[squid-users] TPROXY 4

From: Farhad Ibragimov <inara.ibragimova_at_gmail.com>
Date: Mon, 31 Aug 2009 01:00:46 +0500

Hello,

I am having some trouble redirecting port 80 traffic to 3129 using
tproxy for transparent proxying.
The SYNs come in but there is no SYN-ACK going out.

Please help me!!!!!

My server has only one single interface with global IP addresses, which
connects directly to the internet.

Detailed information from my server

#######################################################################
Squid Cache: Version 3.1.0.13
configure options: '--enable-linux-netfilter' '--prefix=/squid/' --with-squid=/src/squid-3.1.0.13 --enable-ltdl-convenience
[root_at_proxymain sysconfig]# cat /squid/etc/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl test src 85.132.47.0/24
acl test2 src 85.132.32.0/24
acl test3 src 62.212.227.0/24
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3129
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow test
http_access allow test2
http_access allow test3
http_access deny all
http_port 3128
http_port 3129 tproxy
hierarchy_stoplist cgi-bin ?
coredump_dir /squid/var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
visible_hostname proxymain
cache_dir ufs /cache 6000 16 256
######################################################################
[root_at_proxymain sysconfig]# iptables -V (DOWNLOADED FROM NETFILTER.ORG - NOT PATCHED)
iptables v1.4.3
#######################################################################
[root_at_proxymain sysconfig]# uname -a (DOWNLOADED FROM KERNEL.ORG - WITHOUT ANY PATCHES FROM BALABIT)
Linux 2.6.30.5-second #1 SMP Sun Aug 30 22:45:27 AZST 2009 x86_64 x86_64 x86_64 GNU/Linux
#######################################################################
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK xset 0x1/0xffffffff
ACCEPT all -- anywhere anywhere
#######################################################################

[root_at_proxymain sysconfig]# ip rule ls
0: from all lookup 255
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
#####################################################################
[root_at_proxymain sysconfig]# ip route ls table 100
local default dev lo scope host
#####################################################################

[root_at_proxymain sysconfig]# lsmod | egrep "xt|nf"
nf_nat 18924 1 iptable_nat
nf_conntrack_ipv4 14448 3 iptable_nat,nf_nat
xt_TPROXY 2616 1
xt_tcpudp 3544 1
xt_MARK 3064 1
xt_socket 2904 1
nf_tproxy_core 3160 2 xt_TPROXY,xt_socket,[permanent]
nf_conntrack 68208 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
nf_defrag_ipv4 2456 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
x_tables 22624 6 iptable_nat,ip_tables,xt_TPROXY,xt_tcpudp,xt_MARK,xt_socket
i2c_nforce2 7768 0
i2c_core 25568 1 i2c_nforce2
ext3 123528 2
jbd 46848 1 ext3
######################################################################
[root_at_proxymain sysconfig]# tcpdump -nn -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 win 65535
00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . ack 413 win 6432
00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 0,nop,wscale 7>
#######################################################################
2009/08/30 23:31:56| Starting Squid Cache version 3.1.0.13 for x86_64-unknown-linux-gnu...
2009/08/30 23:31:56| Process ID 12787
2009/08/30 23:31:56| With 1024 file descriptors available
2009/08/30 23:31:56| Initializing IP Cache...
2009/08/30 23:31:56| DNS Socket created at 0.0.0.0, FD 7
2009/08/30 23:31:56| Adding domain caspel.com from /etc/resolv.conf
2009/08/30 23:31:56| Adding nameserver 85.132.32.41 from /etc/resolv.conf
2009/08/30 23:31:56| Adding nameserver 85.132.32.42 from /etc/resolv.conf
2009/08/30 23:31:56| Unlinkd pipe opened on FD 12
2009/08/30 23:31:56| Store logging disabled
2009/08/30 23:31:56| Swap maxSize 6144000 + 262144 KB, estimated 492780 objects
2009/08/30 23:31:56| Target number of buckets: 24639
2009/08/30 23:31:56| Using 32768 Store buckets
2009/08/30 23:31:56| Max Mem size: 262144 KB
2009/08/30 23:31:56| Max Swap size: 6144000 KB
2009/08/30 23:31:56| Version 1 of swap file without LFS support detected...
2009/08/30 23:31:56| Rebuilding storage in /cache (CLEAN)
2009/08/30 23:31:56| Using Least Load store dir selection
2009/08/30 23:31:56| Set Current Directory to /squid/var/cache
2009/08/30 23:31:56| Loaded Icons.
2009/08/30 23:31:56| Accepting HTTP connections at 0.0.0.0:3128, FD 15.
2009/08/30 23:31:56| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 16.
2009/08/30 23:31:56| HTCP Disabled.
2009/08/30 23:31:56| Squid modules loaded: 0
2009/08/30 23:31:56| Ready to serve requests.
2009/08/30 23:31:56| Done reading /cache swaplog (0 entries)
2009/08/30 23:31:56| Finished rebuilding storage from disk.
2009/08/30 23:31:56| 0 Entries scanned
2009/08/30 23:31:56| 0 Invalid entries.
2009/08/30 23:31:56| 0 With invalid flags.
2009/08/30 23:31:56| 0 Objects loaded.
2009/08/30 23:31:56| 0 Objects expired.
2009/08/30 23:31:56| 0 Objects cancelled.
2009/08/30 23:31:56| 0 Duplicate URLs purged.
2009/08/30 23:31:56| 0 Swapfile clashes avoided.
2009/08/30 23:31:56| Took 0.01 seconds ( 0.00 objects/sec).
2009/08/30 23:31:56| Beginning Validation Procedure
2009/08/30 23:31:56| Completed Validation Procedure
2009/08/30 23:31:56| Validated 25 Entries
2009/08/30 23:31:56| store_swap_size = 0
2009/08/30 23:31:57| storeLateRelease: released 0 objects
[root_at_proxymain sysconfig]#

1251655621.226 155982 85.132.32.40 TCP_MISS/503 4143 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org text/html
1251655621.226 107693 85.132.47.219 TCP_MISS/503 4151 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org text/html
1251655621.230 0 85.132.32.40 TCP_MISS/503 4143 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org text/html
1251655646.107 6457 85.132.47.219 TCP_MISS/000 0 GET http://www.google.az/ - DIRECT/www.google.az -
1251655658.226 60014 85.132.47.219 TCP_MISS/504 4510 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/safebrowsing.clients.google.com text/html
1251656346.912 21227 85.132.32.40 TCP_MISS/000 0 GET http://194.87.0.50/ - DIRECT/194.87.0.50 -
1251656526.724 179798 85.132.32.40 TCP_MISS/504 3977 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
1251656586.724 59968 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
1251656867.544 88637 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
1251657043.812 176266 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
1251657101.539 60109 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
1251657207.136 64675 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
1251657387.522 180384 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
1251657567.525 179983 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
1251657569.936 9407 85.132.47.219 TCP_MISS/000 0 GET http://85.132.32.34/ - DIRECT/85.132.32.34 -
1251657725.527 180669 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
1251657905.534 179988 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
1251658194.669 112560 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
1251658283.066 88394 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
1251658463.543 180476 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
1251658643.547 179986 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
1251659072.554 60493 85.132.32.40 TCP_MISS/504 4473 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/74.125.87.100 text/html
1251659703.563 181155 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html

-- 
Best regards,
 Farhad                          mailto:inara.ibragimova_at_gmail.com
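The tcpdump capture in the post contains two flows: the client's connection to port 80, which gets its SYN-ACK and exchanges data, and a second SYN towards 194.87.0.50:80 that carries the client's own address 85.132.32.40 as its source (the address spoofing that the `tproxy` listener on 3129 performs, per the "Accepting spoofing HTTP connections" line in cache.log) and is re-sent four times without ever being answered. Picking that stalled leg out of a larger capture by eye is tedious, so the following script is added here as an example; it is not part of the original post or of Squid. It groups tcpdump text lines into flows keyed by the side that sent the SYN and reports, per flow, whether a SYN-ACK was seen and how often the SYN was retransmitted. It reads the classic flag format shown in the post (`S`, `.`, `P` plus an `ack N` token) and, as an assumption about newer tcpdump releases, the bracketed `Flags [S.]` format; it assumes numeric addresses and ports, i.e. a capture taken with `-nn` as above. The sample lines are copied from the capture in the post.

```python
"""Classify TCP handshakes in tcpdump text output (added example)."""
import re
from dataclasses import dataclass, field

# One line per packet, e.g.
#   00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S 3187993921:3187993921(0) win 65535 ...
# Classic tcpdump prints flags as bare letters and marks ACK with "ack N";
# newer releases print "Flags [S.]" (assumed format, not taken from the post).
_PKT = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<newflags>[A-Z.]+)\]|(?P<oldflags>[A-Z.]+))"
    r"(?P<rest>.*)$"
)
_ACK_TOKEN = re.compile(r"\back \d+")  # word boundary keeps "sackOK" from matching


def _ts_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Flow:
    client: tuple                     # (ip, port) of the side that sent the SYN
    server: tuple                     # (ip, port) the SYN was addressed to
    syn_count: int = 0
    syn_times: list = field(default_factory=list)
    synack_seen: bool = False
    data_seen: bool = False

    def stalled(self) -> bool:
        """A SYN was sent but no SYN-ACK ever came back."""
        return self.syn_count > 0 and not self.synack_seen

    def syn_span(self) -> float:
        """Seconds between the first and the last SYN (0.0 for a single SYN)."""
        if len(self.syn_times) < 2:
            return 0.0
        return round(self.syn_times[-1] - self.syn_times[0], 6)

    def describe(self) -> str:
        ends = f"{self.client[0]}:{self.client[1]} -> {self.server[0]}:{self.server[1]}"
        if self.synack_seen:
            state = "SYN-ACK seen" + (", data exchanged" if self.data_seen else "")
        else:
            state = f"no SYN-ACK after {self.syn_count} SYN(s) over {self.syn_span():.1f} s"
        return f"{ends}: {state}"


def parse_flows(lines):
    """Return {(client, server): Flow} built from tcpdump text lines."""
    flows = {}
    for line in lines:
        m = _PKT.match(line.strip())
        if not m:
            continue  # skips "listening on eth0 ..." and other non-packet lines
        flags = m.group("newflags") or m.group("oldflags")
        # Classic format: "." means no flag bits, ACK is the "ack N" token.
        # Bracketed format: "." inside the brackets is the ACK bit itself.
        if m.group("oldflags"):
            is_ack = _ACK_TOKEN.search(m.group("rest")) is not None
        else:
            is_ack = "." in flags
        src = (m.group("src"), int(m.group("sport")))
        dst = (m.group("dst"), int(m.group("dport")))
        if "S" in flags and not is_ack:          # SYN: opens (or retransmits) a flow
            fl = flows.setdefault((src, dst), Flow(src, dst))
            fl.syn_count += 1
            fl.syn_times.append(_ts_seconds(m.group("ts")))
        elif "S" in flags and is_ack:            # SYN-ACK: travels server -> client
            fl = flows.setdefault((dst, src), Flow(dst, src))
            fl.synack_seen = True
        else:                                    # any later segment of a known flow
            fl = flows.get((src, dst)) or flows.get((dst, src))
            if fl is not None and "P" in flags:
                fl.data_seen = True
    return flows


def stalled_flows(lines):
    """Descriptions of flows whose SYN was never answered."""
    return [f.describe() for f in parse_flows(lines).values() if f.stalled()]


# Copied from the tcpdump output in the post above.
SAMPLE_CAPTURE = """\
00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 win 65535
00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . ack 413 win 6432
00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 0,nop,wscale 7>
"""

if __name__ == "__main__":
    for flow in parse_flows(SAMPLE_CAPTURE.splitlines()).values():
        print(flow.describe())
```

Run against the post's capture it prints one completed flow (85.132.32.40:1532 -> 85.132.32.34:80) and one stalled flow, 85.132.32.40:42747 -> 194.87.0.50:80 with four SYNs spread over about 21 seconds, the 3/6/12 second gaps being the kernel's SYN retransmission backoff. A flow that the proxy accepted but whose outbound leg stalls is the signature to look for when a `tproxy` setup half-works; the same script can be fed `tcpdump -nn -l` output from both the client-facing and the upstream side to see on which side the reply goes missing.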
Received on Sun Aug 30 2009 - 20:00:58 MDT

This archive was generated by hypermail 2.2.0 : Mon Aug 31 2009 - 12:00:03 MDT