[squid-users] FW: Re[2]: squid with tproxy

From: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
Date: Wed, 27 May 2009 12:06:25 -0500

________________________________________
From: Ritter, Nicholas
Sent: Wednesday, May 27, 2009 12:04 PM
To: 'Manish P. Govindji'
Subject: RE: Re[2]: squid with tproxy

I remember something important... if you are using a more recent version of TPROXY than what is stated in the squid wiki article... I think the method by which TPROXY is configured in iptables changed a bit to make it more to the liking of the netfilter and kernel developers, in an effort to get the TPROXY code included into the netfilter and kernel release code.

My setup and the wiki article I wrote are from before these changes, and I have not worked with TPROXY since, so that could be the issue here. I have not downloaded the latest TPROXY code to be sure though. And I think I might have actually seen TPROXY included in the most recent (i.e. 2.6.29) kernel as experimental.

I have been meaning to set up a new squid/tproxy system and update the wiki article... just have not gotten to it yet. I suggest taking a look at the readme with the latest tproxy source code, or even looking at your kernel config to see which tproxy version is being used. If you do a dmesg command and look for the TProxy module loading, I think it tells you what version it is.

Nick

________________________________________
From: Manish P. Govindji [mailto:manish_at_mcc.co.tz]
Sent: Wednesday, May 27, 2009 11:43 AM
To: Ritter, Nicholas
Cc: squid-users
Subject: Re[2]: squid with tproxy

Thanks a lot for the reply, I am already tired of pulling my hair out over this one.

Sorry, typo, it's 3128.

I do not have the file /etc/sysconfig/iptables; I use iptables in rc.local:

#####################

#Increase Squid file Descriptors
ulimit -HSn 30720

#Start caches
/usr/sbin/squid

#Enable Forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward

#disable rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# defences
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit

#Allow established sessions to continue
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

########################

I am using squid as the gateway; all the PCs are on public IPs and Squid is also on a public IP as the gateway PC. (It was working as a transparent cache, but I wanted to use TPROXY.)

Rgds,
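The rc.local above creates the DIVERT mark chain and adds two PREROUTING rules (the `-m socket` jump and the `TPROXY` redirect), yet the `iptables -t mangle -L -v -n` listing in the original mail further down shows an empty PREROUTING chain and `Chain DIVERT (0 references)`; that is the gap Nick's "marking but not redirecting" reply is pointing at, and it is why killing squid changes nothing. The script below is an added example, not from either poster or the Squid project: it parses a pasted mangle-table listing and reports which of the three pieces is missing. Both listings embedded in it are constructed for the example; the first copies the shape of the pasted output, the second is an assumed rendering of what the table looks like once the rc.local rules are installed. The expected redirect port 3129 is taken from the `--on-port` in the rc.local above, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed sample (shape of the listing pasted in the thread): PREROUTING
# holds no rules and nothing jumps to DIVERT.
SAMPLE_BROKEN='Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample (assumed rendering) of the same table after the two
# PREROUTING rules from rc.local have actually been installed.
SAMPLE_OK='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
    0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the rule lines of one chain from an `iptables -t mangle -L -v -n`
# listing read on stdin; chain headers and the pkts/bytes header are dropped.
chain_rules() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && /^ *pkts/ { next }
        inchain && NF > 0 { print }
    '
}

# Exit 0 when PREROUTING contains a jump to DIVERT qualified by -m socket.
has_socket_divert() {
    printf '%s\n' "$1" | chain_rules PREROUTING | grep -q 'DIVERT.*socket'
}

# Exit 0 when PREROUTING contains a TPROXY target.
has_tproxy_rule() {
    printf '%s\n' "$1" | chain_rules PREROUTING | grep -q 'TPROXY'
}

# Print the port the TPROXY rule redirects to (nothing if there is no rule).
tproxy_on_port() {
    printf '%s\n' "$1" | chain_rules PREROUTING |
        sed -n 's/.*TPROXY redirect [^:]*:\([0-9]*\).*/\1/p'
}

# Print the reference count from the "Chain DIVERT (N references)" header.
divert_refs() {
    printf '%s\n' "$1" | sed -n 's/^Chain DIVERT (\([0-9]*\) references)/\1/p'
}

# Run every check on a listing ($1); $2 is the port squid listens on for
# tproxy traffic (default 3129, the --on-port from the rc.local above).
# Returns 0 only when all pieces are present.
check_tproxy_rules() {
    listing=$1
    want_port=${2:-3129}
    status=0
    if ! has_socket_divert "$listing"; then
        echo "MISSING: PREROUTING '-m socket -j DIVERT' rule (replies never get the mark)"
        status=1
    fi
    if ! has_tproxy_rule "$listing"; then
        echo "MISSING: PREROUTING '-j TPROXY' rule (nothing is redirected to squid)"
        status=1
    elif [ "$(tproxy_on_port "$listing")" != "$want_port" ]; then
        echo "MISMATCH: TPROXY redirects to port $(tproxy_on_port "$listing"), squid expects $want_port"
        status=1
    fi
    if [ "$(divert_refs "$listing")" = "0" ]; then
        echo "WARNING: DIVERT chain exists but no rule jumps to it"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: mark and redirect rules are in place"
    return "$status"
}

# Usage: sh tproxy_check.sh --demo   (or pipe a live listing into
# check_tproxy_rules "$(iptables -t mangle -L -v -n)" on the gateway).
if [ "${1:-}" = "--demo" ]; then
    echo "== listing as pasted =="
    check_tproxy_rules "$SAMPLE_BROKEN" || true
    echo "== listing with rc.local rules installed =="
    check_tproxy_rules "$SAMPLE_OK"
fi
```

On the pasted listing the script reports all three problems at once, which narrows the fault to the two `iptables -t mangle -A PREROUTING ...` lines in rc.local never taking effect (for example because the xt_socket or xt_TPROXY extensions were not available when rc.local ran); the `--on-port` check also catches the 3128/3129 confusion raised earlier in the thread.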

________________________________________
-----Original Message-----
From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
To: "Manish govindji" <manish_at_mcc.co.tz>
Cc: "squid-users" <squid-users_at_squid-cache.org>
Date: 27-05-2009 18:47
Subject: RE: squid with tproxy

Port 3128, or 1328? The default port is 3128, but is configurable.
 
 
Your rules are not right...you are marking, as you should, but not redirecting to the squid port. In addition to sending the output of the raw iptables command, send the contents of /etc/sysconfig/iptables.
 
I think the problem is partly in the rules setup. Are you using wccp as well, and/or a gre interface?
 
Also, make sure you have Full NAT enabled in the kernel. Looks like that is ok though.
 
 
________________________________________
From: Manish govindji [mailto:manish_at_mcc.co.tz]
Sent: Wednesday, May 27, 2009 6:06 AM
To: Nicholas.Ritter_at_americantv.com
Subject: squid with tproxy
 
Hello Nicholas,
 
I have been trying to compile squid with tproxy but am failing; I have searched all over Google but found nothing of help.

I have CentOS 5.3, installed a custom kernel 2.6.28, iptables 1.4.3 and squid 3.1.

In compiling the custom kernel, I copied the old config and added the below:
 
NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY
 
When I do iptables stat:
 
[root_at_gateway ~]# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
 
The packets do not get to squid on port 1328; even if I kill squid the PC can still browse.

Can you help? If I am missing a step or something is not right... I have followed the latest steps in the wiki.
 
 
Rgds,
 
Manish.
 

$=========================$
Manish P. Govindji.
Modern Computer Centre Ltd.
P. O. Box 4225, Zanzibar, Tanzania.
tel: +255.24.2235928 / 9, fax: +255.24.2230343
manish_at_mcc.co.tz
................................
"Every man dies. Not every man lives."
Received on Wed May 27 2009 - 17:06:43 MDT

This archive was generated by hypermail 2.2.0 : Fri May 29 2009 - 12:00:02 MDT