Transparent Squid on different host

Hi,

I'm trying to set up a transparent Squid proxy as described on https://openwrt.org/docs/guide-user/services/proxy/proxy.squid, but Squid should run on a different host than OpenWrt.

Squid is already working on host 192.168.1.180 on port 3128, which is in the lan network.

To redirect all traffic from the lan network to this Squid host, I've changed the firewall rule from the user guide slightly to reflect the IP of the Squid host:

config redirect
        option name 'Allow-transparent-Squid'
        option enabled '1'
        option proto 'tcp'
        option target 'DNAT'
        option src 'lan'
        option src_ip '!192.168.1.180'
        option src_dip '!192.168.1.180'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.180'
        option dest_port '3128'

When I try to open a website on port 80 now, it does not work; I receive a timeout.
curl from a different host on the lan network:

$ LANG=C curl --ipv4 google.de -v
*   Trying 172.217.19.67:80...
* TCP_NODELAY set
* connect to 172.217.19.67 port 80 failed: Connection timed out
* Failed to connect to google.de port 80: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to google.de port 80: Connection timed out

To further analyze this issue I stopped Squid on 192.168.1.180 and started nc -lp 3128 to see if anything is received there, but nothing is visible.
If I try nc from the OpenWrt host or the test host to connect to 192.168.1.180 3128, it works. If I set the http_proxy variable for curl to the Squid host and try again, I can see the request on the listening nc.

I think I'm missing something in my OpenWrt configuration or there is an issue with my firewall rule, but I can't find the root cause of this issue.

Please help me to figure out what's wrong.

Thanks and best regards,
Dennis

Does the rule have hits?
iptables-save -c | grep Squid
Does the packet go to the proxy?
tcpdump -i any -vne -c 100 tcp port 80 or tcp port 3128

If I read the output correctly, the rule has hits:

root@OpenWrt:~# iptables-save -c | grep Squid
[5:782] -A zone_lan_prerouting ! -s 192.168.1.180/32 ! -d 192.168.1.180/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-transparent-Squid" -j DNAT --to-destination 192.168.1.180:3128

Every time I run the curl on the test instance, the values increase.

The tcpdump also has some output, but I'm not able to fully understand it. 192.168.1.50 is my test host.
If I understand this correctly, the first lines are incoming packets from 192.168.1.50.40178 to 216.58.206.3.80. Then those packets go out to 192.168.1.180.3128.
But it seems there are no packets coming back from 192.168.1.180.3128?

root@OpenWrt:~# tcpdump -i any -vne -c 100 tcp port 80 or tcp port 3128
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:52:48.129172  In f4:6d:04:79:52:6d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xd268 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:48.129172  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xd268 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:48.129172  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xd268 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:48.129447 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xaa62 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:48.129465 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xaa62 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:48.129475 Out fc:ec:da:7b:49:ec ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 63, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xaa62 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:49.160513  In f4:6d:04:79:52:6d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xce61 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:49.160513  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xce61 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:49.160513  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xce61 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:49.160812 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xa65b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:49.160832 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xa65b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:49.160844 Out fc:ec:da:7b:49:ec ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 63, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xa65b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:51.240494  In f4:6d:04:79:52:6d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 39182, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xc641 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370905841 ecr 0,nop,wscale 7], length 0
13:52:51.240494  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39182, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xc641 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370905841 ecr 0,nop,wscale 7], length 0
13:52:51.240494  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39182, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xc641 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370905841 ecr 0,nop,wscale 7], length 0
13:52:51.240599 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39182, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0x9e3b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370905841 ecr 0,nop,wscale 7], length 0
13:52:51.240616 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39182, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0x9e3b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370905841 ecr 0,nop,wscale 7], length 0
13:52:51.240626 Out fc:ec:da:7b:49:ec ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 63, id 39182, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0x9e3b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370905841 ecr 0,nop,wscale 7], length 0
13:52:55.320492  In f4:6d:04:79:52:6d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 39183, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xb651 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370909921 ecr 0,nop,wscale 7], length 0
13:52:55.320492  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39183, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xb651 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370909921 ecr 0,nop,wscale 7], length 0
13:52:55.320492  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39183, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xb651 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370909921 ecr 0,nop,wscale 7], length 0
13:52:55.320620 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39183, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0x8e4b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370909921 ecr 0,nop,wscale 7], length 0
13:52:55.320640 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39183, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0x8e4b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370909921 ecr 0,nop,wscale 7], length 0
13:52:55.320651 Out fc:ec:da:7b:49:ec ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 63, id 39183, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0x8e4b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370909921 ecr 0,nop,wscale 7], length 0
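The capture above can be checked mechanically rather than by eye. The script below is an added example, not part of the thread or of any OpenWrt or Squid tool. It pairs each incoming packet with its outgoing copy by IP id (DNAT rewrites the destination address and port but leaves the IP id alone), reports the rewrite it finds, and counts, per client connection attempt, how many SYNs were retransmitted and whether any SYN-ACK ever passed back through the router towards that client. The embedded capture is an excerpt of the output posted above with the per-interface copies that "-i any" prints left out; the parser also discards such copies, so it can be run over the complete output as well.

```python
import re
from collections import defaultdict

# Excerpt of the capture posted above: two client SYNs and their DNATed copies.
# The extra copies that "-i any" prints for the VLAN and the physical interface
# are left out here; parse_tcpdump() drops such duplicates anyway.
CAPTURE = """\
13:52:48.129172  In f4:6d:04:79:52:6d ethertype 802.1Q (0x8100), length 80: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xd268 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:48.129447 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39180, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xaa62 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370902730 ecr 0,nop,wscale 7], length 0
13:52:49.160513  In f4:6d:04:79:52:6d ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 64, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 216.58.206.3.80: Flags [S], cksum 0xce61 (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
13:52:49.160812 Out fc:ec:da:7b:49:ec ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 63, id 39181, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.50.40178 > 192.168.1.180.3128: Flags [S], cksum 0xa65b (correct), seq 3978785822, win 29200, options [mss 1460,sackOK,TS val 370903761 ecr 0,nop,wscale 7], length 0
"""

# First line of each packet: timestamp, In/Out, ... id NNN, ... proto TCP
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s.*?\bid (?P<id>\d+),.*proto TCP"
)
# Second (indented) line: src.port > dst.port: Flags [..], ... seq N
FLOW_RE = re.compile(
    r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:.*?\bseq (?P<seq>\d+))?"
)


def parse_tcpdump(text):
    """Turn 'tcpdump -i any -vne' output into one dict per distinct packet."""
    packets, seen, header = [], set(), None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = FLOW_RE.match(line)
        if not (m and header):
            continue
        f = m.groupdict()
        pkt = {
            "ts": header["ts"], "dir": header["dir"], "id": int(header["id"]),
            "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]),
            "flags": f["flags"], "seq": int(f["seq"]) if f["seq"] else None,
        }
        header = None
        # "-i any" reports one packet once per interface it crosses; keep one copy.
        key = (pkt["dir"], pkt["id"], pkt["src"], pkt["sport"],
               pkt["dst"], pkt["dport"], pkt["flags"])
        if key not in seen:
            seen.add(key)
            packets.append(pkt)
    return packets


def dnat_mappings(packets):
    """Pair each incoming packet with its outgoing copy (same IP id; DNAT keeps it)
    and return {ip_id: (original dst, rewritten dst)} for the rewritten ones."""
    by_id = defaultdict(dict)
    for p in packets:
        by_id[p["id"]][p["dir"]] = p
    mappings = {}
    for ip_id, pair in by_id.items():
        if "In" in pair and "Out" in pair:
            i, o = pair["In"], pair["Out"]
            if (i["dst"], i["dport"]) != (o["dst"], o["dport"]):
                mappings[ip_id] = ((i["dst"], i["dport"]), (o["dst"], o["dport"]))
    return mappings


def half_open_flows(packets):
    """Per client (ip, port): SYN retransmissions seen, SYN-ACKs seen coming back
    through the router, the destination asked for and the one it was NATed to."""
    mappings = dnat_mappings(packets)
    flows = {}
    for p in packets:
        if p["dir"] == "In" and p["flags"] == "S":
            fl = flows.setdefault((p["src"], p["sport"]), {
                "syn": 0, "synack": 0,
                "orig_dst": (p["dst"], p["dport"]), "nat_dst": None})
            fl["syn"] += 1
            if p["id"] in mappings:
                fl["nat_dst"] = mappings[p["id"]][1]
    for p in packets:
        client = (p["dst"], p["dport"])
        if client in flows and "S" in p["flags"] and "." in p["flags"]:
            flows[client]["synack"] += 1
    return flows


def report(text):
    flows = half_open_flows(parse_tcpdump(text))
    for (ip, port), fl in flows.items():
        verdict = "handshake answered" if fl["synack"] else "no SYN-ACK passed back through the router"
        print(f"{ip}:{port} -> {fl['orig_dst']} (DNAT to {fl['nat_dst']}): "
              f"{fl['syn']} SYN, {fl['synack']} SYN-ACK; {verdict}")
    return flows


if __name__ == "__main__":
    report(CAPTURE)
```

Run on the excerpt it prints one flow, 192.168.1.50:40178 asked for 216.58.206.3:80 and was rewritten to 192.168.1.180:3128, with two SYNs and zero SYN-ACKs, which is the "nothing comes back" observation stated mechanically. A flow with SYN-ACKs would show the router seeing the proxy's replies.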

I had the same problem a long time ago and I think I needed a rule on the host which runs the proxy.

Can you do a tcpdump on the squid host?

The packets are properly redirected to the proxy. You'll need to check on the proxy what is missing.

Thanks for all of your input. I now have a working setup which fits my needs even better than the first attempts.
I've now also installed Squid on the OpenWrt host, and with this the firewall rules are working. This Squid will now send specific domains to the other Squid to handle the caching there.

If the problem is solved, feel free to mark the topic accordingly.

But there is no solution for the mentioned issue/topic...

This is technically not possible, as Squid needs to run on the same machine which NATs the packets and sends them to Squid.

You could consider using the TPROXY protocol to forward captured packets to another host, but only for HTTP (port 80).

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
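Why the proxy's answer never shows up in the router's capture, and why moving Squid onto the NAT box is the usual answer, can be reasoned through with a small model. The script below is an added illustration, not code from the thread, from OpenWrt or from Squid. It assumes the router's LAN address is 192.168.1.1 and that any source NAT keeps the client's source port (as MASQUERADE does when the port is free); the other addresses are the ones from the thread. It models the DNAT rule from the first post, direct delivery between two hosts on the same subnet, and the client's check that a SYN-ACK comes from the peer it connected to. It also models the cost of the obvious fix, adding SNAT so replies return through the router: the proxy then sees the router as the client and, because the NAT state lives on the router rather than on the proxy host, cannot recover the original destination the way an intercepting Squid running on the NAT box can, which is the point of the last reply.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; the router's LAN address 192.168.1.1 is an assumption.
LAN_PREFIX = "192.168.1."                     # one L2 segment: hosts on it talk directly
CLIENT, PROXY, ROUTER = "192.168.1.50", "192.168.1.180", "192.168.1.1"
ORIGIN = ("216.58.206.3", 80)                 # the web server the client really asked for
CLIENT_PORT = 40178


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Router:
    """The OpenWrt box: the DNAT redirect from the first post plus the conntrack
    state it creates.  snat=True adds the source rewrite that rule does not have."""

    def __init__(self, snat=False):
        self.snat = snat
        self.ct = {}  # (client ip, client port) -> (original dst, NATed dst)

    def forward(self, p):
        if p.dport == 80 and p.src != PROXY and p.dst != PROXY:   # the redirect rule
            self.ct[(p.src, p.sport)] = ((p.dst, p.dport), (PROXY, 3128))
            p = replace(p, dst=PROXY, dport=3128)
            if self.snat:   # assumed to keep the source port
                p = replace(p, src=ROUTER)
        return p

    def reverse(self, p):
        """Undo the rewrites on a reply that actually comes back through the router."""
        for (cip, cport), (orig, nat) in self.ct.items():
            if (p.src, p.sport) == nat and (p.dst, p.dport) in {(cip, cport), (ROUTER, cport)}:
                return replace(p, src=orig[0], sport=orig[1], dst=cip, dport=cport)
        return None


def original_destination(local_ct, p):
    """What an intercepting proxy can recover from the conntrack table of the host
    it runs on.  That table is empty on any host other than the one that did the NAT."""
    entry = local_ct.get((p.src, p.sport))
    return entry[0] if entry else None


def simulate(snat):
    """Client SYN -> router (DNAT, optionally SNAT) -> proxy -> SYN-ACK -> client.
    Returns what the proxy saw and whether the client accepts the handshake."""
    router = Router(snat)
    syn = Pkt(CLIENT, CLIENT_PORT, *ORIGIN, "S")
    fwd = router.forward(syn)          # destination is off-LAN, so the SYN crossed the router
    proxy_ct = {}                      # the proxy host performed no NAT of its own
    synack = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport, "S.")   # proxy answers the sender it saw
    # Reply delivery: a destination on the same subnet is reached directly, so the
    # router (and its NAT state) only sees the reply when the reply is addressed to it.
    if on_lan(synack.dst) and synack.dst != ROUTER:
        arrived = synack
    else:
        arrived = router.reverse(synack)
    handshake_ok = ((arrived.src, arrived.sport) == ORIGIN
                    and (arrived.dst, arrived.dport) == (CLIENT, CLIENT_PORT))
    return {
        "proxy_sees_client": fwd.src,
        "proxy_knows_origin": original_destination(proxy_ct, fwd),
        "reply_from": (arrived.src, arrived.sport),
        "handshake_ok": handshake_ok,
    }


def proxy_on_nat_host():
    """The layout the thread ends up with: the proxy runs where the NAT happens,
    so the local conntrack lookup yields the original destination."""
    router = Router()
    fwd = router.forward(Pkt(CLIENT, CLIENT_PORT, *ORIGIN, "S"))
    return original_destination(router.ct, fwd)


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat={snat}:", simulate(snat))
    print("proxy on NAT host learns origin:", proxy_on_nat_host())
```

Without SNAT the SYN-ACK reaches the client straight from 192.168.1.180:3128, the client has no socket for that peer and drops it, and the router's capture shows only retransmitted SYNs, as in the thread. With SNAT the handshake completes, but the proxy now sees every client as the router and has no way to learn the original destination from its own kernel. Running the proxy on the NAT host gives it both the real client address and the original destination, which is why the thread's final setup works.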