I'm trying to setup Squid 3.HEAD (3.2.x) in Fully transparent mode with 
brouting (ebtables) but don't ever see the sync request coming into squid.   
Anyone see what I'm missing? 

I started with Fedora 14 but read there could be issues with the kernel and 
dropped back to FC 12 to get 
        Linux fw01.localdomain 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 
21:25:57 EST 2009 i686 i686 i386 GNU/Linux

My system config is as follows: 

I have three interfaces on the system... Eth1 is the the admin interface.  Eth2 
is the client side facing interface and Eth0 is facing the internet and br0 is 
the bridge. 

011/03/13 10:35:33.169 kid1| The AsyncCall clientListenerConnectionOpened 
constructed, this=0xa2fb668 [call8]
2011/03/13 10:35:33.169 kid1| StartListening.cc(52) will call 
clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410) [call8]
2011/03/13 10:35:33.169 kid1| The AsyncCall clientListenerConnectionOpened 
constructed, this=0xa2fb750 [call10]
2011/03/13 10:35:33.170 kid1| StartListening.cc(52) will call 
clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498) [call10]
2011/03/13 10:35:33.170 kid1| The AsyncCall clientListenerConnectionOpened 
constructed, this=0xa2fb838 [call12]
2011/03/13 10:35:33.170 kid1| StartListening.cc(52) will call 
clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520) [call12]
2011/03/13 10:35:33.170 kid1| HTCP Disabled.
2011/03/13 10:35:33.170 kid1| Squid plugin modules loaded: 0
2011/03/13 10:35:33.170 kid1| Adaptation support is off.
2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 
message adaptation services
2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 
message adaptation service groups
2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 
message adaptation access rules
2011/03/13 10:35:33.170 kid1| Ready to serve requests.
2011/03/13 10:35:33.170 kid1| entering clientListenerConnectionOpened(FD 15, 
err=0, port=0xa07f410)
2011/03/13 10:35:33.170 kid1| AsyncCall.cc(32) make: make call 
clientListenerConnectionOpened [call8]
2011/03/13 10:35:33.170 kid1| AcceptingHTTP Socket connections at  FD 15 on 
[::]:3128
2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 15, 
err=0, port=0xa07f410)
2011/03/13 10:35:33.171 kid1| entering clientListenerConnectionOpened(FD 16, 
err=0, port=0xa07f498)
2011/03/13 10:35:33.171 kid1| AsyncCall.cc(32) make: make call 
clientListenerConnectionOpened [call10]
2011/03/13 10:35:33.171 kid1| Accepting spoofingHTTP Socket connections at  FD 
16 on 0.0.0.0:3129
2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 16, 
err=0, port=0xa07f498)
2011/03/13 10:35:33.171 kid1| entering clientListenerConnectionOpened(FD 17, 
err=0, port=0xa07f520)
2011/03/13 10:35:33.171 kid1| AsyncCall.cc(32) make: make call 
clientListenerConnectionOpened [call12]
2011/03/13 10:35:33.171 kid1| Accepting interceptedHTTP Socket connections at  
FD 17 on 0.0.0.0:3130
2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 17, 
err=0, port=0xa07f520)
2011/03/13 10:35:34 kid1| storeLateRelease: released 0 objects

Confirmed by lsof. 

root@fw01 ~]# lsof -i -nP | grep squid
squid     2090   squid    7u  IPv6  20137      0t0  UDP *:41566 
squid     2090   squid    8u  IPv4  20138      0t0  UDP *:48061 
squid     2090   squid   15u  IPv6  20383      0t0  TCP *:3128 (LISTEN)
squid     2090   squid   16u  IPv4  20384      0t0  TCP *:3129 (LISTEN)
squid     2090   squid   17u  IPv4  20385      0t0  TCP *:3130 (LISTEN)


[root@fw01 ~]# ip rule list 
0:      from all lookup local 
32765:  from all fwmark 0x1 iif lo lookup 100 
32766:  from all lookup main 
32767:  from all lookup default 

NOTE: -- I get these errors when trying to add any additional routing 

[root@fw01 ~]# ip route add local 0.0.0.0/0 dev eth0  table 100 
RTNETLINK answers: File exists

[root@fw01 ~]# ip route add local 0.0.0.0/0 dev eth2  table 100 
RTNETLINK answers: File exists

