FW: [squid-users] Tproxy Help // Transparent works fine

From: Alexandre DeAraujo <alexd_at_cal.net>
Date: Tue, 16 Jun 2009 17:06:19 -0700

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, June 15, 2009 9:21 PM
To: Alexandre DeAraujo
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Tproxy Help // Transparent works fine

>Should just be an upgrade Squid to 3.1 release and follow the instructions at:
>http://wiki.squid-cache.org/Features/Tproxy4
>Amos

I downloaded and installed squid-3.1.0.8.tar.gz with the configure build option '--enable-linux-netfilter'.
Made sure squid.conf was configured with
http_port 3128
http_port 3129 tproxy

The following modules are enabled on the kernel config file:
NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY

After typing the following lines:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

my iptables-save output:
# Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
*nat
:PREROUTING ACCEPT [33:2501]
:POSTROUTING ACCEPT [1:76]
:OUTPUT ACCEPT [1:76]
-A PREROUTING -i wccp2 -p tcp -j REDIRECT --to-ports 3128
COMMIT
# Completed on Tue Jun 16 16:16:27 2009
# Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
*mangle
:PREROUTING ACCEPT [35:2653]
:INPUT ACCEPT [158:8713]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [123:11772]
:POSTROUTING ACCEPT [123:11772]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Tue Jun 16 16:16:27 2009

Then I entered the following lines:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward

Client could not browse after that. I see the connections coming in with tcpdump, but all connections just time out.

PS: after compiling squid-3.1.0.8, I did a search for 'tproxy' on the console screen and found this line:
checking for linux/netfilter_ipv4/ip_tproxy.h... no
I don't know if this would have anything to do with it.

Thanks,

Alex
Received on Wed Jun 17 2009 - 00:06:30 MDT
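A configuration audit for the rule set shown in the post above, added to this archive page as a worked example. It is not code from the squid-users thread, from Amos, or from the Squid project. The function names and the sample iptables-save, "ip rule show" and "ip route show table 100" output are constructed to match what the post lists. The script checks that the mangle table contains the DIVERT chain, the socket-match rule, the TPROXY rule for the expected port and mark, and the MARK/ACCEPT pair; that the socket-match rule is ordered before the TPROXY rule, as the Tproxy4 instructions arrange it; and that the fwmark policy rule and the local route on lo exist for the chosen table.

```shell
#!/bin/sh
# Audit iptables-save and iproute2 output for the pieces a Squid TPROXY
# setup needs. Added example for this archive page; not from the thread
# or the Squid project. Sample dumps below are constructed.

# check_tproxy_mangle DUMP PORT MARKHEX
# DUMP is the mangle section of `iptables-save`; PORT is Squid's tproxy
# port; MARKHEX is the mark without the 0x prefix. Prints one line per
# missing or misordered piece and returns 1 if anything is wrong.
check_tproxy_mangle() {
  dump=$1
  port=$2
  mark=$3
  rc=0
  # a DIVERT chain must exist in the mangle table
  printf '%s\n' "$dump" | grep -q -e '^:DIVERT ' \
    || { echo "missing: DIVERT chain"; rc=1; }
  # packets that already belong to a local socket go to DIVERT
  sock=$(printf '%s\n' "$dump" | grep -n -e '^-A PREROUTING .*-m socket -j DIVERT' \
         | cut -d: -f1 | head -n1)
  [ -n "$sock" ] || { echo "missing: -m socket -j DIVERT rule"; rc=1; }
  # new port-80 flows are handed to the tproxy port with the mark set
  tp=$(printf '%s\n' "$dump" \
       | grep -n -e "^-A PREROUTING .*-j TPROXY .*--on-port $port .*--tproxy-mark 0x$mark/0x$mark" \
       | cut -d: -f1 | head -n1)
  [ -n "$tp" ] || { echo "missing: TPROXY rule for port $port mark 0x$mark"; rc=1; }
  # the socket rule must precede the TPROXY rule so that packets of a
  # connection Squid already owns are not redirected a second time
  if [ -n "$sock" ] && [ -n "$tp" ] && [ "$sock" -gt "$tp" ]; then
    echo "misordered: -m socket rule must come before TPROXY rule"
    rc=1
  fi
  # DIVERT sets the same mark and accepts
  printf '%s\n' "$dump" | grep -q -e "^-A DIVERT -j MARK --set-xmark 0x$mark/" \
    || { echo "missing: DIVERT MARK rule"; rc=1; }
  printf '%s\n' "$dump" | grep -q -e '^-A DIVERT -j ACCEPT' \
    || { echo "missing: DIVERT ACCEPT rule"; rc=1; }
  return $rc
}

# check_tproxy_routing RULES ROUTES MARKHEX TABLE
# RULES is `ip rule show` output; ROUTES is `ip route show table TABLE`.
# The marked packets must be looked up in TABLE, which must deliver
# everything locally via lo.
check_tproxy_routing() {
  rules=$1
  routes=$2
  mark=$3
  table=$4
  rc=0
  printf '%s\n' "$rules" | grep -q -e "fwmark 0x$mark lookup $table" \
    || { echo "missing: ip rule fwmark 0x$mark lookup $table"; rc=1; }
  printf '%s\n' "$routes" | grep -q -e '^local default dev lo' \
    || { echo "missing: local default route via lo in table $table"; rc=1; }
  return $rc
}

# Constructed sample: the mangle table as the post's iptables-save shows it
MANGLE_GOOD='*mangle
:PREROUTING ACCEPT [35:2653]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample: the same rules with the socket match placed after TPROXY
MANGLE_MISORDERED='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed samples: policy routing as the two ip commands in the post set it up
RULES_GOOD='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
ROUTES_GOOD='local default dev lo scope host'

# Stand-alone run over the constructed samples
check_tproxy_mangle "$MANGLE_GOOD" 3129 1 && echo "mangle: ok"
check_tproxy_mangle "$MANGLE_MISORDERED" 3129 1 || echo "mangle: problems found"
check_tproxy_routing "$RULES_GOOD" "$ROUTES_GOOD" 1 100 && echo "routing: ok"
```

On a live box the same functions can be fed real output, for example check_tproxy_mangle "$(iptables-save -t mangle)" 3129 1 and check_tproxy_routing "$(ip rule show)" "$(ip route show table 100)" 1 100; a non-zero return with the printed reasons narrows the problem to the netfilter side or the policy-routing side before packet captures are needed.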

This archive was generated by hypermail 2.2.0 : Wed Jun 17 2009 - 12:00:04 MDT