Squid (proxy) 4.6: tcp_outgoing_address does not work.

Linux Kernel, Network, and Services configuration.
C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Squid (proxy) 4.6: tcp_outgoing_address does not work.

#1 Post by C4H7Cl2O4P »

In my local network (192.168.xxx.0/24) I have a PC which I'd like to use as a proxy server. I set up port forwarding from my router to this PC for port 8213, which I'd like to use as a proxy port.
I have a GSM USB modem (Huawei E153) connected to the PC which I can see as wlp2s4.
I install a ppp connection to my mobile provider with the command <<nmcli connection up "ConnectionName" --ask < /dev/null >>

Here is what I have.

Code: Select all

# uname -a
Linux hptro 4.19.0-18-686-pae #1 SMP Debian 4.19.208-1 (2021-09-29) i686 GNU/Linux
==========================================
# cat /etc/debian_version
10.11
==========================================
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
==========================================
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:d4:a4:b2:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.xxx.102/24 brd 192.168.xxx.255 scope global dynamic noprefixroute enp2s8
       valid_lft 571sec preferred_lft 571sec
    inet6 fe80::216:d4ff:fea4:b297/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp2s4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:16:6f:c3:b9:fd brd ff:ff:ff:ff:ff:ff
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp 
    inet 10.999.999.999 peer 10.64.64.64/32 scope global ppp0
       valid_lft forever preferred_lft forever
    inet 10.999.999.999/32 brd 10.999.999.999 scope global noprefixroute ppp0
       valid_lft forever preferred_lft forever
==========================================
# squid -v
Squid Cache: Version 4.6
Service Name: squid
Debian linux
configure options:  '--build=i686-linux-gnu'
'--prefix=/usr'
'--includedir=${prefix}/include'
'--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info'
'--sysconfdir=/etc'
'--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid'
'--srcdir=.'
'--disable-maintainer-mode'
'--disable-dependency-tracking'
'--disable-silent-rules'
'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/reproducible-path/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
'BUILDCXX=i686-linux-gnu-g++'
'--with-build-environment=default'
'--enable-build-info=Debian linux'
'--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid'
'--mandir=/usr/share/man'
'--enable-inline'
'--disable-arch-native'
'--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap'
'--enable-delay-pools'
'--enable-cache-digests'
'--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,SMB_LM'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-url-rewrite-helpers=fake'
'--enable-eui'
'--enable-esi'
'--enable-icmp'
'--enable-zph-qos'
'--enable-ecap'
'--disable-translation'
'--with-swapdir=/var/spool/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid'
'--with-filedescriptors=65536'
'--with-large-files'
'--with-default-user=proxy'
'--with-gnutls'
'--enable-linux-netfilter'
'build_alias=i686-linux-gnu'
'CC=i686-linux-gnu-gcc'
'CFLAGS=-g -O2 -fdebug-prefix-map=/build/reproducible-path/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXX=i686-linux-gnu-g++'
'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/reproducible-path/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'
==========================================
# cat squid.conf 
acl localnet src 192.168.xxx.0/24
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 1025-65535	# unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access deny all
http_port 8213
acl anyclient src all
http_access allow anyclient
tcp_outgoing_address 10.999.999.9 anyclient  #  <<<<<==================
cache_dir ufs /var/spool/squid 100 16 256
debug_options ALL,5
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
cache_effective_user squider
cache_effective_group squider
cache deny all
==========================================
On both the PC and another device in my local network I set up Firefox to use proxy server localhost:8213 and 192.168.xxx.pc:8213 respectively. Squid proxy server receives their requests, as I can see in
/var/log/squid/access.log
/var/log/squid/cache.log
but it does not work even for http://neverssl.com/
/var/log/squid/access.log says:

Code: Select all

1707731618.702  30458 192.168.xxx.other TCP_MISS/503 4430 GET http://neverssl.com/ - HIER_NONE/- text/html
1707749880.122     35 127.0.0.1 TCP_DENIED/403 4379 GET http://neverssl.com/ - HIER_NONE/- text/html
At the same time:

Code: Select all

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=37.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=23.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=23.8 ms

$ ping 8.8.8.8 -I ppp0
PING 8.8.8.8 (8.8.8.8) from 10.70.38.103 ppp0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=1809 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=808 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=209 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=206 ms
If I disconnect the PC from my local net (pull the wire out), then the installed mobile connection works as default (whoer.net shows its real IP).

If I don't use tcp_outgoing_address then Squid proxy server works just fine, I mean it shares my cable connection (if I use the proxy from outside, as I forwarded the port from my router).

What am I doing wrong ? What should I do to make squid proxy server go out through alternative connection?

lindi
Debian Developer
Posts: 452
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 88 times

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#2 Post by lindi »

What do you see with

Code: Select all

ip rule
ip route
? If you want to have multiple alternative routes to the Internet you need to create multiple routing tables

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#3 Post by C4H7Cl2O4P »

lindi wrote: 2024-02-12 20:36 What do you see with

Code: Select all

ip rule
ip route
?

Code: Select all

# ip rule
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

# ip route
default via 192.168.xxx.1 dev enp2s8 proto dhcp metric 100 
default dev ppp0 proto static scope link metric 700 
10.64.64.64 dev ppp0 proto kernel scope link src 10.999.999.999 
10.64.64.64 dev ppp0 proto kernel scope link src 10.999.999.999 metric 700 
169.254.0.0/16 dev enp2s8 scope link metric 1000 
192.168.xxx.0/24 dev enp2s8 proto kernel scope link src 192.168.xxx.pc metric 100 
If you want to have multiple alternative routes to the Internet you need to create multiple routing tables
Squid manual does not mention it. They just say "Allows you to map requests to different outgoing IP addresses..."

lindi
Debian Developer
Posts: 452
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 88 times

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#4 Post by lindi »

C4H7Cl2O4P wrote: 2024-02-13 00:09 # ip route
default via 192.168.xxx.1 dev enp2s8 proto dhcp metric 100
default dev ppp0 proto static scope link metric 700
This explains it, the second "default" route has no effect as the first one is always chosen.
C4H7Cl2O4P wrote: 2024-02-13 00:09 Squid manual does not mention it. They just say "Allows you to map requests to different outgoing IP addresses..."
This issue applies to all programs when using linux kernel. I suppose squid runs also on windows? Anyways, the only way to make this work is to have multiple routing tables afaik.

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#5 Post by C4H7Cl2O4P »

lindi wrote: 2024-02-13 07:34 This issue applies to all programs when using linux kernel. I suppose squid runs also on windows? Anyways, the only way to make this work is to have multiple routing tables afaik.
Do you mean Microsoft Windows ? They say it does but I use Debian.
Could you explain what does "to have multiple routing tables" mean and direct me how can I achieve it ? What should I do ?

lindi
Debian Developer
Posts: 452
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 88 times

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#6 Post by lindi »

C4H7Cl2O4P wrote: 2024-02-13 10:10 Could you explain what does "to have multiple routing tables" mean and direct me how can I achieve it ? What should I do ?
I have followed https://tldp.org/HOWTO/Adv-Routing-HOWTO/ and configured this fully manually as ifupdown does not support multiple routing tables.
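
The situation described in posts #4 and #6, as an added example that is not part of the original thread: a script that reads `ip route` text, reports which default route the main table actually uses, and prints the source-based policy routing commands for the address given to `tcp_outgoing_address`. The function names, table number 100 and the sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; function names, table number and addresses are assumptions.

# Constructed sample modelled on the "ip route" output in post #3, with
# made-up addresses in place of the redacted ones.
SAMPLE_ROUTES='default via 192.168.1.1 dev enp2s8 proto dhcp metric 100
default dev ppp0 proto static scope link metric 700
10.64.64.64 dev ppp0 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev enp2s8 proto kernel scope link src 192.168.1.102 metric 100'

# Read "ip route" text on stdin and print the device of the default route
# the main table uses: the lowest metric wins (no metric counts as 0).
winning_default_dev() {
    awk '$1 == "default" {
             dev = ""; metric = 0
             for (i = 2; i < NF; i++) {
                 if ($i == "dev")    dev = $(i + 1)
                 if ($i == "metric") metric = $(i + 1) + 0
             }
             if (!seen || metric < bestmetric) { best = dev; bestmetric = metric; seen = 1 }
         }
         END { print best }'
}

# Print the commands that give packets sourced from ADDR their own routing
# table whose only default route leaves through DEV.
policy_route_cmds() {
    addr=$1; dev=$2; table=${3:-100}   # 100: assumed to be an unused table id
    echo "ip route add default dev $dev table $table"
    echo "ip rule add from $addr/32 lookup $table"
}

# Read "ip route" text on stdin. If the winning default is not WANT_DEV,
# explain why binding to ADDR is not enough and print the fix.
check_outgoing() {
    addr=$1; want=$2
    got=$(winning_default_dev)
    if [ "$got" != "$want" ]; then
        echo "# default route uses $got, so packets from $addr still leave via $got"
        policy_route_cmds "$addr" "$want"
    fi
}

printf '%s\n' "$SAMPLE_ROUTES" | check_outgoing 10.0.0.2 ppp0
```

After running the printed commands as root, `ip route get 8.8.8.8 from <address>` shows which device the kernel picks for that source address. The route in the extra table is removed when ppp0 goes down and has to be added again after each reconnect.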

Aki
Global Moderator
Posts: 2979
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 75 times
Been thanked: 407 times

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#7 Post by Aki »

@C4H7Cl2O4P:
Did you sort it out ?

--
note: Please, use code tags to include commands and/or their logs in the body of a message. I've done it for you in previous messages. Thanks.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: Squid (proxy) 4.6: tcp_outgoing_address does not work.

#8 Post by C4H7Cl2O4P »

Aki wrote: 2024-02-24 07:38 Did you sort it out ?
No, I did not.