[root@fw01 ~]# ip route list table all 
local default dev lo  table 100  scope host 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.90 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.78  metric 1 
default via 192.168.1.254 dev br0 
broadcast 192.168.1.0 dev eth1  table local  proto kernel  scope link  src 
192.168.1.78 
broadcast 192.168.1.0 dev br0  table local  proto kernel  scope link  src 
192.168.1.90 
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 
127.0.0.1 
local 192.168.1.90 dev br0  table local  proto kernel  scope host  src 
192.168.1.90 
broadcast 192.168.1.255 dev eth1  table local  proto kernel  scope link  src 
192.168.1.78 
broadcast 192.168.1.255 dev br0  table local  proto kernel  scope link  src 
192.168.1.90 
local 192.168.1.78 dev eth1  table local  proto kernel  scope host  src 
192.168.1.78 
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 
127.0.0.1 
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev br0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 
hoplimit 255
local ::1 via :: dev lo  table local  proto none  metric 0  mtu 16436 advmss 
16376 hoplimit 0
local fe80::207:e9ff:fee5:ac7a via :: dev lo  table local  proto none  metric 0 
 mtu 16436 advmss 16376 hoplimit 0
local fe80::240:f4ff:fecd:170 via :: dev lo  table local  proto none  metric 0  
mtu 16436 advmss 16376 hoplimit 0
local fe80::240:f4ff:fecd:170 via :: dev lo  table local  proto none  metric 0  
mtu 16436 advmss 16376 hoplimit 0
local fe80::2a0:c9ff:fe08:4c26 via :: dev lo  table local  proto none  metric 0 
 mtu 16436 advmss 16376 hoplimit 0
ff00::/8 dev eth1  table local  metric 256  mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev eth2  table local  metric 256  mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev br0  table local  metric 256  mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev eth0  table local  metric 256  mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 
hoplimit 255
[root@fw01 ~]# 


[root@fw01 ~]# ifconfig -a 
br0       Link encap:Ethernet  HWaddr 00:40:F4:CD:01:70  
          inet addr:192.168.1.90  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::240:f4ff:fecd:170/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144404 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:181401897 (172.9 MiB)  TX bytes:27113936 (25.8 MiB)

eth0      Link encap:Ethernet  HWaddr 00:A0:C9:08:4C:26  
          inet6 addr: fe80::2a0:c9ff:fe08:4c26/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:151170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:190817348 (181.9 MiB)  TX bytes:27115370 (25.8 MiB)

eth1      Link encap:Ethernet  HWaddr 00:07:E9:E5:AC:7A  
          inet addr:192.168.1.78  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::207:e9ff:fee5:ac7a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29328 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:959581 (937.0 KiB)  TX bytes:38109473 (36.3 MiB)

eth2      Link encap:Ethernet  HWaddr 00:40:F4:CD:01:70  
          inet6 addr: fe80::240:f4ff:fecd:170/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1872 (1.8 KiB)  TX bytes:182786344 (174.3 MiB)
          Interrupt:18 Base address:0x2800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1308 (1.2 KiB)  TX bytes:1308 (1.2 KiB)

pan0      Link encap:Ethernet  HWaddr 3A:5D:43:EE:D1:16  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@fw01 ~]# 


Bridge config: 

[root@fw01 logs]# ebtables-save 
# Generated by ebtables-save v1.0 on Sun Mar 13 10:52:47 PDT 2011
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT

*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i eth2 --ip-proto tcp --ip-dport 80 --log-level notice 
--log-prefix "ebt-dport-80:" -j redirect  --redirect-target DROP
-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 --log-level notice 
--log-prefix "ebt-sport-80:" -j redirect  --redirect-target DROP

-----------

Mar 13 11:04:47 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = 
b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800
Mar 13 11:05:08 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = 
b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800
Mar 13 11:05:57 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = 
b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800
Mar 13 11:08:48 fw01 kernel: ebt-dport-80: IN=eth2 OUT= MAC source = 
00:50:56:36:df:78 MAC dest = 00:17:f2:09:8a:56 proto = 0x0800
Mar 13 11:08:51 fw01 kernel: ebt-dport-80: IN=eth2 OUT= MAC source = 
00:50:56:36:df:78 MAC dest = 00:17:f2:09:8a:56 proto = 0x0800


[root@fw01 ~]# cat /var/log/messages  | grep PROXYIT 
Mar 13 10:41:24 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= 
MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61864 DF PROTO=TCP SPT=40748 DPT=80 
WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 13 10:41:27 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= 
MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61865 DF PROTO=TCP SPT=40748 DPT=80 
WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 13 10:41:33 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= 
MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61866 DF PROTO=TCP SPT=40748 DPT=80 
WINDOW=5840 RES=0x00 SYN URGP=0 

------------

I created a PROXYIT table to confirm the routing and also, the filter table is 
empty. 

