[squid-users] Squid 3Head steps with TProxy

From: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
Date: Thu, 7 Aug 2008 13:55:08 -0500

Listed below are the beginnings of steps I have. They are not complete,
I left out some steps which I will add and repost. Please let me know if
you have questions/troubles with the steps. I have not fully checked the
steps for clarity and accuracy...but I eventually will.

These steps are for setting squid3HEAD with TProxy, IP spoofing and
Cisco WCCP. This is not a bridging setup.

Also, there is a patch for squid that I have applied which I have not
noted in the steps, but I want to talk to them about its commit status
before putting it in the steps.

Nick

1) Install CentOS 5.2
        a.) be sure not to install squid via the OS installer
        b.) install the development libraries and tools, as well as the
legacy software development
2) Once the install completes and you have booted into the OS, run: yum
update (and apply all updates.)
3) Once the yum command completes, reboot
4) Download iptables-1.4.0 from netfilter.org. Be sure to NOT download a
later version of iptables 1.4 (such as 1.4.1 or 1.4.1.1)
5) Download kernel 2.6.25.11 from kernel mirror
6) Download squid3HEAD (squid 3.1 source code).
7) Download tproxy patch for iptables from balabit. Be sure to get the
correct patch, should be:
tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
        a.) note, that so long as the tproxy-iptables-1.4.0 part of the
patch name is the same as the iptables version, it is the correct patch.
8) Download tproxy patch for kernel from Balabit. Be sure to get the
correct patch, should be:
tproxy-kernel-2.6.25-20080519-165031-1211208631
        a.) note, that so long as the tproxy-kernel-2.6.25 part of the
patch name is the same as the kernel, it is the correct patch.
        b.) decompress the archive, which will create a directory with
the patches in it.
9) decompress the kernel source to /usr/src/linux-2.6.25
10) ln -s /usr/src/linux-2.6.25 /usr/src/linux
11) cd /usr/src/linux
12) patch the kernel source with the tproxy patches as stated in the
README, should be something like:
cat <path_to_tproxy_kernel_patches>/00*.patch | patch -p1
13) configure the kernel, enabling the tproxy support as noted in the
TProxy README.
14) compile, install, and reboot into the new kernel
15) Next, patch, configure, compile and install iptables. This is done
with the thought in mind to correctly overwrite the existing iptables
setup so that the current service init script that ships with CentOS 5.2
can be used. To do this, decompress the iptables 1.4.0 source code, and
cd to that directory. Then follow the steps noted:
        a.) Patch the iptables source with the TProxy patch as noted in
the TProxy README:
                cat <path_to_tproxy>/00*.patch | patch -p1
        b.) then run the following make line to build iptables against
the patched kernel source:
                make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux
        c.) check that TPROXY was built: ls extensions/libxt_TPROXY*
        d.) then install:
                make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux install

16) Next check iptables versioning to make sure it installed properly in
the right path:
        a) "iptables -v" should show:

                        iptables v1.4.0: no command specified
                        Try `iptables -h' or 'iptables --help' for more
information.

        If it doesn't show this, but v1.3.5 instead, then I wrote the
step 15 above from memory incorrectly, and the paths need to be
adjusted.

17) Do a "service iptables status" and see if iptables is running,
stopped, or has a
"RH-Firewall-1-INPUT" chain. If it stopped altogether, do a "service
iptables start" and make sure that it starts and stays running.

18) Use the following iptables commands to enable TPROXY functionality in
the running iptables instance:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0xffffffff
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

Note: if any of the above commands fails, there is something wrong with
iptables update to 1.4.0 and/or tproxy module status in iptables 1.4.0.
Keep in mind that the commands are sensitive to case, spacing, and
hyphenation.

19) WCCP related iptables rules need to be created next...this and
further steps are only needed if L4 WCCPv2 is used with a router, and
not L2 WCCP with a switch.

iptables -A INPUT -i gre0 -j ACCEPT
iptables -A INPUT -i gre0 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

20) For the WCCP udp traffic that is not in a gre tunnel:

-A RH-Firewall-1-INPUT -s 10.48.33.2/32 -p udp -m udp --dport 2048 -j ACCEPT

NOTE: with steps 17 through 19, you may find that you have no firewall
rules at all. In this case you will need to create an input chain to add
some of the rules to. I created a chain called "LocalFW" and added the
rule in step 20 to that chain. The rules in step 18 and 19 stay as they
are. To do this, learn iptables...or something *LIKE* what is listed
below:

iptables -t filter -N LocalFW
iptables -A FORWARD -j LocalFW
iptables -A INPUT -j LocalFW
iptables -A LocalFW -i lo -j ACCEPT
iptables -A LocalFW -p icmp -m icmp --icmp-type any -j ACCEPT

21) Next, build squid3HEAD source as noted in the squid readme and
tproxy readme, enabling netfilter with --enable-linux-netfilter
(--enable-linux-tproxy was phased out because tproxy is being more
tightly integrated with iptables/netfilter and squid)

22) configure squid as noted in the squid and tproxy readmes.
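The following script is an added example, not part of Nick's post, that wraps the checks from steps 15d, 16 and 18 in shell functions so the iptables version and the TPROXY build can be verified before the mangle rules are applied, and so the rule set can be printed for review instead of run. The rule lines are exactly those from step 18 (including the two TPROXY rules as posted); the IPT and DRY_RUN variables are hypothetical conveniences introduced here, and the iptables binary and paths are assumed to be the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): TPROXY setup checks as functions.
# IPT and DRY_RUN are hypothetical variables introduced for this example.
IPT="${IPT:-iptables}"

# Step 16: given the first line printed by "iptables -V" (or "iptables -v"
# as in the post, e.g. "iptables v1.4.0: no command specified"), succeed only
# when the version is exactly 1.4.0, the release the Balabit patch targets.
# Any other version (e.g. the stock 1.3.5) means the install went to the
# wrong path and the BINDDIR/LIBDIR values in step 15 need adjusting.
iptables_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9.]*\).*/\1/p')
    [ "$ver" = "1.4.0" ]
}

# Step 15d: confirm the TPROXY target extension exists in the iptables
# source tree (argument: path to the unpacked iptables-1.4.0 directory).
tproxy_extension_built() {
    set -- "$1"/extensions/libxt_TPROXY*
    [ -e "$1" ]
}

# Step 18: the mangle-table rules from the post, one per line, without the
# leading "iptables" so they can be fed to $IPT or printed for review.
tproxy_rules() {
    cat <<'EOF'
-t mangle -N DIVERT
-t mangle -A PREROUTING -p tcp -m socket -j DIVERT
-t mangle -A DIVERT -j MARK --set-mark 1
-t mangle -A DIVERT -j ACCEPT
-t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0xffffffff
-t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
EOF
}

# Apply the rules in order, stopping at the first one iptables rejects (the
# post's note: a failing rule points at the 1.4.0 install or the TPROXY
# module, and the rules are sensitive to case, spacing and hyphenation).
# With DRY_RUN=1 the commands are printed instead of executed.
apply_tproxy_rules() {
    tproxy_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s %s\n' "$IPT" "$rule"
        else
            # word splitting of $rule into arguments is intended here
            $IPT $rule || { printf 'rule failed: %s\n' "$rule" >&2; return 1; }
        fi
    done
}

# Usage (stand-alone): check the installed version, then apply the rules.
#   sh tproxy-setup.sh check   -> only verify the version
#   DRY_RUN=1 sh tproxy-setup.sh apply -> print the rules
if [ "${1:-}" = "check" ] || [ "${1:-}" = "apply" ]; then
    if iptables_version_ok "$("$IPT" -V 2>&1 | head -n1)"; then
        echo "iptables 1.4.0 found"
    else
        echo "iptables is not 1.4.0; revisit step 15 paths" >&2
        exit 1
    fi
    [ "$1" = "apply" ] && apply_tproxy_rules
fi
```

Run it with `DRY_RUN=1 sh tproxy-setup.sh apply` first to see the exact commands that will be issued; only the `apply` mode without DRY_RUN touches the running firewall, and it stops at the first rejected rule so a half-applied rule set is easy to spot.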
Received on Thu Aug 07 2008 - 18:55:17 MDT
