Re: [squid-users] wccpv2+squid3.1+tproxy4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Sep 2009 15:45:54 +1200

On Mon, 21 Sep 2009 06:34:07 +0300, Haralds.Ulmanis_at_telcobalt.net wrote:
> Got it working, but the IP is not spoofed (opened a web site to show my actual IP).
>
> Here is my configuration.
> linux (iptables v1.4.3.2, kernel Linux version 2.6.30-gentoo-r4):
>
> modprobe ip_gre
> ip tunnel add wccp2 mode gre remote <cisco wccp routerid> local xx.xx.xx.xx dev eth0
> ip addr add 127.0.0.2 dev wccp2
> ip link set wccp2 up
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -i wccp2 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #rp is set to 0
>
> squid.conf:
> (Squid Cache: Version 3.1.0.13
> configure options: '--prefix=/usr' '--host=x86_64-pc-linux-gnu'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib'
> '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid'
> '--localstatedir=/var' '--datadir=/usr/share/squid'
> '--with-logdir=/var/log/squid' '--with-default-user=squid'
> '--enable-auth=basic,digest,negotiate,ntlm'
> '--enable-removal-policies=lru,heap'
> '--enable-digest-auth-helpers=password'
> '--enable-basic-auth-helpers=DB,PAM,LDAP,getpwnam,NCSA,MSNT'
> '--enable-external-acl-helpers=ldap_group,ip_user,session,unix_group'
> '--enable-ntlm-auth-helpers=fakeauth' '--enable-negotiate-auth-helpers='
> '--enable-useragent-log' '--enable-cache-digests' '--enable-delay-pools'
> '--enable-referer-log' '--enable-arp-acl' '--with-large-files'
> '--with-filedescriptors=8192'

> '--disable-caps'

'caps' is the libcap library required to give Squid TPROXY socket
privileges.

Rebuild Squid with that library.

The rest looks passable.

Amos
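As an added check (not part of this thread or of Squid's own code), assuming Linux with procfs: the program below reads the effective capability set from /proc/self/status and then attempts the IP_TRANSPARENT setsockopt that every TPROXY socket needs. Without CAP_NET_ADMIN the kernel answers EPERM, which is why a Squid built with --disable-caps cannot keep that capability after dropping root and silently falls back to non-spoofed connections.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_ADMIN_BIT 12   /* Linux capability number of CAP_NET_ADMIN */

/* Parse CapEff from /proc/self/status. Returns 1 if CAP_NET_ADMIN is in the
 * effective set, 0 if not, -1 if procfs is unavailable (non-Linux). */
int has_cap_net_admin(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int held = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            held = (int)((caps >> CAP_NET_ADMIN_BIT) & 1ULL);
            break;
        }
    }
    fclose(f);
    return held;
}

/* Do what Squid must do on every TPROXY client socket: set IP_TRANSPARENT.
 * Returns 0 on success, otherwise errno (EPERM when CAP_NET_ADMIN is missing). */
int try_ip_transparent(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int one = 1;
    int err = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(void)
{
    int cap = has_cap_net_admin();
    int err = try_ip_transparent();
    printf("CAP_NET_ADMIN: %s\n", cap == 1 ? "held" : cap == 0 ? "not held" : "unknown");
    printf("IP_TRANSPARENT: %s\n", err == 0 ? "ok" : strerror(err));
    return err == 0 ? 0 : 1;
}
```

Run it as the user Squid drops to (the --with-default-user account) to see exactly what Squid sees: "held"/"ok" means TPROXY spoofing can work, "not held"/"Operation not permitted" means the capability did not survive the privilege drop.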
Received on Mon Sep 21 2009 - 03:46:02 MDT