[root@fw01 ~]# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 649K packets, 873M bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
33821 1936K DIVERT     tcp  --  any    any     anywhere             anywhere    
        socket 
   17  1020 PROXYIT    tcp  --  any    any     anywhere             anywhere    
        tcp dpt:http 
 649K  873M LOGTPROXY2  all  --  any    any     anywhere             anywhere   
         

Chain INPUT (policy ACCEPT 34681 packets, 2071K bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain FORWARD (policy ACCEPT 88 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain OUTPUT (policy ACCEPT 27623 packets, 96M bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain POSTROUTING (policy ACCEPT 27731 packets, 96M bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
33821 1936K MARK       all  --  any    any     anywhere             anywhere    
        MARK or 0x1 
33821 1936K LOGDIVERT  all  --  any    any     anywhere             anywhere    
        
33821 1936K ACCEPT     all  --  any    any     anywhere             anywhere    
        

Chain LOGDIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
 1862  115K LOG        all  --  any    any     anywhere             anywhere    
        limit: avg 1/sec burst 10 LOG level warning prefix `IPT_LOGDIVERT: ' 
33821 1936K RETURN     all  --  any    any     anywhere             anywhere    
        

Chain LOGTPROXY1 (0 references)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain LOGTPROXY2 (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
 1863 2520K LOG        all  --  any    any     anywhere             anywhere    
        limit: avg 1/sec burst 10 LOG level warning prefix `IPT_TPROXY2: ' 

Chain PROXYIT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   17  1020 LOG        all  --  any    any     anywhere             anywhere    
        limit: avg 1/sec burst 10 LOG level warning prefix `IPT_PROXYIT: ' 
   17  1020 TPROXY     tcp  --  any    any     anywhere             anywhere    
        tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0xffffffff


I can use squidclient to read cache stats so I'm pretty sure squid is setup ok. 

[root@fw01 logs]# squidclient -p 3128 mgr:info 
HTTP/1.1 200 OK
Server: squid/3.HEAD-20110307
Mime-Version: 1.0
Date: Sun, 13 Mar 2011 18:02:05 GMT
Content-Type: text/plain
Expires: Sun, 13 Mar 2011 18:02:05 GMT
Last-Modified: Sun, 13 Mar 2011 18:02:05 GMT
X-Cache: MISS from fw01.localdomain
Via: 1.1 fw01.localdomain (squid/3.HEAD-20110307)
Connection: close

Squid Object Cache: Version 3.HEAD-20110307
Start Time:     Sun, 13 Mar 2011 18:01:54 GMT
Current Time:   Sun, 13 Mar 2011 18:02:05 GMT
Connection information for squid:
        Number of clients accessing cache:      1
        Number of HTTP requests received:       0
        Number of ICP messages received:        0
        Number of ICP messages sent:    0
        Number of queued ICP replies:   0
        Number of HTCP messages received:       0
        Number of HTCP messages sent:   0
        Request failure ratio:   0.00
        Average HTTP requests per minute since start:   0.0
        Average ICP messages per minute since start:    0.0
        Select loop called: 1113 times, 9.587 ms avg



What I'm i missing?   I'm pretty sure it's in the routing layer as it looks 
like both IPTables and EBTables seem to be doing the right thing. 





James S. Binder
Vice President, Engineering

jbin...@cyphort.com
408.761.1403 (cell)


This information contained in this e-mail message and any attachments thereto, 
is intended only for the personal and confidential use of the recipient(s) 
named above. This message may be under the terms of a Mutual Non-Disclosure 
Agreement communication and/or work product and as such is privileged and 
confidential. If the reader of this message is not the intended recipient or an 
agent responsible for delivering it to the intended recipient, you are hereby 
notified that you have received this document in error and that any review, 
dissemination, distribution, or copying of this message is strictly prohibited. 
If you have received this communication in error, please notify use immediately 
by e-mail and delete this original message. 




Reply via email to