Re: [squid-users] FW: Re[2]: squid with tproxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 29 May 2009 13:44:17 +1200

7441122 wrote:
> I have gone through http://wiki.squid-cache.org/Features/Tproxy4 done
> all as required.
>
> initially we had squid as gateway, but now I want to use wccp, is
> there any how to on this one ?

Not specifically for the new TPROXY. I've been watching for one. People
who are familiar with WCCP seem not to have any trouble using the old
wiki examples with new TPROXY. People who are not such experts seem not
to be able to get it going no matter what they try.
The old stuff is at http://wiki.squid-cache.org/ConfigExamples/Intercept

If you (or anyone) know about WCCP and TPROXY and want to experiment and
find out what the issues are, please go ahead and feed back ANY
differences you find, no matter how small, good or bad.

Amos

>
> many thanks.
>
>
>
> On Thu, May 28, 2009 at 4:13 AM, <squid3_at_treenet.co.nz> wrote:
>> On Wed, 27 May 2009 12:06:25 -0500, "Ritter, Nicholas"
>> <Nicholas.Ritter_at_americantv.com> wrote:
>>> ________________________________________
>>> From: Ritter, Nicholas
>>> Sent: Wednesday, May 27, 2009 12:04 PM
>>> To: 'Manish P. Govindji'
>>> Subject: RE: Re[2]: squid with tproxy
>>>
>>> I remember something important....if you are using a more recent version of
>>> TPROXY than what is stated in the squid wiki article....I think the method
>>> by which TPROXY is configured in iptables changed a bit to make it more to
>>> the liking of the netfilter and kernel developers in an effort to get the
>>> TPROXY code included into the netfilter and kernel release code.
>>>
>>> My setup and the wiki article I wrote are from before these changes, and I
>>> have not worked with TPROXY since, so that could be the issue here. I have
>>> not downloaded the latest TPROXY code to be sure though. And I think I
>>> might have actually seen TPROXY as included in the most recent (ie: 2.6.29)
>>> kernel as experimental.
>> Yes TPROXYv4 is now available in a public release of all involved
>> softwares.
>> The kernel code changed somewhat during their formal merge, and squid code
>> had to change a lot to accommodate the fixes. So Squid may not work
>> properly with the Balabit patches for older kernels.
>>
>> The TPROXYv4 features page contains the minimum versions of kernel,
>> iptables, libcap, and Squid needed for this to work.
>> http://wiki.squid-cache.org/Features/Tproxy4
>>
>> Amos
>>
>>> I have been meaning to setup a new squid/tproxy system, and update the wiki
>>> article...just have not gotten to it yet. I suggest taking a look at the
>>> readme with the latest tproxy source code, or even looking at your kernel
>>> config to see which tproxy version is being used. If you do a dmesg command
>>> and look for the TProxy module loading, I think it tells you what version
>>> it is.
>>>
>>> Nick
>>>
>>> ________________________________________
>>> From: Manish P. Govindji [mailto:manish_at_mcc.co.tz]
>>> Sent: Wednesday, May 27, 2009 11:43 AM
>>> To: Ritter, Nicholas
>>> Cc: squid-users
>>> Subject: Re[2]: squid with tproxy
>>>
>>>
>>> Thanks a lot for the reply, I am already tired of pulling my hair out over this one.
>>>
>>> Sorry, typo, it's 3128.
>>>
>>> I do not have the file /etc/sysconfig/iptables, I use iptables in rc.local
>>> #####################
>>>
>>> #Increase Squid file Descriptors
>>> ulimit -HSn 30720
>>>
>>> #Start caches
>>> /usr/sbin/squid
>>>
>>> #Enable Forwarding
>>> echo '1' > /proc/sys/net/ipv4/ip_forward
>>>
>>> #disable rp_filter
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>
>>> # defences
>>> iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
>>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
>>> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
>>>
>>> #Allow established sessions to continue
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>>
>>> ########################
>>>
>>> I am using squid as gateway, all the pc are on public IP and Squid is also
>>> on public IP as Gateway PC. ( was working as transparent cache, but wanted
>>> to use the Tproxy )
>>>
>>> Rgds,
>>>
>>> ________________________________________
>>> -----Original Message-----
>>> From: "Ritter, Nicholas" <Nicholas.Ritter_at_americantv.com>
>>> To: "Manish govindji" <manish_at_mcc.co.tz>
>>> Cc: "squid-users" <squid-users_at_squid-cache.org>
>>> Date: 27-05-2009 18:47
>>> Subject: RE: squid with tproxy
>>> Port 3128, or 1328? The default port is 3128, but is configurable.
>>>
>>>
>>> Your rules are not right...you are marking, as you should, but not
>>> redirecting to the squid port. In addition to sending the output of the raw
>>> iptables command, send the contents of /etc/sysconfig/iptables.
>>>
>>> I think the problem is partly in the rules setup. Are you using wccp as
>>> well, and/or a gre interface?
>>>
>>> Also, make sure you have Full NAT enabled in the kernel. Looks like that is
>>> ok though.
>>>
>>>
>>> ________________________________________
>>> From: Manish govindji [mailto:manish_at_mcc.co.tz]
>>> Sent: Wednesday, May 27, 2009 6:06 AM
>>> To: Nicholas.Ritter_at_americantv.com
>>> Subject: squid with tproxy
>>>
>>> Hello Nicholas,
>>>
>>> I have been trying to compile squid with tproxy but am failing, have
>>> searched all over Google but nothing of help.
>>>
>>> I have CentOS 5.3, installed custom kernel 2.6.28, and iptables 1.4.3,
>>> squid 3.1
>>>
>>> In compiling the custom kernel, I copied the old config and added the below
>>> :-
>>>
>>> NF_CONNTRACK
>>> NETFILTER_TPROXY
>>> NETFILTER_XT_MATCH_SOCKET
>>> NETFILTER_XT_TARGET_TPROXY
>>>
>>> When I do iptables stat :-
>>>
>>> [root_at_gateway ~]# iptables -t mangle -L -v -n
>>> Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>
>>> Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>
>>> Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>
>>> Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>
>>> Chain DIVERT (0 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xor 0x1
>>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>
>>> The packets do not get to squid, on port 1328, even if I kill squid the pc can
>>> still browse.
>>>
>>> Can you help? If I am missing a step or something is not right, I have
>>> followed the latest steps in the wiki.
>>>
>>>
>>> Rgds,
>>>
>>> Manish.
>>>
>>>
>>>
>>>
>>>
>>> $=========================$
>>> Manish P. Govindji.
>>> Modern Computer Centre Ltd.
>>> P. O. Box 4225, Zanzibar, Tanzania.
>>> tel: +255.24.2235928 / 9, fax: +255.24.2230343
>>> manish_at_mcc.co.tz
>>> ................................
>>> "Every man dies. Not every man lives."

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
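Added example, not code from the thread or from the Squid project: the TPROXYv4 rule set that the thread converges on (DIVERT chain, `-m socket` match, `TPROXY` target, and the fwmark policy route) printed from one function so it can be reviewed before being run as root, plus a checker that reads an `iptables -t mangle -L -v -n` listing on stdin and reports the symptom visible in Manish's paste: a DIVERT chain with 0 references and an empty PREROUTING chain. Assumptions: `SQUID_TPROXY_PORT` (default 3129, as in the rc.local script) must match the `tproxy` http_port in squid.conf, and both sample listings are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid project.
# Assumption: SQUID_TPROXY_PORT equals the port of the `tproxy` http_port
# line in squid.conf; 3129 is the value used by the thread's rc.local.
SQUID_TPROXY_PORT="${SQUID_TPROXY_PORT:-3129}"

# Print the rule commands instead of running them, so they can be reviewed
# and then piped to sh as root on the gateway.
tproxy_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.lo.rp_filter=0
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $SQUID_TPROXY_PORT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Read a mangle-table listing on stdin, print one line per problem found,
# and return the number of problems (0 and "ok" when the chains look complete).
check_mangle_listing() {
  listing=$(cat)
  problems=0
  # Keep only the rules between the PREROUTING header and the next chain header.
  prerouting=$(printf '%s\n' "$listing" |
    awk '/^Chain PREROUTING/ {f=1; next} /^Chain / {f=0} f')
  if printf '%s\n' "$listing" | grep -q 'Chain DIVERT (0 references)'; then
    echo "DIVERT is defined but has 0 references: no PREROUTING rule jumps to it"
    problems=$((problems + 1))
  fi
  if ! printf '%s\n' "$prerouting" | grep -q 'TPROXY'; then
    echo "no TPROXY rule in PREROUTING: port-80 traffic is not redirected to squid"
    problems=$((problems + 1))
  fi
  if ! printf '%s\n' "$prerouting" | grep -q 'socket'; then
    echo "no socket match in PREROUTING: packets for existing proxied sockets are not marked"
    problems=$((problems + 1))
  fi
  if [ "$problems" -eq 0 ]; then echo ok; fi
  return "$problems"
}

# Constructed sample with the shape of Manish's listing (empty PREROUTING,
# DIVERT present but never referenced), trimmed to the two relevant chains.
SAMPLE_BAD=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Constructed sample of what the same two chains list once both PREROUTING
# rules are installed.
SAMPLE_GOOD=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 10 packets, 1000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    2   120 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   240 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
    4   240 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Stand-alone run: diagnose the bad sample (the return value is the problem count).
printf '%s\n' "$SAMPLE_BAD" | check_mangle_listing || :
```

On a live gateway, `iptables -t mangle -L -v -n | check_mangle_listing` gives the same report. A listing like the bad sample, produced right after an rc.local that appends both PREROUTING rules, means those two `iptables` invocations failed while the DIVERT ones succeeded; the usual cause is an iptables or kernel build without the `socket` match and `TPROXY` target, which is exactly the version combination the Tproxy4 feature page linked above spells out, so checking the exit status of each rule command in rc.local is worth adding before chasing squid.conf.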
Received on Fri May 29 2009 - 01:44:23 MDT
