Re: [squid-users] TProxy not faking source address.

From: Omid Kosari <omidkosari_at_yahoo.com>
Date: Sun, 17 May 2009 23:09:34 -0700 (PDT)

I solved the problem. I have installed

aptitude install libcap2 libcap2-dev

and then recompiled squid, and the tproxy problem was solved.
Thank you, Amos, for http://wiki.squid-cache.org/Features/Tproxy4. Please
also edit the troubleshooting section for Ubuntu 9.04 (Jaunty) users to install
libcap2 libcap2-dev before compiling squid.
AFAIK the simplest way to run TPROXY is on Ubuntu 9.04 (Jaunty).

Amos Jeffries-2 wrote:
>
>>
>> Another thing maybe helpful
>> when i enable
>> http_port 3128 intercept
>> in squid.conf , following message appears in cache.log
>>
>> cache squid[14701]: IpIntercept.cc(132) NetfilterInterception: NF
>> getsockopt(SO_ORIGINAL_DST) failed on FD 24: (11) Resource temporarily
>> unavailable
>>
>
> I'm aware of that. 'intercept' is a NAT lookup and will throw up errors on
> any non-NAT input. 'tproxy' is a spoofed SOCKET lookup.
>
> I don't think any of the basic Ubuntu kernels have the TPROXY options set
> yet. That would account for your custom ones working but the general
> kernels not.
>
> Amos
>
>>
>>
>> Omid Kosari wrote:
>>>
>>> I have Ubuntu 9.04 (Jaunty), but squid->client spoofing also does not
>>> work. It shows squid's IP in tproxy mode.
>>>
>>> dmesg shows
>>> [ 21.186636] ip_tables: (C) 2000-2006 Netfilter Core Team
>>> [ 21.319881] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
>>> [ 21.319884] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>>>
>>> and squid.conf has
>>>
>>> http_port 3128
>>> http_port 3129 tproxy
>>>
>>> I have compiled squid with these settings
>>> ./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
>>> --mandir=/usr/share/man --localstatedir=/var
>>> --with-logdir=/var/log/squid
>>> --prefix=/usr --enable-inline --enable-async-io=8
>>> --enable-storeio="ufs,aufs" --enable-removal-policies="lru,heap"
>>> --enable-delay-pools --enable-cache-digests --enable-underscores
>>> --enable-icap-client --enable-follow-x-forwarded-for
>>> --with-filedescriptors=65536 --with-default-user=proxy
>>> --enable-large-files --enable-linux-netfilter
>>> and squid is 3.1.0.7
>>>
>>> the debug_options ALL,1 89,6 output is the same as when we have no
>>> debug_options at all!!
>>>
>>> I had tproxy with my custom kernels but upgraded to Ubuntu 9.04 (Jaunty)
>>> to avoid custom compiling of the kernel and iptables, but it does not work.
>>>
>>>
>>>
>>> Amos Jeffries-2 wrote:
>>>>
>>>> rihad wrote:
>>>>> Looks like I'm the only one trying to use TProxy? Somebody else,
>>>>> please?
>>>>> To summarize: Squid does NOT spoof client's IP address when initiating
>>>>> connections on its own. Just as if there weren't a thing named
>>>>> "TProxy".
>>>>
>>>> We have had a fair few trying it with complete success when it's the only
>>>> thing used. This kind of thing seems to crop up with WCCP, for you and
>>>> one other.
>>>>
>>>> I'm not sure yet what the problem seems to be. Can you check your
>>>> cache.log for messages about "Stopping full transparency", the rest of
>>>> the message says why. I've updated the wiki troubleshooting section to
>>>> list the messages that appear when tproxy is turned off automatically
>>>> and what needs to be done to fix it.
>>>>
>>>> If you can't see any of those please can you set:
>>>> debug_options ALL,1 89,6
>>>>
>>>> to see what's going on?
>>>>
>>>> I know the squid->client link should be 100% spoofed. I'm not fully
>>>> certain the squid->server link is actually spoofed in all cases. Though
>>>> one report indicates it may be, I have not been able to test it locally
>>>> yet.
>>>>
>>>>
>>>> Amos
>>>>
>>>>
>>>>>
>>>>> Original message follows (not to be confused with top-posting):
>>>>>
>>>>>> Hello, I'm trying to get TProxy 4.1 to work as outlined here:
>>>>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>>>> namely under Ubuntu 9.04 stable/testing mix with the following:
>>>>>> linux-image-2.6.28-11-server 2.6.28-11.42
>>>>>> iptables 1.4.3.2-2ubuntu1
>>>>>> squid-3.1.0.7.tar.bz2 from original sources
>>>>>>
>>>>>> Squid has been built this way:
>>>>>> $ /usr/local/squid/sbin/squid -v
>>>>>> Squid Cache: Version 3.1.0.7
>>>>>> configure options: '--enable-linux-netfilter'
>>>>>> --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
>>>>>> (myself I only gave it --enable-linux-netfilter)
>>>>>>
>>>>>> squid.conf is pretty much whatever 'make install' created, with my
>>>>>> changes given at the end, after the blank line:
>>>>>>
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32
>>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>>> acl SSL_ports port 443
>>>>>> acl Safe_ports port 80 # http
>>>>>> acl Safe_ports port 21 # ftp
>>>>>> acl Safe_ports port 443 # https
>>>>>> acl Safe_ports port 70 # gopher
>>>>>> acl Safe_ports port 210 # wais
>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>> acl Safe_ports port 488 # gss-http
>>>>>> acl Safe_ports port 591 # filemaker
>>>>>> acl Safe_ports port 777 # multiling http
>>>>>> acl CONNECT method CONNECT
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access deny !Safe_ports
>>>>>> http_access deny CONNECT !SSL_ports
>>>>>> http_access allow localnet
>>>>>> http_access deny all
>>>>>> http_port 3128
>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>>>> refresh_pattern . 0 20% 4320
>>>>>> coredump_dir /usr/local/squid/var/cache
>>>>>>
>>>>>> cache_dir ufs /usr/local/squid/var/cache 100 16 256
>>>>>> cache_mem 16 MB
>>>>>> http_port 3129 tproxy
>>>>>> visible_hostname tproxy
>>>>>>
>>>>>> Then I did:
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>>
>>>>>> #Use DIVERT to prevent existing connections going through TPROXY twice:
>>>>>>
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>>
>>>>>> #Mark all other (new) packets and use TPROXY to pass into Squid:
>>>>>>
>>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>>
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>>
>>>>>> #On each boot startup set:
>>>>>>
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>> ran squid -z and launched squid.
>>>>>>
>>>>>> My topology:
>>>>>> desktop where I sit: one link has address 192.168.0.1/24, the other to
>>>>>> the Internet
>>>>>> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
>>>>>> same box as desktop), the other link is custom VMware interface
>>>>>> 192.168.1.1/24
>>>>>> The "client" box: single interface 192.168.1.2/24
>>>>>>
>>>>>> So, the squid box is directly connected to the outside on the one side,
>>>>>> and to the client on the other. My desktop's routing knows to reach the
>>>>>> client through the Squid box, and vice versa, so the port 80 traffic
>>>>>> under consideration flows through the Squid box in both ways.
>>>>>>
>>>>>> Now, after I do this on the "client":
>>>>>> $ telnet 192.168.0.1 80
>>>>>> GET / HTTP/1.0
>>>>>>
>>>>>> (correct webpage output)
>>>>>> Connection closed by foreign host.
>>>>>>
>>>>>> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
>>>>>> connecting, not the TProxied 192.168.1.2, as if working under the plain
>>>>>> ole interception proxying I've been trying to get rid of!
>>>>>>
>>>>>> Why?! Counters on the Squid box do get bumped:
>>>>>>
>>>>>> $ sudo iptables -t mangle -L -v -n
>>>>>> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
>>>>>>  pkts bytes target  prot opt in  out  source     destination
>>>>>>  2274  214K DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
>>>>>>    16   920 TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> Chain DIVERT (1 references)
>>>>>>  pkts bytes target  prot opt in  out  source     destination
>>>>>>  2274  214K MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK xset 0x1/0xffffffff
>>>>>>  2274  214K ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>>>>>>
>>>>>>
>>>>>> Thanks for any tips.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>>>> Current Beta Squid 3.1.0.7
>>>>
>>>>
>>>
>>>
>>

-- 
View this message in context: http://www.nabble.com/TProxy-not-faking-source-address.-tp23544464p23591654.html
Sent from the Squid - Users mailing list archive at Nabble.com.
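What the libcap2 fix in this thread restores, shown as an added example (not Squid's code and not from the thread): Squid spoofs the client by binding its outgoing socket to the client's address, which Linux only permits on a socket with IP_TRANSPARENT set, and setting that option needs CAP_NET_ADMIN. Squid switches from root to the proxy user at startup and uses libcap to keep that capability across the uid change; without libcap the option cannot be set and the origin server sees the proxy's own address, which is the symptom reported above. The script tries the same bind with and without IP_TRANSPARENT, using the thread's client address 192.168.1.2, assumed not to be local to the machine running it.

```python
"""Added example (not Squid's code): the socket-level requirement behind
TPROXY spoofing and how its absence looks.

Binding an outgoing socket to a non-local address (the client's IP) is only
allowed on a socket with IP_TRANSPARENT set, and setting IP_TRANSPARENT needs
CAP_NET_ADMIN. Squid keeps that capability across its switch to the proxy
user via libcap; without it the setsockopt fails and connections leave with
the proxy's own address.
"""
import errno
import socket

IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # value 19 on Linux


def try_spoof_bind(spoofed_src, transparent=True):
    """Bind a TCP socket to spoofed_src the way a TPROXY proxy would.

    Returns (status, detail):
      ("spoofable", addr)          bind to the non-local address succeeded
      ("no_capability", "EPERM")   IP_TRANSPARENT refused: CAP_NET_ADMIN missing
      ("unsupported", errname)     kernel/sandbox does not offer IP_TRANSPARENT
      ("bind_failed", errname)     bind refused (EADDRNOTAVAIL without transparency)
    """
    def errname(e):
        return errno.errorcode.get(e.errno, str(e.errno))

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if transparent:
            try:
                s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            except PermissionError as e:
                return ("no_capability", errname(e))
            except OSError as e:
                return ("unsupported", errname(e))
        try:
            s.bind((spoofed_src, 0))  # port 0: let the kernel pick one
        except OSError as e:
            return ("bind_failed", errname(e))
        return ("spoofable", s.getsockname()[0])
    finally:
        s.close()


if __name__ == "__main__":
    # 192.168.1.2 is the "client" in the thread's topology and is assumed
    # not to be an address of the machine running this script.
    for transparent in (False, True):
        print("IP_TRANSPARENT=%d:" % transparent,
              try_spoof_bind("192.168.1.2", transparent))
```

Run it once as the unprivileged proxy user and once as root: the first gives no_capability, the second spoofable, which is exactly the difference libcap preserves for Squid after it drops privileges.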
Received on Mon May 18 2009 - 06:09:37 MDT

This archive was generated by hypermail 2.2.0 : Mon May 18 2009 - 12:00:02 MDT