[ILUG] either transparent proxy or iptables problem.
Francis Daly
francisdaly at gmail.com
Fri Jan 4 21:19:42 GMT 2008
On 04/01/2008, Darragh <lists at digitaldarragh.com> wrote:
Hi there,
> So, at the moment, everything seems to be running reasonably well as far
> as routing goes. a simple traceroute shows that connections are going
> through the server, to the router out to the internet.
If I've understood your setup correctly, the first traceroute might do
this, but the second may bypass the server and go straight for the
router, if the client has cached the route redirection message that
the server probably sent to it. As a first pass at the squid problems,
that doesn't matter; but it might come in to play later when you try
to make it transparent.
> I've tested the route with squid running and all is still flowing properly.
To be sure of that, I'd run something like "tcpdump -nn port 80"
possibly with "-i eth0" on the server, and then confirm that the
expected HTTP traffic is visible.
> when I run squid though, in the logs, I see a line that says that port
> 3128 is in use. Here is the error:
> squid[16079]: commBind: Cannot bind socket FD 13 to *:3128: (98) Address
> already in use
That says "another squid is running". Actually, it says "another
program is bound to that port already", but it's probably the same
thing. You can check for sure by:
> when I use netstat, I see:
> tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
as root, run
netstat -pant | grep 3128 | grep LIST
The last column is the pid and name of the guilty process. On my
machine, that gives me
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 17939/(squid)
To get back to a clean slate, kill whatever process was there before
your squid (and then go and find how and why it started, and make sure
it doesn't do it again until you want it to).
> now... I could be barking up the wrong tree completely, but this is the
> only reason that I can see why squid may not be handling requests.
>
> nmap shows the following:
> 3128/tcp open squid-http
That says, the same as netstat, that something is bound to that port.
It doesn't say what, though.
> Here are my iptables rules. I think it should be sending traffic to 3128
> but it's kind of difficult to tell for sure at the moment.
If you stick a "-v" into the "iptables -L" command line, you'll get
even more information, but it will include the inbound and outbound
network interfaces on each rule, which may make them make more sense.
The rules are traversed in order; the first match happens. So your
first rule of
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
would mean that all other rules are ignored, unless it refers solely
to the lo0 interface (as it probably does).
I confess I see nothing in your rules which says "traffic from
anywhere that isn't me, going to anywhere port 80, should go to me
port 3128", so unless something else is happening, I don't think your
proxy is doing what you want it to.
I suggest stepping through things from the start, just so you can be
sure exactly where things break down.
From the squid server, can you make a http request (to prove that
squid can access the web):
(paste the following 5 lines, until the line just containing X, into a shell)
nc www.linux.ie 80 <<X
GET / HTTP/1.0
Host: www.linux.ie
X
You should get a response that starts "HTTP/1.0 200 OK" and continues
for about 15 kB of stuff. I suspect that will work fine.
Next, from the squid server, can you make a proxied http request (to
prove that squid is working as a normal proxy):
nc localhost 3128 <<X
GET http://www.linux.ie/ HTTP/1.0
X
Again, you should get "HTTP/1.0 200 OK" followed by about 15kB of
stuff. If you have put in extra rules somewhere to deny localhost as a
client, then use a client that should be allowed to make the request.
Next, from the same client, can you make a http request as if it had
been proxied (to prove that squid is configured to work as a
transparent proxy):
nc localhost 3128 <<X
GET / HTTP/1.0
Host: www.linux.ie
X
If you get the same "HTTP/1.0 200 OK", that's good. If you get
"HTTP/1.0 400 Bad Request", that suggests that the transparent part of
the proxying isn't working.
Assuming that all works, the next test is to see whether the
network-level stuff (of getting the packets from the client to the web
server, to the proxy server) is working properly. On the squid server,
run the
tcpdump -nn -X -s0 port 80
command -- you may want to send its output to a file, because it will
double-print every byte it sees.
Also watch the end of the squid log file (/var/log/squid/access.log,
probably) to see if it thinks it is involved in the traffic at all.
Then on a client machine that is not the squid server, do
nc www.linux.ie 80 <<X
GET / HTTP/1.0
Host: www.linux.ie
X
and do it again, and watch what happens. Ideally, you will see the
same 15 kB response each time (possibly with some difference in the
headers), as well as two extra lines in access.log showing what
happened. If that did happen, then you're probably all good from a
network and squid perspective. If not, then there's more to do.
Good luck,
f
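As an added example (my own, not code from Francis's or Darragh's messages), here is a small shell script that mechanises two of the checks above: pulling the PID/program name for the port 3128 listener out of "netstat -pant" output, and reading the status line from the nc tests (200 is good, 400 Bad Request means the transparent part is not working). It also prints the nat-table REDIRECT rule that the reply says is absent from Darragh's ruleset. The netstat output and HTTP responses are constructed so it runs offline; the interface name eth0 and port 3128 are assumptions to adjust for the real setup.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for two of the checks in the
# reply: finding which process owns port 3128, and reading the nc test results.
# All inputs below are constructed so that the script runs offline.

# Given "netstat -pant" output on stdin, print the PID/Program name of the
# process LISTENing on TCP port $1 (prints nothing if no listener is bound).
# netstat columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
listener_for_port() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7 }'
}

# Read the status line of an HTTP response (as returned by the nc tests) on
# stdin and say what it means for the transparent-proxy checks.
classify_response() {
    IFS= read -r status || status=""
    status=$(printf '%s' "$status" | tr -d '\r')
    case "$status" in
        "HTTP/1."[01]" 200 "*) echo "ok" ;;
        "HTTP/1."[01]" 400 "*) echo "bad-request: transparent proxying not working" ;;
        "")                    echo "no-response" ;;
        *)                     echo "unexpected: $status" ;;
    esac
}

# The rule the reply says is missing: TCP port 80 arriving on the LAN-facing
# interface $1 is redirected to squid on port 3128. It goes in the nat table's
# PREROUTING chain, which only sees packets arriving from other hosts, so the
# server's own outbound web requests (OUTPUT chain) are not looped back into
# squid. Interface name and port are assumptions; adjust for the real setup.
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports 3128"
}

# Constructed sample of "netstat -pant" output from a server running squid.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1042/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      17939/(squid)
tcp        0      0 192.168.1.10:3128       192.168.1.20:51234      ESTABLISHED 17939/(squid)'

# Constructed responses, standing in for the output of the nc tests.
RESP_OK='HTTP/1.0 200 OK
Server: example
'
RESP_BAD='HTTP/1.0 400 Bad Request
'

echo "port 3128 is owned by: $(printf '%s\n' "$NETSTAT_SAMPLE" | listener_for_port 3128)"
echo "direct/proxied test:   $(printf '%s' "$RESP_OK" | classify_response)"
echo "transparent test:      $(printf '%s' "$RESP_BAD" | classify_response)"
echo "rule to add:           $(redirect_rule eth0)"
```

On a real server, replace the constructed sample with `netstat -pant | listener_for_port 3128` and pipe each nc test through `classify_response`; the REDIRECT rule should only be applied on the interface the clients arrive on, so that the server's own requests are not sent back into squid.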