I have a server that was running a transparent redirection proxy. I
was using the 2.4.20 kernel on this system and I recently upgraded to
the 2.6.0.107 kernel package for Red Hat 9.
Ever since I did the kernel upgrade the proxy does not work correctly.
As far as I know, the kernel is configured properly.
lsmod shows these iptables modules:
Module Size Used by
ipt_REDIRECT 2048 0
iptable_nat 20140 1 ipt_REDIRECT
ip_conntrack 28464 2 ipt_REDIRECT,iptable_nat
iptable_filter 2688 0
ip_tables 15104 3 ipt_REDIRECT,iptable_nat,iptable_filter
My INPUT, FORWARD and OUTPUT policies are all set to ACCEPT:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I am using this iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
My nat table looks like this:
iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
1
Squid is running on 3128; the squid config looks like this:
acl all src 0/0
visible_hostname proxyhost.porchlight.ca
http_port 3128
no_cache deny all
redirect_program /usr/local/bin/redirector.pl
redirect_children 5
redirect_rewrites_host_header on
redirector_access allow all
http_access allow all
http_reply_access allow all
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
This configuration has not changed since before the kernel upgrade,
except that there were a couple of rules preventing proxy access to the
outside world, which I removed in order to make things as simple as
possible for debugging purposes.
I can see by running snort that the packets destined for the remote
host are arriving on the interface.
I can see using "iptables -t nat --list -v -n" that the number of
packets on the REDIRECT rule gets incremented by 1 each time I try to
access a remote site, but the browser just times out waiting for a
reply and the squid access.log does not record the access.
If I type http://proxyhost.porchlight.ca into the address bar of the
browser, the port redirect works perfectly and squid redirects the
traffic to the proxied site without problem; it is only when I attempt
to access remote sites that the redirection does not work. As I
mentioned before, this was all working and tested prior to the
kernel upgrade.
I've been struggling with this for a couple days now. Does anyone have
any idea why this configuration is not working?
Thx in advance,
*****************************
Peter Schobel
Network Administrator
Porchlight.ca
Unlimited Internet
*****************************
In a world without walls or fences
We will have no need for gates or windows
*****************************
Received on Wed Jan 07 2004 - 11:38:48 MST
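The comparison Peter describes (REDIRECT counter goes up, access.log stays empty) can be turned into a repeatable check. This is an added example, not part of the post or of Squid; the iptables listing, squid.conf fragment and access.log line below are constructed samples shaped like the real command output, and the required-directive list assumes Squid 2.5 httpd_accel syntax as shown in the post.

```python
# Squid 2.5 directives that httpd_accel (transparent) mode needs,
# with the values the post shows (assumption: Squid 2.5 syntax).
REQUIRED_SQUID = {
    "http_port": "3128",
    "httpd_accel_host": "virtual",
    "httpd_accel_port": "80",
    "httpd_accel_with_proxy": "on",
    "httpd_accel_uses_host_header": "on",
}

def redirect_pkts(listing):
    """Sum the pkts column of every REDIRECT rule in an
    'iptables -t nat -L PREROUTING -v -n' listing."""
    total = 0
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2] == "REDIRECT":
            total += int(fields[0])
    return total

def squid_config_gaps(config):
    """Required directives that are missing or carry another value."""
    seen = {}
    for line in config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            seen[parts[0]] = parts[1].strip()
    return [k for k, v in REQUIRED_SQUID.items() if seen.get(k) != v]

def diagnose(before, after, access_log, config):
    """Classify one test request from counters taken before/after it
    plus the access.log lines written during it."""
    hits = redirect_pkts(after) - redirect_pkts(before)
    logged = sum(1 for l in access_log.splitlines() if "http://" in l)
    if hits == 0:
        return "rule-not-hit"           # traffic never matched REDIRECT
    if squid_config_gaps(config):
        return "config-gap"             # squid not in transparent mode
    if logged == 0:
        return "redirected-not-logged"  # the symptom in the post
    return "ok"

# Constructed sample data, shaped like the commands' real output.
BEFORE = """Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target  prot opt in   out  source     destination
    7   420 REDIRECT tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0  tcp dpt:80 redir ports 3128"""
AFTER = BEFORE.replace("    7   420", "    8   480")
SQUID_CONF = "http_port 3128\nhttpd_accel_port 80\nhttpd_accel_host virtual\n" \
             "httpd_accel_with_proxy on\nhttpd_accel_uses_host_header on\n"
LOG_LINE = "1073497128.123 234 192.168.1.5 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/192.0.2.1 text/html\n"
```

Take the two listings around a single browser request and pass the access.log lines written in that window; "redirected-not-logged" is the case in the post, where the packets leave the nat table but never reach Squid's listener.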