Re: [squid-users] Squid 3Head steps with TProxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 8 Aug 2008 14:52:02 +1200 (NZST)

> Listed below are the beginnings of steps I have. They are not complete,
> I left out some steps which I will add and repost. Please let me know if
> you have questions/troubles with the steps. I have not fully checked the
> steps for clarity and accuracy...but I eventually will.
>
> These steps are for setting up squid3HEAD with TProxy, IP spoofing and
> Cisco WCCP. This is not a bridging setup.
>
> Also, there is a patch for squid that I have applied which I have not
> noted in the steps, but I want to talk to them about its commit status
> before putting it in the steps.

''them'' being me, or Balabit?

>
> Nick
>

Thank you. Wikified at:
http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS

I've also sub-titled to show the goalposts clearly.

Now for the testing out and amendments...

>
> 1) Install CentOS 5.2
> a.) be sure not to install squid via the OS installer
> b.) install the development libraries and tools, as well as the
> legacy software development
> 2) Once the install completes and you have booted into the OS, run: yum
> update (and apply all updates.)
> 3) Once the yum command completes, reboot
> 4) Download iptables-1.4.0 from netfilter.org. Be sure to NOT download a
> later version of iptables 1.4 (such as 1.4.1 or 1.4.1.1)
> 5) Download kernel 2.6.25.11 from kernel mirror
> 6) Download squid3HEAD (squid 3.1 source code).
> 7) Download tproxy patch for iptables from balabit. Be sure to get the
> correct patch, should be:
> tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
> a.) note, that so long as the tproxy-iptables-1.4.0 part of the
> patch name is the same as the iptables version, it is the correct patch.
> 8) Download tproxy patch for kernel from Balabit. Be sure to get the
> correct patch, should be:
> tproxy-kernel-2.6.25-20080519-165031-1211208631
> a.) note, that so long as the tproxy-kernel-2.6.25 part of the
> patch name is the same as the kernel, it is the correct patch.
> b.) decompress the archive, which will create a directory with
> the patches in it.
> 9) decompress the kernel source to /usr/src/linux-2.6.25
> 10) ln -s /usr/src/linux-2.6.25 /usr/src/linux
> 11) cd /usr/src/linux
> 12) patch the kernel source with the tproxy patches as stated in the
> README, should be something like:
> cat <path_to_tproxy_kernel_patches>/00*.patch | patch -p1
> 13) configure the kernel, enabling the tproxy support as noted in the
> TProxy README.
> 14) compile, install, and reboot into the new kernel
> 15) Next, patch, configure, compile and install iptables. This is done
> with the thought in mind to correctly overwrite the existing iptables
> setup so that the current service init script that ships with CentOS 5.2
> can be used. To do this, decompress the iptables 1.4.0 source code, and
> cd to that directory. Then follow the steps noted:
> a.) Patch the iptables source with the TProxy patch as noted in
> the TProxy README:
> cat <path_to_tproxy>/00*.patch | patch -p1
> b.) then run the following config line to configure the Makefile
> for iptables:
> make BINDDIR=/sbin LIBDIR=/lib64
> KERNEL_DIR=/usr/src/linux
> c.) check that TPROXY was built: ls extensions/libxt_TPROXY*
> d.) then install:
> make BINDDIR=/sbin LIBDIR=/lib64
> KERNEL_DIR=/usr/src/linux install
>
> 16) Next check iptables versioning to make sure it installed properly in
> the right path:
> a) "iptables -v" should show:
>
> iptables v1.4.0: no command specified
> Try `iptables -h' or 'iptables --help' for more
> information.
>
> If it doesn't show this, but v1.3.5 instead, then I wrote the
> step 15 above from memory incorrectly, and the paths need to be
> adjusted.
>
> 17) Do a "service iptables status" and see if iptables is running,
> stopped, or has an "RH-Firewall-1-INPUT" chain. If it is stopped
> altogether, do a "service iptables start" and make sure that it starts
> and stays running.
>
> 18) Issue the following iptables commands to enable TPROXY functionality
> in the running iptables instance:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0xffffffff
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3128
>
> Note: if any of the above commands fail, there is something wrong with
> the iptables update to 1.4.0 and/or the tproxy module status in iptables 1.4.0.
> Keep in mind that the commands are sensitive to case, spacing, and
> hyphenation.
>
> 19) WCCP related iptables rules need to be created next...this and
> further steps are only needed if L4 WCCPv2 is used with a router, and
> not L2 WCCP with a switch.
>
> iptables -A INPUT -i gre0 -j ACCEPT
> iptables -A INPUT -p gre -j ACCEPT
>
> 20) For the WCCP udp traffic that is not in a gre tunnel:
>
> -A RH-Firewall-1-INPUT -s 10.48.33.2/32 -p udp -m udp --dport 2048 -j
> ACCEPT
>
> NOTE: with steps 17 through 19, you may find that you have no firewall
> rules at all. In this case you will need to create an input chain to add
> some of the rules to. I created a chain called "LocalFW" and added the
> rule in step 20 to that chain. The rules in step 18 and 19 stay as they
> are. To do this, learn iptables...or something *LIKE* what is listed
> below:
>
> iptables -t filter -N LocalFW
> iptables -A FORWARD -j LocalFW
> iptables -A INPUT -j LocalFW
> iptables -A LocalFW -i lo -j ACCEPT
> iptables -A LocalFW -p icmp -m icmp --icmp-type any -j ACCEPT
>
> 21) Next, build the squid3HEAD source as noted in the squid readme and
> tproxy readme, enabling netfilter with --enable-linux-netfilter
> (--enable-linux-tproxy was phased out because tproxy is being more
> tightly integrated with iptables/netfilter and squid)
>
> 22) configure squid as noted in the squid and tproxy readmes.
>
Received on Fri Aug 08 2008 - 02:52:06 MDT
