[squid-users] Re: transparent proxy on remote box issue

2013-11-03 Thread WorkingMan
> > I can say for sure this is the issue. First of all I can make this work with > two Ubuntu VMs under the same LAN which allowed me to compare the difference. > > Eliezer's observation is correct. On my VMs traffic goes through the gateway > (ie: the router) before going to the remote box.

[squid-users] Re: transparent proxy on remote box issue

2013-11-03 Thread WorkingMan
WorkingMan yahoo.com> writes: > > Eliezer Croitoru ngtech.co.il> writes: > > > > > Hey there, > > > > Man you need to understand something. > > Your basic routing doesn't help in any way. > > In your case you should have a network which is a simple thing... > > I do not remember the machine s

[squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread WorkingMan
Eliezer Croitoru ngtech.co.il> writes: > > Hey there, > > Man you need to understand something. > Your basic routing doesn't help in any way. > In your case you should have a network which is a simple thing... > I do not remember the machine settings but once you have a strict > "default via I

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread Eliezer Croitoru
Hey there, Man you need to understand something. Your basic routing doesn't help in any way. In your case you should have a network which is a simple thing... I do not remember the machine settings but once you have a strict "default via IP" the packets should flow through this host. try to make

[squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread WorkingMan
Amos Jeffries treenet.co.nz> writes: > > On 2/11/2013 9:17 p.m., WorkingMan wrote: > >> One hint I had was that the traffic is not marked correctly. > >> > >> This line if added (I got it from somewhere online) will change the mac > > address > >> of > >> the web site to be the one of SQUID: >

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread Amos Jeffries
On 2/11/2013 9:46 p.m., WorkingMan wrote: I have confidence that we can get to the bottom of this with this level of details. I am currently stuck at this step: VPN Server - > Web Site (SQUID's mac) This was also where I was stuck before. At this point I am simply issuing a curl www.cnn.com

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread Amos Jeffries
On 2/11/2013 9:17 p.m., WorkingMan wrote: One hint I had was that the traffic is not marked correctly. This line if added (I got it from somewhere online) will change the mac address of the web site to be the one of SQUID: iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-

[squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread WorkingMan
> > > > I have confidence that we can get to the bottom of this with this level of > > details. > > I am currently stuck at this step: > > > > VPN Server - > Web Site (SQUID's mac) > > > > This was also where I was stuck before. At this point I am simply issuing a > > curl > > www.cnn.com from VP

[squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread WorkingMan
> One hint I had was that the traffic is not marked correctly. > > This line if added (I got it from somewhere online) will change the mac address > of > the web site to be the one of SQUID: > > iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 2 > > With that rule:

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-02 Thread Amos Jeffries
On 2/11/2013 7:24 p.m., WorkingMan wrote: There is a very specific order of packet flow required to get these things working. And an equally specific order of configuration and testing needed to ensure that it is all working. I have taken the liberty of re-arranging the details you posted

[squid-users] Re: transparent proxy on remote box issue

2013-11-01 Thread WorkingMan
> There is a very specific order of packet flow required to get these > things working. And an equally specific order of configuration and > testing needed to ensure that it is all working. > > I have taken the liberty of re-arranging the details you posted to > follow the order of configur

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-01 Thread Amos Jeffries
On 2/11/2013 9:42 a.m., WorkingMan wrote: Eliezer Croitoru ngtech.co.il> writes: On 11/01/2013 10:30 AM, WorkingMan wrote: I am not using TPROXY. VPN/SQUID are two different servers. OK now you mangled everything!! try to start from scratch which means design. Put the VPN on the same squid s

[squid-users] Re: transparent proxy on remote box issue

2013-11-01 Thread WorkingMan
Eliezer Croitoru ngtech.co.il> writes: > > On 11/01/2013 10:30 AM, WorkingMan wrote: > > I am not using TPROXY. VPN/SQUID are two different servers. > OK now you mangled everything!! > try to start from scratch which means design. > Put the VPN on the same squid server or retry to design the net

