Squid on separate box and it can't see packets


John Pearson
Hi all,
I have squid on a separate box on my network with ip address 192.168.1.2

In squid.conf I have:

http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 intercept

-------

On squid box:

$ sudo netstat -lnp | grep squid
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      2639/(squid-1)
tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN      2639/(squid-1)
udp        0      0 0.0.0.0:37444           0.0.0.0:*                           2639/(squid-1)
udp6       0      0 :::41465                :::*                                2639/(squid-1)

-------


I followed this example: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

iptables:

# your proxy IP
SQUIDIP=192.168.1.2

# your proxy listening port
SQUIDPORT=3129


iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

------

I am redirecting port 80 packets on my router to squid box

On one of the clients: 192.168.1.8, I am running
wget -v --bind-address=192.168.1.8 http://squid-cache.org:80

On squid box, I am running tcpdump and I am able to see those packets:

22:09:58.962316 IP 192.168.1.8.52219 > lists.squid-cache.org.http: Flags [S], seq 1999822717, win 29200, options [mss 1460,sackOK,TS val 26932460 ecr 0,nop,wscale 7], length 0
22:09:59.958994 IP 192.168.1.8.52219 > lists.squid-cache.org.http: Flags [S], seq 1999822717, win 29200, options [mss 1460,sackOK,TS val 26932560 ecr 0,nop,wscale 7], length 0
22:10:01.958981 IP 192.168.1.8.52219 > lists.squid-cache.org.http: Flags [S], seq 1999822717, win 29200, options [mss 1460,sackOK,TS val 26932760 ecr 0,nop,wscale 7], length 0

But squid is not seeing them. Squid log is empty.

Need advice. Thanks!

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid on separate box and it can't see packets

Eliezer Croitoru
Hey,

There are a couple of missing pieces (in my eyes) needed to understand the picture.
Is this squid box a router or just a proxy?
What tcpdump command did you run?
What are the networks that are involved?
What is the gateway and dhcp for this network?
If the client is a linux box then we need the output of:
$ ifconfig
$ route -n
Or
$ ip route

Thanks,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


Re: Squid on separate box and it can't see packets

John Pearson
Hi,

> Is this squid box a router or just a proxy?
- just a proxy

> What tcpdump command did you run?
- sudo tcpdump -i eth0

> What are the networks that are involved?
Setup:

Client    (192.168.1.8) --->  |    Router     |
                              | gateway/dhcp  | ---> Internet
Squid box (192.168.1.2) --->  |  192.168.1.1  |

Here Client (debian), squid (debian) and router are three separate devices.

> What is the gateway and dhcp for this network?
- Router is both gateway and dhcp server

> If the client is a linux box then we need the output of:

ifconfig:
eth0   Link encap:Ethernet  HWaddr b8:27:eb:91:83:20
          inet addr:192.168.1.8  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6236:7570:1f1e:d238/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:478898 (467.6 KiB)  TX bytes:2308050 (2.2 MiB)


ip route:
default via 192.168.1.1 dev eth0
169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.219.186  metric 202

Re: Squid on separate box and it can't see packets

Amos Jeffries
Administrator
On 15/02/2017 9:18 a.m., John Pearson wrote:
> Hi,
>
> Is this squid box a router or just a proxy?
> - just a proxy

There is the first problem.

NAT interception needs the machine Squid is running on to be configured
to operate as a router. It will be receiving packets destined to a
machine other than itself.

>
> What tcpdump command did you ran?
> - sudo tcpdump -i eth0
>
> What is the networks that are involved?
> Setup:
>
>> Client        (192.168.1.8) --->  |     Rotuer        |
>>                                                | gateway/dhcp | --->
>> Internet
>> Squid box (192.168.1.2) --->  |  192.168.1.1   |
>
>
> Here Client (debian), squid (debian) and router are three separate devices.
>

So the Squid machine;

requires this bit you did:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

PLUS the system TCP stack controls to turn it from an origin-server host
to a routing host. Otherwise the machine will silently drop packets not
destined to itself.


The router machine requires this:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#When_Squid_is_Internal_amongst_clients>

The router machine probably also needs the "Routing Setup":
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute#Routing_Setup>

Amos

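An added example, not code from Amos's reply or from the Squid project: a small audit script for the Squid box that checks the forwarding setting Amos points at and then pins down where the client's SYN is lost. The second and third checks are the ones that separate "tcpdump sees the packet" from "the kernel delivered it to Squid": tcpdump puts the NIC into promiscuous mode, so it also shows frames whose Ethernet destination is some other MAC, and the kernel never hands such frames to netfilter or to a listening socket. Comparing the destination MAC of the captured SYNs with the box's own MAC, and reading the packet counter on the REDIRECT rule, tells you whether the gateway is really routing port 80 to this host. The interface name, the MAC addresses and the sample tcpdump and iptables output below are constructed for the example; the parsing helpers take text so they can be tried without root or live traffic, and `--live` runs the real commands.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: find where a client's
# SYN is lost on a separate NAT-intercept box. Checks, in order:
#   1. net.ipv4.ip_forward on the Squid host (the routing-host setting above);
#   2. whether captured port-80 SYNs are L2-addressed to this host's MAC
#      (promiscuous tcpdump shows frames the IP stack then discards);
#   3. whether the nat REDIRECT rule has ever matched a packet.
# Helpers take text as arguments so they can be exercised offline.
SQUIDPORT=${SQUIDPORT:-3129}   # the intercept port from the poster's script
IFACE=${IFACE:-eth0}           # assumption: the Squid box's LAN interface

# Arg1: contents of /proc/sys/net/ipv4/ip_forward. True when forwarding is on.
forwarding_enabled() {
  [ "${1:-0}" = "1" ]
}

# Arg1: output of 'tcpdump -e -n', Arg2: this host's MAC (lowercase).
# Prints how many captured frames had that MAC as their Ethernet destination.
# tcpdump -e lines begin: "<time> <src-mac> > <dst-mac>, ethertype IPv4 (0x0800), ..."
frames_to_us() {
  printf '%s\n' "$1" | awk -v mac="$2" '$3 == ">" && $4 == mac "," { n++ } END { print n + 0 }'
}

# Arg1: output of 'iptables -t nat -L PREROUTING -v -n'.
# Prints the summed packet counter of REDIRECT rules aimed at SQUIDPORT (0 if none).
redirect_hits() {
  printf '%s\n' "$1" | awk -v port="$SQUIDPORT" '
    $3 == "REDIRECT" && $0 ~ ("redir ports " port) { n += $1 }
    END { print n + 0 }'
}

# Live audit. Needs root for iptables and tcpdump. Returns 0 only if every check passes.
audit_intercept_host() {
  status=0
  forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" ||
    { echo "ip_forward is 0: run 'sysctl -w net.ipv4.ip_forward=1'"; status=1; }

  nat=$(iptables -t nat -L PREROUTING -v -n 2>/dev/null)
  [ "$(redirect_hits "$nat")" -gt 0 ] ||
    { echo "REDIRECT to port $SQUIDPORT has matched 0 packets: netfilter never saw the SYNs"; status=1; }

  mac=$(tr 'A-F' 'a-f' < "/sys/class/net/$IFACE/address" 2>/dev/null)
  # grab up to five port-80 SYNs (give up after 10 s) and inspect their destination MAC
  cap=$(timeout 10 tcpdump -e -n -i "$IFACE" -c 5 'tcp dst port 80 and tcp[tcpflags] & tcp-syn != 0' 2>/dev/null)
  [ "$(frames_to_us "$cap" "$mac")" -gt 0 ] ||
    { echo "port-80 SYNs on $IFACE are not addressed to $mac: the gateway is not routing them to this box"; status=1; }
  return $status
}

# Constructed sample data (not real captures) so the helpers can be tried offline.
SAMPLE_CAPTURE='22:09:58.962316 b8:27:eb:91:83:20 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.8.52219 > 203.0.113.10.80: Flags [S], seq 1999822717, win 29200, length 0'
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.2          0.0.0.0/0            tcp dpt:80
    3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129'

if [ "${1:-}" = "--live" ]; then
  audit_intercept_host
else
  echo "frames addressed to 00:11:22:33:44:55: $(frames_to_us "$SAMPLE_CAPTURE" 00:11:22:33:44:55)"
  echo "frames addressed to 00:11:22:33:44:66: $(frames_to_us "$SAMPLE_CAPTURE" 00:11:22:33:44:66)"
  echo "REDIRECT hits: $(redirect_hits "$SAMPLE_NAT")"
fi
```

If the destination MAC check fails while tcpdump still shows the SYNs, the packets are reaching the wire but not this host's IP stack, which is the hub or mirror situation rather than a Squid or iptables problem. If the MACs match but the REDIRECT counter stays at zero, look at the mangle and raw tables and at rp_filter before touching squid.conf.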

Re: Squid on separate box and it can't see packets

Eliezer Croitoru
And just wanted to add a note that some Linux machines will act as a hub/bridge by default in a similar scenario (will not drop packets..).
I noticed it while working on some tiny lab and it's better to have the Linux machine with ipv4_forward turned on with an iptables DROP rule rather than without (with some distros and some specific kernels).

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


Re: Squid on separate box and it can't see packets

Amos Jeffries
Administrator
On 21/02/2017 10:25 a.m., Eliezer Croitoru wrote:
> And just wanted to add a note that some Linux machines will act as a
> hub/bridge by default in a similar scenario (will not drop
> packets..). I noticed it while working on some tiny lab and it's
> better to have the Linux machine with ipv4_forward turned on with an
> iptables DROP rule rather than without (with some distros and some
> specific kernels).

Nod.

If the machine is working as a true bridge then the packets will not be
going to Squid. It still needs the routing rules to route the packets
from its bridge interface to Squid, and from Squid to its bridge
outerface. Or for that matter to pass them from the bridge
inter/outerfaces and the NAT system.

Amos



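An added example, not from the thread or the Squid wiki, putting the two halves of the answer above into one script. On the gateway it sets up policy routing of the kind the linked IptablesPolicyRoute page is about, written here from scratch: clients' port-80 packets are marked and sent to the Squid box as next hop with their original destination address intact, which is what the intercept port needs in order to recover the real destination from its own host's NAT table; Squid's own outbound port-80 connections are exempted, otherwise the gateway would hand them straight back to Squid in a loop. On the Squid box it turns forwarding on, as Amos says, and sets the FORWARD policy to DROP so that, per Eliezer's note, the box does not quietly become a second gateway. The mark and table numbers are arbitrary choices and the router's client-facing interface name is an assumption. Without an `--apply-*` flag the script only prints the commands, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid wiki: the gateway-side policy
# routing and the Squid-host forwarding policy for an intercept proxy that sits
# on its own box among the clients. Prints the commands by default; --apply-router
# runs the gateway set on the gateway, --apply-squid runs the host set on the Squid box.
SQUIDIP=${SQUIDIP:-192.168.1.2}   # from the poster's script
LAN_IF=${LAN_IF:-eth1}            # assumption: the router's client-facing interface
MARK=3                            # arbitrary fwmark value
TABLE=2                           # arbitrary routing table number

# Commands for the gateway (192.168.1.1). The '! -s $SQUIDIP' exemption is what
# prevents gateway -> Squid -> gateway -> Squid looping on Squid's own fetches.
router_rules() {
  cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF ! -s $SQUIDIP -p tcp --dport 80 -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE
ip route add default via $SQUIDIP dev $LAN_IF table $TABLE
EOF
}

# Commands for the Squid box, on top of the LinuxRedirect rules the poster already has:
# forwarding on so the kernel accepts packets addressed to other hosts, and a DROP
# policy on FORWARD so it relays nothing except what REDIRECT turns into local traffic.
squid_host_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
EOF
}

# Sanity check before applying: the rule set must exempt Squid's own address
# exactly once, or the loop described above is guaranteed.
loop_guard_count() {
  router_rules | grep -c -- "! -s $SQUIDIP"
}

case "${1:-}" in
  --apply-router) router_rules | sh -e ;;
  --apply-squid)  squid_host_rules | sh -e ;;
  *) echo "# gateway:"; router_rules; echo "# squid box:"; squid_host_rules ;;
esac
```

Run it without arguments first and read the output against your interface names; the `ip rule`/`ip route` lines are not persistent, so put them in the gateway's network configuration once they work.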