Re: FW: [squid-users] Tproxy Help // Transparent works fine

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 17 Jun 2009 12:31:17 +1200

On Tue, 16 Jun 2009 17:06:19 -0700, "Alexandre DeAraujo" <alexd_at_cal.net>
wrote:
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Monday, June 15, 2009 9:21 PM
> To: Alexandre DeAraujo
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Tproxy Help // Transparent works fine
>
>> Should just be an upgrade of Squid to the 3.1 release and follow the
>> instructions at:
>> http://wiki.squid-cache.org/Features/Tproxy4
>> Amos
>
> I downloaded and installed squid-3.1.0.8.tar.gz with the configure build
> option '--enable-linux-netfilter'.
> Made sure squid.conf was configured with
> http_port 3128
> http_port 3129 tproxy
>
> The following modules are enabled on the kernel config file:
> NF_CONNTRACK
> NETFILTER_TPROXY
> NETFILTER_XT_MATCH_SOCKET
> NETFILTER_XT_TARGET_TPROXY
>
> After typing the following lines:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> my iptables-save output:
> # Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
> *nat
> :PREROUTING ACCEPT [33:2501]
> :POSTROUTING ACCEPT [1:76]
> :OUTPUT ACCEPT [1:76]
> -A PREROUTING -i wccp2 -p tcp -j REDIRECT --to-ports 3128
> COMMIT
> # Completed on Tue Jun 16 16:16:27 2009
> # Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
> *mangle
> :PREROUTING ACCEPT [35:2653]
> :INPUT ACCEPT [158:8713]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [123:11772]
> :POSTROUTING ACCEPT [123:11772]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> # Completed on Tue Jun 16 16:16:27 2009
>
> Then I entered the following lines:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Client could not browse after that. I see the connections coming in with
> tcpdump, but all connections just time out.
>
> PS: after compiling squid-3.1.0.8, I did a search for 'tproxy' on the
> console screen and found this line:
> checking for linux/netfilter_ipv4/ip_tproxy.h... no
> I don't know if this would have anything to do with it.

No. That is just the Squid build scripts checking that you need tproxy4 instead
of tproxy2.

Does access.log say anything is arriving at Squid?
Are you able to track the packets anywhere else?

Amos
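The setup described in the thread only works when several separate pieces agree: the port on the "http_port N tproxy" line in squid.conf must equal --on-port on the mangle TPROXY rule, the mark set in the DIVERT chain must equal --tproxy-mark and the fwmark the "ip rule" entry matches, the "-m socket" rule must precede the TPROXY rule so already-proxied connections are not re-diverted, and the table the rule selects must carry a "local" route to lo. The following POSIX shell checker is an added example, not code from the thread, from Amos, or from the Squid project. It assumes the live state has been captured as text (squid.conf, "iptables-save -t mangle", "ip rule", "ip route show table N") so it runs offline; the sample inputs are constructed to mirror what was posted above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: offline consistency check of a Squid TPROXY setup.
# Inputs below are constructed to mirror the configuration posted in the thread.

SAMPLE_SQUID_CONF='http_port 3128
http_port 3129 tproxy'

SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [35:2653]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Shape of "ip rule" output (constructed).
SAMPLE_IP_RULE='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main'

# Shape of "ip route show table 100" output (constructed).
SAMPLE_ROUTE_100='local default dev lo scope host'

# Normalise a mark ("1", "0x1", "0x1/0x1") to decimal; prints nothing for empty input.
norm_mark() {
    printf '%s\n' "${1%%/*}" | awk 'NF == 0 { exit } {
        s = tolower($1); v = 0
        if (s ~ /^0x/) { s = substr(s, 3)
            for (i = 1; i <= length(s); i++) v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        } else v = s + 0
        print v }'
}

# Port from the "http_port [host:]N tproxy" line of squid.conf.
squid_tproxy_port() {
    printf '%s\n' "$1" | awk '$1 == "http_port" && $3 == "tproxy" { sub(/^.*:/, "", $2); print $2; exit }'
}

# Value following option $2 (e.g. --on-port) on the first rule whose target is $3.
rule_opt() {
    printf '%s\n' "$1" | awk -v opt="$2" -v tgt="$3" '
        $0 ~ ("-j " tgt "( |$)") { for (i = 1; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }'
}

# Routing table that "ip rule" selects for packets carrying decimal mark $2.
fwmark_table() {
    want=$2
    printf '%s\n' "$1" | while read -r line; do
        set -- $line   # split the rule line into words (word splitting intended)
        hit=0
        while [ $# -gt 1 ]; do
            [ "$1" = fwmark ] && [ "$(norm_mark "$2")" = "$want" ] && hit=1
            [ "$1" = lookup ] && [ "$hit" = 1 ] && printf '%s\n' "$2"
            shift
        done
    done
}

# Cross-check squid.conf, the mangle table, the policy rule and the route table.
# Prints one line per mismatch; returns 0 only when everything agrees.
check_tproxy() {
    conf=$1; mangle=$2; iprule=$3; route=$4; rc=0
    port=$(squid_tproxy_port "$conf")
    on_port=$(rule_opt "$mangle" --on-port TPROXY)
    tmark=$(norm_mark "$(rule_opt "$mangle" --tproxy-mark TPROXY)")
    dmark=$(rule_opt "$mangle" --set-xmark MARK)
    [ -n "$dmark" ] || dmark=$(rule_opt "$mangle" --set-mark MARK)
    dmark=$(norm_mark "$dmark")
    table=$(fwmark_table "$iprule" "$tmark")
    # The "-m socket" rule must come before TPROXY so existing sockets are not re-diverted.
    order=$(printf '%s\n' "$mangle" | awk '/-m socket -j DIVERT/ && !s { s = NR } /-j TPROXY/ && !t { t = NR }
        END { if (s && t && s < t) print "ok"; else print "bad" }')

    [ -n "$port" ] || { echo "squid.conf has no 'http_port N tproxy' line"; rc=1; }
    [ "$on_port" = "$port" ] || { echo "TPROXY --on-port '$on_port' != squid tproxy port '$port'"; rc=1; }
    [ "$order" = ok ] || { echo "'-m socket -j DIVERT' rule missing or after the TPROXY rule"; rc=1; }
    [ -n "$tmark" ] || { echo "TPROXY rule has no --tproxy-mark"; rc=1; }
    [ "$dmark" = "$tmark" ] || { echo "DIVERT mark '$dmark' != --tproxy-mark '$tmark'"; rc=1; }
    [ -n "$table" ] || { echo "no 'ip rule' entry for fwmark '$tmark'"; rc=1; }
    printf '%s\n' "$route" | grep -q '^local ' || { echo "table '$table' has no 'local' route to lo"; rc=1; }
    return $rc
}

# Usage: check_tproxy "$(cat /etc/squid/squid.conf)" "$(iptables-save -t mangle)" "$(ip rule)" "$(ip route show table 100)"
check_tproxy "$SAMPLE_SQUID_CONF" "$SAMPLE_MANGLE" "$SAMPLE_IP_RULE" "$SAMPLE_ROUTE_100" && echo "tproxy wiring consistent"
```

On the posted configuration this reports no mismatch, which is consistent with Amos's follow-up questions: when the wiring agrees, the next place to look is whether anything reaches access.log, and where the packets go after the mangle table. The same four captures are what a practitioner would attach to a list post, so the checker doubles as a collection script.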
Received on Wed Jun 17 2009 - 00:31:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 17 2009 - 12:00:04 MDT