.0 system cause I've been using it at home since 2.6.0 came out
and even at -test stage I had no problems. My box is a RH 9 system
with iptables 1.2.8.

Sorry to have no more help for you... :(

Sven

-- 
Linux zion 2.6.1-rc2 #2 Wed Jan 07 13:42:49 CET 2004 i686 athlon i386 GNU/Linux
 22:40:27  up 1 day,  3:45,  2 users,  load average: 0.09, 0.05, 0.01


* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Antony Stone @ 2004-01-08 21:07 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 8:05 pm, Peter Schobel wrote:

> ok, I downloaded the source ball for iptables 1.2.9, and compiled using
>
> make KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>
> i got an error from config.h telling me to use the glibc version so i
> symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h

I'm not sure I like the implications of this - what version of the kernel 
headers do you have in /usr/include/linux?

> then i compiled successfully and installed using
>
> make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107
>
> without incident

> testing it reveals that it is still not working - did i do anything
> wrong in the above steps? what further steps would you recommend to
> troubleshoot this problem?

Hm.   I'm not sure I can help further with this, but I know there are other 
people on this list (Alistair?) who have been through this process and may be 
able to offer more help than I can.

Regards,

Antony.

-- 
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a 
bloody trail of designers and quality assurance people in its wake.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-08 20:05 UTC (permalink / raw)
  To: netfilter


ok, I downloaded the source ball for iptables 1.2.9, and compiled using

make KERNEL_DIR=/usr/src/linux-2.6.0-1.107

i got an error from config.h telling me to use the glibc version so i 
symlinked /usr/src/linux-2.6.0-1.107 to /usr/include/linux/config.h

then i compiled successfully and installed using

make install KERNEL_DIR=/usr/src/linux-2.6.0-1.107

without incident

i checked the timestamp on the iptables binary to make sure that it had 
been overwritten

I rmmod'd all the iptables modules and then reloaded my iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-port 3128

lsmod gives me

Module                  Size  Used by
ipt_REDIRECT            2048  1
iptable_nat            20140  2 ipt_REDIRECT
ip_tables              15104  2 ipt_REDIRECT,iptable_nat
ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat

iptables -t nat -L gives me

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp 
dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

testing it reveals that it is still not working - did i do anything 
wrong in the above steps? what further steps would you recommend to 
troubleshoot this problem?

Peter Schobel
~




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Antony Stone @ 2004-01-08 18:51 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 6:28 pm, Peter Schobel wrote:

> Dec 24, 2003: patch-o-matic 20031219 (for kernel >= 2.4.18, including
> 2.4.23)
> Please note that this release still does not yet support the
> just-released 2.6.0 kernel.
> Expect a so-called 'patch-o-matic-ng' release for 2.6.x support in the
> next couple of weeks.
>
> Does this mean that iptables will not work with 2.6 kernel? This seems
> unlikely to me - I think i'm understanding it incorrectly - please
> clarify

You are correct - it does not mean that iptables won't work with kernel 2.6.

It simply means that this version of patch-o-matic will not work with kernel 
2.6 (which is understandable, considering that p-o-m patches the kernel...)

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.





* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-08 18:28 UTC (permalink / raw)
  To: netfilter

Dec 24, 2003: patch-o-matic 20031219 (for kernel >= 2.4.18, including 
2.4.23)
Please note that this release still does not yet support the 
just-released 2.6.0 kernel.
Expect a so-called 'patch-o-matic-ng' release for 2.6.x support in the 
next couple of weeks.

Does this mean that iptables will not work with 2.6 kernel? This seems 
unlikely to me - I think i'm understanding it incorrectly - please 
clarify

Peter Schobel
~

On Thursday, January 8, 2004, at 12:35  PM, Antony Stone wrote:

> On Thursday 08 January 2004 5:28 pm, Peter Schobel wrote:
>
>> On Thursday, January 8, 2004, at 12:02  PM, Antony Stone wrote:
>>> On Thursday 08 January 2004 4:56 pm, Peter Schobel wrote:
>>>> I have a server that was running a transparent redirection proxy - i
>>>> was using 2.4.20 kernel on this system and i recently upgraded to
>>>> 2.6.0.107 kernel package for redhat 9
>>>>
>>>> Ever since i did the kernel upgrade the proxy does not work 
>>>> correctly.
>>>
>>> Have you recompiled the userspace iptables to match the new 
>>> kernelspace
>>> netfilter?
>>
>> No, I hadn't considered this. - I am using an rpm package
>> iptables-1.2.7a-2 - do you think this could be the problem?
>
> Yes, I do.   The kernelspace netfilter and the userspace iptables must 
> match
> in order for the two to work together.
>
>>> Does Squid seem to work correctly as a proxy if you configure your
>>> client
>>> browser to use it specifically, rather than doing it transparently?
>>
>> yes it works perfectly on port 80 as well as on port 3128 so the
>> redirection seems to be working - but the transparency does not
>
> That quite satisfactorily demonstrates that networking and Squid are 
> not the
> problem then, so it's definitely netfilter/iptables.
>
> Just recompile iptables with your new kernel (and its associated 
> header files)
> installed, and you should be back to normal.
>
> Antony.
>
> -- 
> The idea that Bill Gates appeared like a knight in shining armour to 
> lead all
> customers out of a mire of technological chaos neatly ignores the fact 
> that
> it was he who, by peddling second-rate technology, led them into it in 
> the
> first place.
>
>  - Douglas Adams in The Guardian, 25th August 1995
>
>
>
>




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Antony Stone @ 2004-01-08 17:35 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 5:28 pm, Peter Schobel wrote:

> On Thursday, January 8, 2004, at 12:02  PM, Antony Stone wrote:
> > On Thursday 08 January 2004 4:56 pm, Peter Schobel wrote:
> >> I have a server that was running a transparent redirection proxy - i
> >> was using 2.4.20 kernel on this system and i recently upgraded to
> >> 2.6.0.107 kernel package for redhat 9
> >>
> >> Ever since i did the kernel upgrade the proxy does not work correctly.
> >
> > Have you recompiled the userspace iptables to match the new kernelspace
> > netfilter?
>
> No, I hadn't considered this. - I am using an rpm package
> iptables-1.2.7a-2 - do you think this could be the problem?

Yes, I do.   The kernelspace netfilter and the userspace iptables must match 
in order for the two to work together.

> > Does Squid seem to work correctly as a proxy if you configure your
> > client
> > browser to use it specifically, rather than doing it transparently?
>
> yes it works perfectly on port 80 as well as on port 3128 so the
> redirection seems to be working - but the transparency does not

That quite satisfactorily demonstrates that networking and Squid are not the 
problem then, so it's definitely netfilter/iptables.

Just recompile iptables with your new kernel (and its associated header files) 
installed, and you should be back to normal.

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995





* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-08 17:28 UTC (permalink / raw)
  To: netfilter


On Thursday, January 8, 2004, at 12:02  PM, Antony Stone wrote:

> On Thursday 08 January 2004 4:56 pm, Peter Schobel wrote:
>
>> I have a server that was running a transparent redirection proxy - i
>> was using 2.4.20 kernel on this system and i recently upgraded to
>> 2.6.0.107 kernel package for redhat 9
>>
>> Ever since i did the kernel upgrade the proxy does not work correctly.
>
> Have you recompiled the userspace iptables to match the new kernelspace
> netfilter?

No, I hadn't considered this. - I am using an rpm package 
iptables-1.2.7a-2 - do you think this could be the problem?

>
> Does Squid seem to work correctly as a proxy if you configure your 
> client
> browser to use it specifically, rather than doing it transparently?
>

yes it works perfectly on port 80 as well as on port 3128 so the 
redirection seems to be working - but the transparency does not

Peter Schobel




* Re: Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Antony Stone @ 2004-01-08 17:02 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 4:56 pm, Peter Schobel wrote:

> I have a server that was running a transparent redirection proxy - i
> was using 2.4.20 kernel on this system and i recently upgraded to
> 2.6.0.107 kernel package for redhat 9
>
> Ever since i did the kernel upgrade the proxy does not work correctly.

Have you recompiled the userspace iptables to match the new kernelspace 
netfilter?

Does Squid seem to work correctly as a proxy if you configure your client 
browser to use it specifically, rather than doing it transparently?

Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.





* Problems with Transparent Proxy using IPTables, Squid and 2.6 kernel
From: Peter Schobel @ 2004-01-08 16:56 UTC (permalink / raw)
  To: netfilter

I have a server that was running a transparent redirection proxy - i 
was using 2.4.20 kernel on this system and i recently upgraded to 
2.6.0.107 kernel package for redhat 9

Ever since i did the kernel upgrade the proxy does not work correctly.

As far as I know, the kernel is configured properly

lsmod shows these iptables modules

Module                  Size  Used by
ipt_REDIRECT            2048  0
iptable_nat            20140  1 ipt_REDIRECT
ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
iptable_filter          2688  0
ip_tables              15104  3 ipt_REDIRECT,iptable_nat,iptable_filter

my INPUT, FORWARD and OUTPUT policies are all set to accept

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I am using this iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-port 3128

my nat table looks like this

iptables -t nat --list

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere           tcp 
dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip forwarding is enabled

cat /proc/sys/net/ipv4/ip_forward
1

squid is running on 3128 - the squid config looks like this

acl all src 0/0

visible_hostname proxyhost.porchlight.ca

http_port 3128

no_cache deny all

redirect_program /usr/local/bin/redirector.pl
redirect_children 5
redirect_rewrites_host_header on
redirector_access allow all

http_access allow all
http_reply_access allow all

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This configuration has not changed since before the kernel upgrade, 
except that there were a couple of rules preventing proxy access to the 
outside world which I removed in order to make things as simple as 
possible for debugging purposes.

I can see by running snort that the packets destined for the remote 
host are arriving on the interface.

I can see using "iptables -t nat --list -v -n" that the number of 
packets on the REDIRECT rule gets incremented by 1 each time I try to 
access a remote site, but the browser just times out waiting for a 
reply and the squid access.log does not record the access.

If I type http://proxyhost.porchlight.ca into the address bar of the 
browser, the port redirect works perfectly and squid redirects the 
traffic to the proxied site without problem; it is only when I attempt 
to access remote sites that the redirection does not work. As I 
mentioned before, this was all working and tested previous to the 
kernel upgrade.

I've been struggling with this for a couple days now.  Does anyone have 
any idea why this configuration is not working?

Thx in advance,


*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************
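One way to turn iptables LOG output into a verdict for the symptom described above (REDIRECT counter climbing, browser timing out, nothing in access.log), as an added example that is not from the original post or from Squid or netfilter: it assumes LOG rules placed before and after the REDIRECT so that a client's opening SYN is logged once with DPT=80 and again with DPT=3128, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Key=value fields of a netfilter LOG line; bare tokens such as SYN/ACK are TCP flags.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH")

def parse_log_line(line):
    """Turn one kernel LOG line into a dict of its fields plus a 'flags' set."""
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def diagnose_redirect(lines, orig_port=80, redirect_port=3128, min_syns=3):
    """Classify each client flow (SRC, SPT) whose opening SYN is in the log.
    'not redirected': SYN to orig_port never reappeared with DPT=redirect_port,
        so the REDIRECT rule did not rewrite it.
    'redirected but unanswered': SYN to redirect_port retransmitted >= min_syns
        times, i.e. no SYN/ACK came back and nothing accepted the connection.
    'redirected': rewritten and not retransmitted that often.
    """
    seen = defaultdict(lambda: {"orig": 0, "redir": 0})
    for line in lines:
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or f["flags"] != {"SYN"}:
            continue  # only connection-opening SYNs (no ACK set) matter here
        flow = (f["SRC"], f["SPT"])
        if f.get("DPT") == str(orig_port):
            seen[flow]["orig"] += 1
        elif f.get("DPT") == str(redirect_port):
            seen[flow]["redir"] += 1
    verdicts = {}
    for flow, c in seen.items():
        if c["redir"] == 0:
            verdicts[flow] = "not redirected"
        elif c["redir"] >= min_syns:
            verdicts[flow] = "redirected but unanswered"
        else:
            verdicts[flow] = "redirected"
    return verdicts

# Constructed sample (documentation-range addresses) in kernel LOG format: one flow rewritten 80 -> 3128 and then retransmitted, one never rewritten.
SAMPLE_LOG = """\
Jan 12 14:52:21 proxyhost IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=63 ID=1001 DF PROTO=TCP SPT=53036 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:21 proxyhost IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=60 TTL=63 ID=1001 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:24 proxyhost IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=60 TTL=63 ID=1003 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:27 proxyhost IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 LEN=60 TTL=63 ID=1005 DF PROTO=TCP SPT=53036 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 14:52:30 proxyhost IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TTL=63 ID=2001 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
""".splitlines()
```

A flow reported as "redirected but unanswered" means the nat rule did its job and the fault is on the listener side (squid not accepting on 3128), which matches a rising REDIRECT counter with an empty access.log.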


