You will need to transparently redirect the traffic and not explicitly point your browser to Squid. It seems that the mentioned firewall rules are correct. You will also need a policy route for the marked traffic.
On Oct 5, 2017 7:54 PM, "xpro6000" <xpro6...@gmail.com> wrote:

I'm back to square one then, and it looks like there is no way to tell Squid to use the same connecting IP for the outgoing IP, which is what I need.

On Thu, Oct 5, 2017 at 3:49 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 05/10/17 15:01, xpro6000 wrote:
>
>> I'm trying to set up tproxy with Squid 3.5 for the purpose of having the
>> same outgoing IP as the connecting IP. (I have thousands of IPs and I
>> cannot add them one by one)
>>
>> I started with a fresh install of Debian 9, installed Squid by
>>
>> apt install squid
>>
>> then I added
>>
>> http_port 3129 tproxy
>>
>> to squid.conf
>>
>> I then ran the following commands for iptables
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>>
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> I can use the proxy with no problems on port 3128, but on Firefox I get a
>> message "The proxy server is refusing connections" when I set the proxy to
>> port 3129. Did I miss any steps or am I doing something wrong?
>
> You missed the fact that TPROXY is an MITM operation. You *cannot* set up
> the browser to use the proxy directly to its tproxy port. You have to route
> the packets to the proxy machine without any explicit browser or client
> configuration.
>
> Only the Squid machine bits (and thus behaviour) are different with TPROXY
> vs NAT interception.
>
> ...
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> http_access allow all
>
> Do not do "allow all" like this. Set up the localnet ACL to your LAN
> range(s) properly and only allow those clients through the proxy.
>
> Then you can use the recommended default:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny manager
> http_access allow localnet
> http_access deny all
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
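The replies above identify two gaps in the posted setup: the browser must not be pointed at the tproxy port (the traffic has to be routed through the Squid box), and the marked packets need a policy route so the kernel delivers them to the local socket. The script below is an added example, not code from the thread or from the Squid project, that puts the posted mangle rules together with the missing policy route, the sysctls TPROXY depends on, and a squid.conf fragment using a proper localnet ACL instead of "allow all". The LAN interface eth0, the LAN range 192.168.1.0/24, routing table 100 and the "-i eth0" restriction on the TPROXY rule are assumptions; port 3129, mark 1 and the DIVERT chain come from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): complete TPROXY plumbing for the
# Squid 3.5 setup discussed above. The mangle rules and "http_port 3129
# tproxy" are from the original post; the policy route, sysctls and the
# localnet ACL are the pieces the replies say are missing.
# ASSUMED values: LAN interface eth0, LAN range 192.168.1.0/24, fwmark 1,
# routing table 100. Adjust before use.
#
# Usage:  sh tproxy-setup.sh --show    # print every command (dry run)
#         sh tproxy-setup.sh --apply   # execute them (needs root)

set -u

LAN_IF="${LAN_IF:-eth0}"              # assumption
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumption
MARK=1
TABLE=100
TPROXY_PORT=3129

# run: print the command in dry-run mode (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel knobs: the box must forward traffic, and strict reverse-path
# filtering must be off, or packets whose destination is not a local
# address (exactly what TPROXY delivers locally) are dropped as martians.
sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf."$LAN_IF".rp_filter=0
}

# Mangle rules as posted. DIVERT catches packets that already belong to a
# local socket (server replies); the TPROXY rule catches new port-80 flows.
# Restricting the TPROXY rule to the LAN interface is an addition, so only
# client traffic is intercepted.
mangle_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# The missing piece from the original post: marked packets are looked up in
# a table whose only route sends everything to the local stack, so the
# kernel accepts them although their destination address is not ours.
policy_route() {
    run ip -f inet rule add fwmark "$MARK" lookup "$TABLE"
    run ip -f inet route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# squid.conf fragment: tproxy port plus an ACL order that never uses
# "allow all"; localnet is the assumed LAN range.
squid_conf() {
    cat <<EOF
http_port 3128
http_port $TPROXY_PORT tproxy
acl localnet src $LAN_NET
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow localnet
http_access deny all
EOF
}

case "${1:-}" in
    --show)  DRY_RUN=1; sysctls; mangle_rules; policy_route; squid_conf ;;
    --apply) DRY_RUN=0; sysctls; mangle_rules; policy_route ;;
    *)       : ;;
esac
```

Run it with `--show` first and compare against what is already live (`iptables -t mangle -S`, `ip rule show`, `ip route show table 100`). The box must be the client's default gateway or otherwise on the path for port-80 traffic; a client with no proxy configured in its browser is the only valid test, since connecting to 3129 directly will always be refused.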