* Problem with Transparent Proxy, Squid and 2.6 kernel
@ 2004-01-07 17:44 Peter Schobel
  2004-01-09  4:47 ` Ray Leach
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Schobel @ 2004-01-07 17:44 UTC (permalink / raw)
  To: netfilter

I have a server that was running a transparent redirection proxy - I 
was using 2.4.20 kernel on this system and I recently upgraded to 
2.6.0.107 kernel package for redhat 9

Ever since I did the kernel upgrade the proxy does not work correctly.

As far as I know, the kernel is configured properly

lsmod shows these iptables modules

Module                  Size  Used by
ipt_REDIRECT            2048  0
iptable_nat            20140  1 ipt_REDIRECT
ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
iptable_filter          2688  0
ip_tables              15104  3 ipt_REDIRECT,iptable_nat,iptable_filter

my INPUT, FORWARD and OUTPUT policies are all set to accept

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I am using this iptables rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

my nat table looks like this

iptables -t nat --list

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip forwarding is enabled

cat /proc/sys/net/ipv4/ip_forward
1

squid is running on 3128 - the squid config looks like this

acl all src 0/0

visible_hostname proxyhost.porchlight.ca

http_port 3128

no_cache deny all

redirect_program /usr/local/bin/redirector.pl
redirect_children 5
redirect_rewrites_host_header on
redirector_access allow all

http_access allow all
http_reply_access allow all

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This configuration has not changed since before the kernel upgrade 
except that there were a couple of rules preventing proxy access to the 
outside world which I removed in order to make things as simple as 
possible for debugging purposes

I can see by running snort that the packets destined for the remote 
host are arriving on the interface

I can see using "iptables -t nat --list -v -n" that the number of 
packets on the REDIRECT rule gets incremented by 1 each time I try to 
access a remote site - but the browser just times out waiting for a 
reply and the squid access.log does not record the access

If I type http://proxyhost.porchlight.ca into the address bar of the 
browser, the port redirect works perfectly and squid redirects the 
traffic to the proxied site without problem - it is only when I attempt 
to access remote sites that the redirection does not work.  As I 
mentioned before - this was all working and tested previous to the 
kernel upgrade.

I've been struggling with this for a couple days now.  Does anyone have 
any idea why this configuration is not working?

Thx in advance,

*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************
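
The check described in the message above (the REDIRECT counter goes up by one per attempt while squid's access.log stays empty), as an added example that is not part of the original post. The snapshots, the counter values and the function names are constructed for illustration; on a live system the snapshots would come from `iptables -t nat -L PREROUTING -v -n -x` taken before and after one browser request.

```shell
#!/bin/sh
# Added example. Both snapshots are constructed, in the layout printed by
# "iptables -t nat -L PREROUTING -v -n -x"; the counter values are made up.
SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 120 packets, 7200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      41     2460 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'
SNAP_AFTER='Chain PREROUTING (policy ACCEPT 120 packets, 7200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'
# Constructed access.log contents before and after the attempt (both empty).
LOG_BEFORE=''
LOG_AFTER=''

# redirect_pkts SNAPSHOT PORT: packet count summed over REDIRECT rules to PORT.
# Fails with status 1 when the snapshot holds no such rule.
redirect_pkts() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "REDIRECT" && $(NF-1) == "ports" && $NF == port { sum += $1; hit = 1 }
        END { if (!hit) exit 1; print sum }'
}

# redirect_delta BEFORE AFTER PORT: packets that hit the rule between snapshots.
redirect_delta() {
    before=$(redirect_pkts "$1" "$3") || return 2
    after=$(redirect_pkts "$2" "$3") || return 2
    echo $((after - before))
}

# log_lines TEXT: number of non-empty lines in a log excerpt.
log_lines() { printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'; }

# classify NAT_DELTA LOG_DELTA: where the request stopped being visible.
classify() {
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then echo "redirected-not-logged"
    elif [ "$1" -gt 0 ]; then echo "redirected-and-logged"
    else echo "not-redirected"
    fi
}

nat_delta=$(redirect_delta "$SNAP_BEFORE" "$SNAP_AFTER" 3128)
log_delta=$(( $(log_lines "$LOG_AFTER") - $(log_lines "$LOG_BEFORE") ))
echo "nat delta=$nat_delta log delta=$log_delta: $(classify "$nat_delta" "$log_delta")"
```

A result of redirected-not-logged matches the symptom reported here: the nat rule matched the packet, but no request reached squid's log.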




* Re: Problem with Transparent Proxy, Squid and 2.6 kernel
  2004-01-07 17:44 Problem with Transparent Proxy, Squid and 2.6 kernel Peter Schobel
@ 2004-01-09  4:47 ` Ray Leach
  2004-01-09 16:46   ` Peter Schobel
  0 siblings, 1 reply; 3+ messages in thread
From: Ray Leach @ 2004-01-09  4:47 UTC (permalink / raw)
  To: Netfilter Mailing List

On Wed, 2004-01-07 at 19:44, Peter Schobel wrote:
> I have a server that was running a transparent redirection proxy - I 
> was using 2.4.20 kernel on this system and I recently upgraded to 
> 2.6.0.107 kernel package for redhat 9
> 
> Ever since I did the kernel upgrade the proxy does not work correctly.
> 
> As far as I know, the kernel is configured properly
> 
> lsmod shows these iptables modules
> 
> Module                  Size  Used by
> ipt_REDIRECT            2048  0
> iptable_nat            20140  1 ipt_REDIRECT
> ip_conntrack           28464  2 ipt_REDIRECT,iptable_nat
> iptable_filter          2688  0
> ip_tables              15104  3 ipt_REDIRECT,iptable_nat,iptable_filter
> 
> my INPUT, FORWARD and OUTPUT policies are all set to accept
> 
> iptables -L
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> I am using this iptables rule
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> my nat table looks like this
> 
> iptables -t nat --list
> 
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:http redir ports 3128
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> ip forwarding is enabled
> 
> cat /proc/sys/net/ipv4/ip_forward
> 1
> 
> squid is running on 3128 - the squid config looks like this
> 
> acl all src 0/0
> 
> visible_hostname proxyhost.porchlight.ca
> 
> http_port 3128
> 
> no_cache deny all
> 
> redirect_program /usr/local/bin/redirector.pl
> redirect_children 5
> redirect_rewrites_host_header on
> redirector_access allow all
> 
> http_access allow all
> http_reply_access allow all
> 
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> 
> This configuration has not changed since before the kernel upgrade 
> except that there were a couple of rules preventing proxy access to the 
> outside world which I removed in order to make things as simple as 
> possible for debugging purposes
> 
> I can see by running snort that the packets destined for the remote 
> host are arriving on the interface
> 
> I can see using "iptables -t nat --list -v -n" that the number of 
> packets on the REDIRECT rule gets incremented by 1 each time I try to 
> access a remote site - but the browser just times out waiting for a 
> reply and the squid access.log does not record the access
> 
> If I type http://proxyhost.porchlight.ca into the address bar of the 
> browser, the port redirect works perfectly and squid redirects the 
> traffic to the proxied site without problem - it is only when I attempt 
> to access remote sites that the redirection does not work.  As I 
> mentioned before - this was all working and tested previous to the 
> kernel upgrade.
> 
> I've been struggling with this for a couple days now.  Does anyone have 
> any idea why this configuration is not working?
> 
> Thx in advance,
> 
> *****************************
> Peter Schobel
> Network Administrator
> Porchlight.ca
> Unlimited Internet
> *****************************
> In a world without walls or fences
> We will have no need for gates or windows
> *****************************
> 
> 
What version of iptables are you using?

I use iptables v1.2.8 with the 2.6.0 kernel on SuSE and it works fine,





* Re: Problem with Transparent Proxy, Squid and 2.6 kernel
  2004-01-09  4:47 ` Ray Leach
@ 2004-01-09 16:46   ` Peter Schobel
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Schobel @ 2004-01-09 16:46 UTC (permalink / raw)
  To: netfilter


On Thursday, January 8, 2004, at 11:47  PM, Ray Leach wrote:
> What version of iptables are you using?
>
> I use iptables v1.2.8 with the 2.6.0 kernel on SuSE and it works fine,
>
>
>
>
Well, I was using iptables 1.2.7a rpm package but once I found out that 
it needed to be compiled against 2.6 kernel I downloaded the source for 
1.2.9 and compiled it - I think today I will try 1.2.8 as you are the 
second person who said it is working for you.


*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************


