On Thursday 25 March 2004 08:44, E Roberts wrote:
I have come across a strange problem, after what could be days, hours or
even 10 minutes my transparent proxy will just stop working. I have tried
tcpdump of this? What _exactly_ is not happening anymore?
Unfortunately this is on a production server and it always seems to happen during the day when I can't take enough time to truly watch and see what's going on in tcpdump; I get maybe 3 minutes before the calls start rolling in and have to reboot the unit. I have only been able to make sure that the server is getting the packets, to make sure it had nothing to do with the user's machine or the wireless interface. Also when I restart NoCatAuth, the user is still captured for a login, forwarded to the billing server and can auth correctly; once they finish that and try to use any websites through the transparent proxy, the requests don't make it to squid. NoCatAuth gateway and squid are on the same machine. In the access.log file no requests come in anymore once this happens.
to restart squid, flush and reset my firewall rules, restart NoCatAuth, and in the end the only thing that will get this working again is a full reboot.
The setup I'm using is this:
Slackware linux kernel 2.4.20
There are bugs in 2.4.20 iptables. Upgrade to latest and retest.
Are you saying bugs in the 2.4.20 'kernel' or in 1.2.8 'iptables'? Kinda got me confused on that line as to which part to upgrade; it would be a real pain to do a full kernel recompile and I might have better luck if I can just recompile iptables, or should they both be upgraded together?
Squid 2.5.STABLE4 iptables v1.2.8
My firewall rules seem to be unchanged when this takes effect, here is the
part for the transparent proxy:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 192.168.0.0/16 <ip removed> MARK match 0x4 tcp dpt:http redir ports 8080
REDIRECT tcp -- 192.168.0.0/16 anywhere MARK match 0x3 tcp dpt:http redir ports 8080
REDIRECT tcp -- 192.168.0.0/16 anywhere MARK match 0x2 tcp dpt:http redir ports 8080
REDIRECT tcp -- 192.168.0.0/16 anywhere MARK match 0x1 tcp dpt:http redir ports 8080
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- 1.0.0.0/8 anywhere
NoCat_Capture all -- anywhere anywhere
DROP tcp -- !localhost anywhere tcp dpt:8080
What is strange is that the sibling proxies are still able to use this as their parent, and if you connect to port 8080 directly it will work (of course this is without the above DROP being in the rules).
I figure this might be an IPtables issue but hope to see if anyone has had
this issue or could point me in the correct location.
Regards
-- vda
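One way to pin down which rule stops matching without watching tcpdump live, as an added example (Python; not code from the thread): take two snapshots of `iptables -t nat -L PREROUTING -v -n -x` a few minutes apart and diff the per-rule packet counters. The sample listings below are constructed to mirror the rules quoted above; a REDIRECT rule whose counter stays flat while NoCat_Capture keeps matching is the one that has stopped sending requests to squid.

```python
import re

# Constructed output of `iptables -t nat -L PREROUTING -v -n -x`, two snapshots
# a few minutes apart; rules mirror the thread's listing (mark 0x1 only, for brevity).
SNAP_BEFORE = """\
Chain PREROUTING (policy ACCEPT 4000 packets, 240000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1200     72000 REDIRECT   tcp  --  *      *       192.168.0.0/16       0.0.0.0/0            MARK match 0x1 tcp dpt:80 redir ports 8080
    3000    180000 NoCat_Capture  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      10       600 DROP       tcp  --  *      *       !127.0.0.1           0.0.0.0/0            tcp dpt:8080
"""
# Second snapshot: only NoCat_Capture has grown, the REDIRECT counter is flat.
SNAP_AFTER = SNAP_BEFORE.replace("3000    180000", "3400    204000")

# pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*?)\s*$"
)


def parse_counters(listing):
    """Map each rule (target, proto, source, dest, extra matches) to its packet count."""
    rules = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # the chain header and column header carry no rule counters
        pkts, _bytes, target, proto, _opt, _in, _out, src, dst, extra = m.groups()
        rules[(target, proto, src, dst, extra)] = int(pkts)
    return rules


def counter_deltas(before, after):
    """Packets matched by each rule between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {rule: a[rule] - b.get(rule, 0) for rule in a}


def stalled_redirects(before, after):
    """REDIRECT rules that matched nothing while other rules in the chain kept matching."""
    deltas = counter_deltas(before, after)
    other_traffic = any(d > 0 for r, d in deltas.items() if r[0] != "REDIRECT")
    return [r for r, d in deltas.items() if r[0] == "REDIRECT" and d == 0 and other_traffic]


if __name__ == "__main__":
    for rule in stalled_redirects(SNAP_BEFORE, SNAP_AFTER):
        print("stalled:", " ".join(rule))
```

Run the same two commands against the live box when the problem hits; if the REDIRECT counters are still climbing, the packets reach squid's port and the fault is past the NAT table.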
