Re: [squid-users] FW: Re[2]: squid with tproxy

From: <squid3_at_treenet.co.nz>
Date: Thu, 28 May 2009 13:13:20 +1200

On Wed, 27 May 2009 12:06:25 -0500, "Ritter, Nicholas"
<Nicholas.Ritter_at_americantv.com> wrote:
> ________________________________________
> From: Ritter, Nicholas
> Sent: Wednesday, May 27, 2009 12:04 PM
> To: 'Manish P. Govindji'
> Subject: RE: Re[2]: squid with tproxy
>
> I remember something important....if you are using a more recent version of
> TPROXY than what is stated in the squid wiki article....I think the method
> by which TPROXY is configured in iptables changed a bit to make it more to
> the liking of the netfilter and kernel developers in an effort to get the
> TPROXY code included into the netfilter and kernel release code.
>
> My setup and the wiki article I wrote are from before these changes, and I
> have not worked with TPROXY since, so that could be the issue here. I have
> not downloaded the latest TPROXY code to be sure though. And I think I
> might have actually seen TPROXY as included in the most recent (ie: 2.6.29)
> kernel as experimental.

Yes, TPROXYv4 is now available in public releases of all the software
involved. The kernel code changed somewhat during the formal merge, and the
Squid code had to change a lot to accommodate the fixes. So Squid may not
work properly with the Balabit patches for older kernels.

The TPROXYv4 features page contains the minimum versions of kernel,
iptables, libcap, and Squid needed for this to work.
http://wiki.squid-cache.org/Features/Tproxy4

Amos

>
> I have been meaning to set up a new squid/tproxy system, and update the wiki
> article...just have not gotten to it yet. I suggest taking a look at the
> readme with the latest tproxy source code, or even looking at your kernel
> config to see which tproxy version is being used. If you do a dmesg command
> and look for the TProxy module loading, I think it tells you what version
> it is.
>
> Nick
>
> ________________________________________
> From: Manish P. Govindji [mailto:manish_at_mcc.co.tz]
> Sent: Wednesday, May 27, 2009 11:43 AM
> To: Ritter, Nicholas
> Cc: squid-users
> Subject: Re[2]: squid with tproxy
>
>
> Thanks a lot for the reply, I am already tired of pulling my hair out for this one.
>
> Sorry, typo, it's 3128.
>
> I do not have the file /etc/sysconfig/iptables; I use iptables in rc.local
>
> #####################
>
> #Increase Squid file Descriptors
> ulimit -HSn 30720
>
> #Start caches
> /usr/sbin/squid
>
> #Enable Forwarding
> echo '1' > /proc/sys/net/ipv4/ip_forward
>
> #disable rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> # defences
> iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
>
> #Allow established sessions to continue
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> ########################
>
> I am using squid as gateway, all the PCs are on public IP and Squid is also
> on public IP as Gateway PC. (was working as transparent cache, but wanted
> to use the Tproxy)
>
> Rgds,
>
> ________________________________________
> -----Original Message-----
> From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
> To: "Manish govindji" <manish_at_mcc.co.tz>
> Cc: "squid-users" <squid-users_at_squid-cache.org>
> Date: 27-05-2009 18:47
> Subject: RE: squid with tproxy
> Port 3128, or 1328? The default port is 3128, but is configurable.
>
>
> Your rules are not right...you are marking, as you should, but not
> redirecting to the squid port. In addition to sending the output of the raw
> iptables command, send the contents of /etc/sysconfig/iptables.
>
> I think the problem is partly in the rules setup. Are you using wccp as
> well, and/or a gre interface?
>
> Also, make sure you have Full NAT enabled in the kernel. Looks like that is
> ok though.
>
>
> ________________________________________
> From:Manish govindji [mailto:manish_at_mcc.co.tz]
> Sent: Wednesday, May 27, 2009 6:06 AM
> To: Nicholas.Ritter_at_americantv.com
> Subject: squid with tproxy
>
> Hello Nicholas,
>
> I have been trying to compile squid with tproxy but am failing, have
> searched all over Google but nothing of help.
>
> I have CentOS 5.3, installed custom kernel 2.6.28, and iptables 1.4.3,
> squid 3.1
>
> In compiling the custom kernel, I copied the old config and added the below:-
>
> NF_CONNTRACK
> NETFILTER_TPROXY
> NETFILTER_XT_MATCH_SOCKET
> NETFILTER_XT_TARGET_TPROXY
>
> When I do iptables stat:-
>
> [root_at_gateway ~]# iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain DIVERT (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> The packets do not get to squid, on port 1328; even if I kill squid the PC can
> still browse.
>
> Can you help? If I am missing a step or something is not right, I have
> followed the latest steps in the wiki.
>
>
> Rgds,
>
> Manish.
>
>
>
>
>
> $=========================$
> Manish P. Govindji.
> Modern Computer Centre Ltd.
> P. O. Box 4225, Zanzibar, Tanzania.
> tel: +255.24.2235928 / 9, fax: +255.24.2230343
> manish_at_mcc.co.tz
> ................................
> "Every man dies. Not every man lives."
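The symptom in Manish's listing is "Chain DIVERT (0 references)": the chain was created and populated, but the two PREROUTING rules that feed it (the `-m socket` rule and the TPROXY rule) never made it into the table, which is exactly what happens when the iptables/kernel combination lacks the xt_socket or xt_TPROXY extensions. The following POSIX shell checker is an added example, not code from the thread and not Squid or netfilter project code. It reads the text that `iptables-save -t mangle` prints (passed as a string) and reports every missing piece of the TPROXYv4 wiring, including whether the TPROXY `--on-port` matches the port Squid has `http_port N tproxy` on (3129 is assumed here, matching the thread's rc.local). Both rulesets at the bottom are constructed; the second mirrors the thread's state. It does not inspect the `ip rule`/`ip route` table-100 entries or rp_filter, which must be checked separately.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid/netfilter code): verify that a
# saved mangle table contains the TPROXYv4 wiring from the Squid TPROXY wiki
# recipe. Input is "iptables-save -t mangle" text; the port argument is the
# port Squid listens on with "http_port <port> tproxy" (assumed to be 3129).

# usage: check_tproxy_rules "<ruleset text>" <squid tproxy port>
# Prints each missing piece; returns 0 only when everything is wired up.
check_tproxy_rules() {
    rules="$1"
    want_port="$2"
    ok=0

    if ! printf '%s\n' "$rules" | grep -q '^:DIVERT '; then
        echo "missing: DIVERT chain (iptables -t mangle -N DIVERT)"; ok=1
    fi
    # "--set-mark 1" is saved as --set-mark 0x1 (old) or --set-xmark 0x1/... (new)
    if ! printf '%s\n' "$rules" | grep -Eq '^-A DIVERT .*-j MARK --set-x?mark 0x1'; then
        echo "missing: DIVERT -j MARK --set-mark 1"; ok=1
    fi
    if ! printf '%s\n' "$rules" | grep -q '^-A DIVERT .*-j ACCEPT'; then
        echo "missing: DIVERT -j ACCEPT"; ok=1
    fi

    # "Chain DIVERT (0 references)" in the thread means this rule is absent.
    socket_line=$(printf '%s\n' "$rules" | grep -n '^-A PREROUTING .*-m socket .*-j DIVERT' | head -1 | cut -d: -f1)
    if [ -z "$socket_line" ]; then
        echo "missing: PREROUTING -m socket -j DIVERT (xt_socket not available or rule never added)"; ok=1
    fi

    tproxy_line=$(printf '%s\n' "$rules" | grep -n '^-A PREROUTING .*-j TPROXY ' | head -1 | cut -d: -f1)
    if [ -z "$tproxy_line" ]; then
        echo "missing: PREROUTING -j TPROXY rule (xt_TPROXY not available or rule never added)"; ok=1
    else
        got_port=$(printf '%s\n' "$rules" | sed -n 's/.*-j TPROXY .*--on-port \([0-9]*\).*/\1/p' | head -1)
        if [ "$got_port" != "$want_port" ]; then
            echo "mismatch: TPROXY --on-port $got_port but Squid listens with tproxy on $want_port"; ok=1
        fi
        if ! printf '%s\n' "$rules" | grep -q -- '--tproxy-mark 0x1/0x1'; then
            echo "missing: --tproxy-mark 0x1/0x1 (must match the DIVERT mark and 'ip rule add fwmark 1')"; ok=1
        fi
        # The socket match must come first so packets of connections Squid already
        # owns are diverted by the socket match rather than hitting TPROXY again.
        if [ -n "$socket_line" ] && [ "$socket_line" -gt "$tproxy_line" ]; then
            echo "order: the -m socket rule must precede the TPROXY rule in PREROUTING"; ok=1
        fi
    fi
    return $ok
}

# Constructed sample: a correctly wired mangle table.
GOOD_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample mirroring the thread: DIVERT exists, PREROUTING is empty.
BAD_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

if check_tproxy_rules "$BAD_RULES" 3129; then
    echo "TPROXY wiring looks complete"
else
    echo "TPROXY wiring is incomplete (see above)"
fi
```

On a live box, run it as `check_tproxy_rules "$(iptables-save -t mangle)" 3129`; when the socket or TPROXY rule is reported missing, `iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT` typed by hand will usually print the underlying load error for the extension, which `rc.local` silently discards.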
Received on Thu May 28 2009 - 01:13:29 MDT

This archive was generated by hypermail 2.2.0 : Thu May 28 2009 - 12:00:01 MDT