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-01 Thread Eliezer Croitoru
On 11/01/2013 10:30 AM, WorkingMan wrote: I am not using TPROXY. VPN/SQUID are two different servers. OK now you mangled everything!! try to start from scratch which means design. Put the VPN on the same squid server or retry to design the network in a way it will work. Once you will prepare th

[squid-users] Re: transparent proxy on remote box issue

2013-11-01 Thread WorkingMan
Eliezer Croitoru ngtech.co.il> writes: > > Just to make sure I understood: > How many boxes do you have? > what is VPN and what is SQUID? > You do understand that there is no way to run TPROXY on Amazon safely?? > So leave TPROXY out of sight for now. > > If you have two machines it's another s

Re: [squid-users] Re: transparent proxy on remote box issue

2013-11-01 Thread Eliezer Croitoru
Just to make sure I understood: How many boxes do you have? what is VPN and what is SQUID? You do understand that there is no way to run TPROXY on Amazon safely?? So leave TPROXY out of sight for now. If you have two machines it's another story. if you do have one machine then what is the: "ip ro

[squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread WorkingMan
> I am suspecting something is going on but I am just not seeing it in the logs. > tshark is not catching anything either by host or port 3130 on either > VPN/SQUID. Does the TPROXY way work for SQUID on a remote server because I > was going to try that next? > > ping, dns lookup all seems norm

[squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread WorkingMan
Eliezer Croitoru ngtech.co.il> writes: > > Hey, > > On 10/31/2013 09:58 AM, WorkingMan wrote: > > iptables -t nat -A POSTROUTING -j MASQUERADE > > try to flush all the iptables rules by: > iptables -t nat -F > iptables -t filter -F > iptables -t mangle -F > > then add the next: > iptables -t

Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread Eliezer Croitoru
Hey, On 10/31/2013 09:58 AM, WorkingMan wrote: iptables -t nat -A POSTROUTING -j MASQUERADE try to flush all the iptables rules by: iptables -t nat -F iptables -t filter -F iptables -t mangle -F then add the next: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sysctl -w net.ipv4.ip_forw

[squid-users] Re: transparent proxy on remote box issue

2013-10-31 Thread WorkingMan
> Some questions that might lead you in a useful direction for solving this: > * is eth0 the right interface to be operating with? > does VPN have an interface of its own with better results? > is there something special you have to add on top of all this to make > it work over a VPN connect

Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-30 Thread Amos Jeffries
On 31/10/2013 7:38 a.m., WorkingMan wrote: I hope I can refocus this question to the real problem. I currently have a working VPN setup but once I add my policy routing rules it breaks the client's port 80 connection (everything else still good, apps still work. I don't see any traffic going to m

[squid-users] Re: transparent proxy on remote box issue

2013-10-30 Thread WorkingMan
I hope I can refocus this question to the real problem. I currently have a working VPN setup but once I add my policy routing rules it breaks the client's port 80 connection (everything else still good, apps still work. I don't see any traffic going to my SQUID server. First of all I don't use ca

[squid-users] Re: transparent proxy on remote box issue

2013-10-29 Thread WorkingMan
> Depends on the VPN client.. > What VPN client have you used until now? > > Eliezer I am using iPhone 5's Built-in client. Server is strongswan 5.1. I will be testing with android's built-in client.

Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-29 Thread Eliezer Croitoru
On 10/29/2013 06:30 PM, WorkingMan wrote: The short answer is I need a transparent proxy (url rewrite and traffic inspection) behind VPN (going for the security not for speed; cache will not be used; proxy only). This is maybe squid area Amazon VPC - 10.0.0.0/16 (subnet goes under that CIDR) V

[squid-users] Re: transparent proxy on remote box issue

2013-10-29 Thread WorkingMan
Eliezer Croitoru ngtech.co.il> writes: > > Hey, > > I was wondering to myself? > Why do you intercept traffic using Amazon? > You should host your proxy close enough to have good response time which > is ok if Amazon is close enough. > > In order to perform your goal you will need to use the

