Problem with Ubuntu 8.04, Squid3 and multiple subnets

iggymac · 12-06-2008, 01:22 PM

Hello,

We have been using DansGuardian web filtering software with Squid 2.x on an Ubuntu server as a transparent proxy for our school district's WAN gateway for a few years now with no problems. We have also used Squid3 on another server with no issues.

We are now replacing the gateway server with a new Ubuntu (8.04) box, with Squid 3.0.STABLE1, and the latest version of DansGuardian. It is setup almost identically to the previous server, and it works ok when put in place of that old server, with one major problem - it only works for hosts on the subnet it's in. All of our other subnets in our WAN cannot access the web at all.

When a host from from one of our other subnets tries to view a web page, the DansGuardian log shows something like:

IP_OF_HOST http://www.foo.com/ *EXCEPTION* Exception site match. GET 5733 0 1 200 - -

Then the DansGuardian passes the request to Squid, and we get this:

127.0.0.1 TCP_MISS/301 531 GET http://www.foo.com/ - NONE/- text/html

then nothing else. No more Squid log entries for that request, and the host just times out.

We don't know for sure this is a Squid issue, and not a DansGuardian issue, but it looks like it. We've also done several searches for subnet-related Squid issues, and have not been able to find anything yet. We are assuming it is not an ACL issue, since all requests originate from 127.0.0.1, but we have tried opening those up wide also, to no affect. And again, for the subnet the server is on, it works great, and the old 2.x squid server worked fine for all subnets.

Are we missing something silly and obvious? Any suggestions?

Bret

iggymac · 12-09-2008, 12:11 PM

Ok. We think we may have narrowed this down, but are still pretty baffled.

If we setup just a Squid transparent proxy box (Ubuntu 8.04, Squid3) and try using it as the proxy for two computers' web browsers (one on the subnet of the box, one from another subnet) it _seems_ as though our one iptables rule may be the issue.

We use a pretty standard rule to forward port 80 traffic to the squid port:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

The PC on the same subnet goes through the proxy fine. The PC on a different subnet does not make it through the proxy. If we flush iptables, then try connecting with the PC from another subnet, iptables also shows that no packets have traversed that rule.

So:

1. Have there been any changes in syntax from iptables 1.2 to 1.3 that we're missing?
2. Is our iptables rule just plain incorrect?

Bret

msshahanshah · 09-06-2011, 12:12 PM

Hi I am facing the same issue here! but we not only have multiple subnets but also multiple IP ranges.
the problem is not with the iptables but with the routes that are there in the squid box.

default via 192.168.1.1 dev br0

if I change this to default via 10.0.0.1 dev br0 the second subnet starts to work and the first one fails.

Did you figure out a way to make it work?