Re: [squid-users] TProxy not faking source address.

From: Omid Kosari <omidkosari_at_yahoo.com>
Date: Sun, 17 May 2009 11:53:13 -0700 (PDT)

I have Ubuntu 9.04 (Jaunty), but squid->client spoofing also does not work.
It shows squid's IP in tproxy mode.

dmesg shows
[ 21.186636] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 21.319881] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[ 21.319884] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

and squid.conf has

http_port 3128
http_port 3129 tproxy

I have compiled squid with these settings:
./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 \
  --mandir=/usr/share/man --localstatedir=/var --with-logdir=/var/log/squid \
  --prefix=/usr --enable-inline --enable-async-io=8 \
  --enable-storeio="ufs,aufs" --enable-removal-policies="lru,heap" \
  --enable-delay-pools --enable-cache-digests --enable-underscores \
  --enable-icap-client --enable-follow-x-forwarded-for \
  --with-filedescriptors=65536 --with-default-user=proxy --enable-large-files \
  --enable-linux-netfilter
and squid is 3.1.0.7.

The debug_options ALL,1 89,6 output is the same as when we have no debug_options
at all!!

I had tproxy with my custom kernels but upgraded to Ubuntu 9.04 (Jaunty) to
avoid custom compiling of the kernel and iptables, but it does not work.

Amos Jeffries-2 wrote:
>
> rihad wrote:
>> Looks like I'm the only one trying to use TProxy? Somebody else, please?
>> To summarize: Squid does NOT spoof client's IP address when initiating
>> connections on its own. Just as if there weren't a thing named "TProxy".
>
> We have had a fair few trying it with complete success when it's the only
> thing used. This kind of thing seems to crop up with WCCP, for you and
> one other.
>
> I'm not sure yet what the problem seems to be. Can you check your
> cache.log for messages about "Stopping full transparency", the rest of
> the message says why. I've updated the wiki troubleshooting section to
> list the messages that appear when tproxy is turned off automatically
> and what needs to be done to fix it.
>
> If you can't see any of those please can you set:
> debug_options ALL,1 89,6
>
> to see what's going on?
>
> I know the squid->client link should be 100% spoofed. I'm not fully
> certain the squid->server link is actually spoofed in all cases. Though
> one report indicates it may be, I have not been able to test it locally
> yet.
>
>
> Amos
>
>
>>
>> Original message follows (not to be confused with top-posting):
>>
>>> Hello, I'm trying to get TProxy 4.1 to work as outlined here:
>>> http://wiki.squid-cache.org/Features/Tproxy4
>>> namely under Ubuntu 9.04 stable/testing mix with the following:
>>> linux-image-2.6.28-11-server 2.6.28-11.42
>>> iptables 1.4.3.2-2ubuntu1
>>> squid-3.1.0.7.tar.bz2 from original sources
>>>
>>> Squid has been built this way:
>>> $ /usr/local/squid/sbin/squid -v
>>> Squid Cache: Version 3.1.0.7
>>> configure options: '--enable-linux-netfilter' --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
>>> (myself I only gave it --enable-linux-netfilter)
>>>
>>> squid.conf is pretty much whatever 'make install' created, with my
>>> changes given at the end, after the blank line:
>>>
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localnet
>>> http_access deny all
>>> http_port 3128
>>> hierarchy_stoplist cgi-bin ?
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> coredump_dir /usr/local/squid/var/cache
>>>
>>> cache_dir ufs /usr/local/squid/var/cache 100 16 256
>>> cache_mem 16 MB
>>> http_port 3129 tproxy
>>> visible_hostname tproxy
>>>
>>> Then I did:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>
>>> #Use DIVERT to prevent existing connections going through TPROXY twice:
>>>
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>
>>> #Mark all other (new) packets and use TPROXY to pass into Squid:
>>>
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>>
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>
>>> #On each boot startup set:
>>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> ran squid -z and launched squid.
>>>
>>> My topology:
>>> desktop where I sit: one link has address 192.168.0.1/24, the other to
>>> the Internet
>>> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
>>> same box as desktop), the other link is custom VMware interface
>>> 192.168.1.1/24
>>> The "client" box: single interface 192.168.1.2/24
>>>
>>> So, the squid box is directly connected to the outside on the one side,
>>> and to the client on the other. My desktop's routing knows to reach the
>>> client through the Squid box, and vice versa, so the port 80 traffic
>>> under consideration flows through the Squid box in both ways.
>>>
>>> Now, after I do this on the "client":
>>> $ telnet 192.168.0.1 80
>>> GET / HTTP/1.0
>>>
>>> (correct webpage output)
>>> Connection closed by foreign host.
>>>
>>> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
>>> connecting, not the TProxied 192.168.1.2, as if working under the plain
>>> ole interception proxying I've been trying to get rid of!
>>>
>>> Why?! Counters on the Squid box do get bumped:
>>>
>>> $ sudo iptables -t mangle -L -v -n
>>> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
>>>  pkts bytes target prot opt in  out source    destination
>>>  2274  214K DIVERT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   socket
>>>    16   920 TPROXY tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>>
>>> ...
>>>
>>> Chain DIVERT (1 references)
>>>  pkts bytes target prot opt in  out source    destination
>>>  2274  214K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK xset 0x1/0xffffffff
>>>  2274  214K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
>>>
>>>
>>> Thanks for any tips.
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
> Current Beta Squid 3.1.0.7

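A prerequisite checklist for the TPROXY setup walked through in this thread (policy rule, local route table, mangle rules, ip_forward, and the "Stopping full transparency" message Amos points at), written as an added POSIX shell example rather than Squid's or the thread's own code. It assumes mark 1, routing table 100 and Squid tproxy port 3129 as used above; CACHE_LOG is a placeholder path.

```shell
#!/bin/sh
# Prerequisite checklist for the TPROXY setup in this thread (added example,
# not the project's code). Each check_* takes captured command output as $1 and
# returns 0 when the prerequisite is present, so it runs on live or saved output.
# Assumed values (as in the thread): mark 1, policy table 100, Squid tproxy port
# 3129. CACHE_LOG is a placeholder; point it at your --with-logdir.
MARK=1; TABLE=100; TPROXY_PORT=3129
CACHE_LOG=${CACHE_LOG:-/var/log/squid/cache.log}

# "ip rule show": marked packets only reach table 100 if this rule exists.
check_ip_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark (0x)?0*$MARK lookup $TABLE"
}

# "ip route show table 100": everything must be a local route on lo, or the
# kernel forwards the packet instead of handing it to Squid's socket.
check_local_route() {
    printf '%s\n' "$1" | grep -Eq "^local (default|0\.0\.0\.0/0) dev lo"
}

# "iptables -t mangle -L PREROUTING -n": the socket match (existing
# connections) and the TPROXY target with the expected port and mark.
check_mangle() {
    printf '%s\n' "$1" | grep -q 'socket' &&
    printf '%s\n' "$1" | grep -q "TPROXY redirect 0.0.0.0:$TPROXY_PORT mark 0x$MARK/0x$MARK"
}

# cache.log: Squid logs this message, plus the reason, when it gives up spoofing.
check_cache_log() {
    ! printf '%s\n' "$1" | grep -q 'Stopping full transparency'
}

report() { if "$1" "$2"; then echo "ok      $3"; else echo "MISSING $3"; fi; }

run_live_checks() {
    report check_ip_rule "$(ip rule show 2>/dev/null)" "ip rule fwmark $MARK lookup $TABLE"
    report check_local_route "$(ip route show table "$TABLE" 2>/dev/null)" "local route in table $TABLE"
    report check_mangle "$(iptables -t mangle -L PREROUTING -n 2>/dev/null)" "mangle socket match + TPROXY target"
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] && echo "ok      ip_forward=1" || echo "MISSING ip_forward=1"
    log=$(cat "$CACHE_LOG" 2>/dev/null)
    report check_cache_log "$log" "no 'Stopping full transparency' in cache.log"
    check_cache_log "$log" || echo "  reason: $(printf '%s\n' "$log" | grep 'Stopping full transparency' | head -n 1)"
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it with --live as root on the proxy host; a MISSING line names the step of the thread's recipe that is absent.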
Received on Sun May 17 2009 - 18:53:15 MDT

This archive was generated by hypermail 2.2.0 : Mon May 18 2009 - 12:00:02 MDT