[squid-users] Re: transparent proxy on remote box issue

2013-10-28 Thread WorkingMan
> That line above the headers is showing the problem: > > HTTP Client local=:3130 remote=:65090 FD 10 > flags=1 > > local= contains the details of www.nba.com server where the request is > being fetched original dst IP:port from the TCP packets. > remote= contains the client src IP:por

Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-25 Thread Amos Jeffries
On 26/10/2013 8:46 a.m., WorkingMan wrote: What I tried: 1) with clean.rules I can connect to VPN and access internet without any issue 1b) On SQUID or VPN server curl -x http://localhost:3130 www.nba.com works 2) with proxy.rules VPN client gets invalid URL (previously mentioned error). proxy is n

[squid-users] Re: transparent proxy on remote box issue

2013-10-25 Thread WorkingMan
WorkingMan yahoo.com> writes: > - > GET / HTTP/1.1 > Host: www.nba.com > Accept-Encoding: gzip, deflate > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M > Cookie: s_fid=32FDC9FA0E2D94CE-297956A1143A207A; s_vi= > [CS]v1|28AFB9BC0501287A-61094003481F[CE]^M >

[squid-users] Re: transparent proxy on remote box issue

2013-10-25 Thread WorkingMan
What I tried: 1) with clean.rules I can connect to VPN and access internet without any issue 1b) On SQUID or VPN server curl -x http://localhost:3130 www.nba.com works 2) with proxy.rules VPN client gets invalid URL (previously mentioned error). proxy is not intercept or transparent http_port 3130

Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-24 Thread Amos Jeffries
On 24/10/2013 3:45 p.m., WorkingMan wrote: 1) why intercept mode fails (do I need any special rule on my remote SQUID box?) with access denied for all requests Where is the NAT/TPROXY interception happening for (1)? It is required to be done directly on the Squid machine, with packets sent to

[squid-users] Re: transparent proxy on remote box issue

2013-10-24 Thread WorkingMan
For access denied I found something interesting. client_side_request.cc(572) hostHeaderIpVerify: validate IP 127.0.0.1:3130 non-match from Host: IP 165.254.27.105 client_side_request.cc(572) hostHeaderIpVerify: validate IP 127.0.0.1:3130 non-match from Host: IP 165.254.27.115 client_side_request

[squid-users] Re: transparent proxy on remote box issue

2013-10-23 Thread WorkingMan
For #2 the error from SQUID's error page that I see is like this: ERROR The requested error was encountered while trying to retrieve the URL : / Invalid URL Some aspect of the requested URL is incorrect. Some possible problems are: Missing or incorrect access protocol Missing hostname ... S

[squid-users] Re: transparent proxy on remote box issue

2013-10-23 Thread WorkingMan
> > 1) why intercept mode fails (do I need any special rule on my remote SQUID > > box?) with access denied for all requests > > Where is the NAT/TPROXY interception happening for (1)? > > It is required to be done directly on the Squid machine, with packets > sent to that machine by *routing*

Re: [squid-users] Re: transparent proxy on remote box issue

2013-10-23 Thread Amos Jeffries
On 24/10/2013 9:45 a.m., WorkingMan wrote: It appears that one of the tests I was doing is not correct so it can yield some hint to the problem. "-k reconfigure" didn't take effect when I made the change. So for the browser with direct proxy setting. I am able to browse correctly if not using "int

[squid-users] Re: transparent proxy on remote box issue

2013-10-23 Thread WorkingMan
To eliminate any iptables issues. I also tested on SQUID server using curl. curl -x http://localhost:3130 www.cnn.com Of course I am also getting the same error of access denied.

[squid-users] Re: transparent proxy on remote box issue

2013-10-23 Thread WorkingMan
It appears that one of the tests I was doing is not correct so it can yield some hint to the problem. "-k reconfigure" didn't take effect when I made the change. So for the browser with direct proxy setting. I am able to browse correctly if not using "intercept" (ie: using SQUID server's public I