RE: [squid-users] Please give a solution - Tproxy with WCCP error configuration

From: Engr.M.monzur Alam <monzur_at_citechco.net>
Date: Wed, 13 May 2009 09:57:59 +0600

I have successfully configured tproxy following all the steps (patching CentOS,
patching iptables, building Squid), and also the WCCP configuration with L4
WCCPv2. When I try to check the gre0 tunnel for any packet flow, I don't
find any packets. My error showed:
[root_at_heldas]# tcpdump -i gre0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

My iptables script is:
#!/bin/bash
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

My physical connectivity structure is:
Internet cloud to Cisco core router to Juniper firewall to Distributed
Cisco router to Core Cisco switch to TPROXY Server

Please give me a solution.
Thanks
M.Monzur Alam
Network & System Admin
Grameen CyberNet Ltd.
Dhaka, Bangladesh

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, May 05, 2009 7:31 PM
To: adnan
Cc: Monzur Md.. Alam; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Please give a solution - Tproxy

adnan wrote:
>
> ----- Original Message ----- From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: "Monzur Md.. Alam" <monzur_at_citechco.net>
> Cc: <squid-users_at_squid-cache.org>
> Sent: Monday, May 04, 2009 7:19 PM
> Subject: Re: [squid-users] Please give a solution - Tproxy
>
>
>> Monzur Md.. Alam wrote:
>>> Dear all,
>>>
>>> I have gone through the procedure as described at the following URL:
>>> http://wiki.squid-cache.org/Features/Tproxy4#head-f17bb712222beeb0aa083f02237aad6fdfaa1be2
>>>
>>> I have successfully compiled kernel:2.6.28.1 and iptables:1.4.3 with
>>> tproxy:2.6.25-20080519-165031-1211208631.tar.bz2
>>>
>>
>> What is "tproxy:2.6.25-20080519-165031-1211208631.tar.bz2" ??
>> It's not part of the Squid TPROXY v4 tools that I know of.
>
> He (Monzur) means,
> tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2, for the support of
> NF_CONNTRACK
> NETFILTER_TPROXY
> NETFILTER_XT_MATCH_SOCKET
> NETFILTER_XT_TARGET_TPROXY
> above features in the kernel we patched above "tproxy-kernelxxx" patch to
> the kernel. Do you think we should avoid tproxy-kernel patch for TPROXY v4?

Ah you said you had kernel 2.6.28.
That is a patch for 2.6.25 kernel _only_.

There is no patching needed for kernel 2.6.28, which is why it's listed
on the wiki page as the recommended minimum version.

> If so, how can we get NF_CONNTRACK, NETFILTER_TPROXY,
> NETFILTER_XT_MATCH_SOCKET, NETFILTER_XT_TARGET_TPROXY in the kernel?

During the normal configure + build sequence of the kernel they should
appear somewhere in the netfilter or iptables sections of the configure.

If you have that patch in your 2.6.28, you will need to rebuild without
any breakage it may have caused. That's a good time to do a reconfigure
from clean kernel source.

>>> Now when I run the following iptables commands, all the commands are
>>> running without any problem except....
>>>
>>> iptables 1.4.3 Configuration
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>
>>> and error message shown:
>>>
>>> [root_at_hpproxy ~]# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables: No chain/target/match by that name. Run `dmesg' for more information.
>>> [root_at_hpproxy ~]#
>>
>> Something is missing from your iptables. Possibly the kernel is not
>> built with all the new TPROXY options or has not loaded the right
>> modules. Follow its advice and run dmesg to find out more details.
>>
>
> When we run the command without "-m socket" it runs without error. Can
> you please write which things are missing in the kernel or iptables
> software?

The versions listed on the Squid wiki page are missing nothing
important. Should work with vanilla code no patches. Only a kernel and
Squid configuration settings needed during build.

> Is this command or option "-m socket" mandatory to run Squid with
> Tproxy support?

Yes it is. Using the correct versions of software and not patching will
fix this issue for you.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
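Added example, not code from the thread or from the Squid project: a small POSIX shell helper that checks a kernel .config for the four options named in the thread (the ones "-m socket" and "-j TPROXY" depend on), flags TPROXY modules built as =m but missing from lsmod output, and prints the DIVERT/TPROXY rule set from the thread in a reviewable order. The module names (xt_socket, xt_TPROXY), file paths and the sample .config are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project. It checks a
# kernel .config for the netfilter options named in the thread (needed for
# "-m socket" and "-j TPROXY"), flags TPROXY modules built as =m but not in
# lsmod, and prints the DIVERT/TPROXY rules in a reviewable order.
# Module names, paths and the sample config are assumptions for illustration.

TPROXY_OPTS="CONFIG_NF_CONNTRACK CONFIG_NETFILTER_TPROXY \
CONFIG_NETFILTER_XT_MATCH_SOCKET CONFIG_NETFILTER_XT_TARGET_TPROXY"

# Print each required option that is neither =y nor =m in .config $1.
# "No chain/target/match by that name" on "-m socket" is the usual symptom
# when CONFIG_NETFILTER_XT_MATCH_SOCKET is missing.
tproxy_missing_opts() {
    for opt in $TPROXY_OPTS; do
        grep -Eq "^${opt}=[ym]$" "$1" || echo "$opt"
    done
}

# Print modules that are =m in .config $2 but absent from lsmod output $1.
tproxy_unloaded_modules() {
    for pair in xt_socket:CONFIG_NETFILTER_XT_MATCH_SOCKET \
                xt_TPROXY:CONFIG_NETFILTER_XT_TARGET_TPROXY; do
        mod="${pair%%:*}"; opt="${pair#*:}"
        if grep -q "^${opt}=m$" "$2" && ! grep -q "^${mod} " "$1"; then
            echo "$mod"
        fi
    done
}

# Print the thread's mangle rules with the DIVERT chain filled before
# PREROUTING jumps to it; $1 is Squid's tproxy port. Pipe into sh to apply.
tproxy_rules() {
    cat <<EOF
/sbin/iptables -t mangle -N DIVERT
/sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
/sbin/iptables -t mangle -A DIVERT -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port ${1:-3129}
EOF
}

# Constructed sample .config with the socket match left out.
sample_cfg=$(mktemp)
printf '%s\n' CONFIG_NF_CONNTRACK=y CONFIG_NETFILTER_TPROXY=m \
    '# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set' \
    CONFIG_NETFILTER_XT_TARGET_TPROXY=m >"$sample_cfg"
tproxy_missing_opts "$sample_cfg"   # prints CONFIG_NETFILTER_XT_MATCH_SOCKET
rm -f "$sample_cfg"
```

On a live box, point the first function at /boot/config-$(uname -r) and the second at the output of lsmod saved to a file.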
Received on Wed May 13 2009 - 03:58:24 MDT

This archive was generated by hypermail 2.2.0 : Wed May 13 2009 - 12:00:02 MDT