Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Dan <dan_at_jisp.net>
Date: Thu, 29 Oct 2009 11:24:52 -0500

Those are the same ebtable and iptable rules that I am using except that
I use DROP. If it is working for you then that is great. :) As for why
it works that way I don't know. When I use ACCEPT the traffic is
bridged through and not redirected to squid.

Dan

Marko Kotar wrote:
> Ok
> My ebtable rules are (without -i option):
> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>
> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>
> This might be the difference:
> Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address assigned.
> ifconfig eth0 up promisc
> ...
> bridge interface is configured with dhclient:
> dhclient3 br0
>
> These rules are for the routing:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> And:
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> squid configuration is default, except
> acl allow all
> and port is set to the same address as in iptables, and having TPROXY set.
> I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
> Squid Cache: Version 3.1.0.14
> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
> configured only with additional linux-netfilter flag
>
> I've used various network configurations:
> - virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
> - computer with two interfaces.
> - double bridged vmbox: two virtual machines: first having 2 virtual interfaces, bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.
>
> Drop didn't work in any of them, accept was tested only in first.
>
> I think that's all the settings I have.
>
> --- On Wed, 10/28/09, Dan <dan_at_jisp.net> wrote:
>
>> From: Dan <dan_at_jisp.net>
>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>> To: "Marko Kotar" <kotarmarko_at_yahoo.com>, squid-users_at_squid-cache.org
>> Date: Wednesday, October 28, 2009, 9:21 PM
>> Marko Kotar wrote:
>>
>>> Thanks.
>>>
>>> "redirect
>>>
>>> The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
>>>
>>> --redirect-target target
>>>
>>> Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."
>>>
>>> I think: If accept is used it goes in the tproxy because dst mac is changed to bridge address. (So it goes up as it would if client had gateway configured to that machine?) But should drop also work?
>>
>> I decided to test it. I changed my rule to ACCEPT and traffic passes but not through the proxy. My access.log shows no new traffic after changing the rule. DROP is what passes the frame off to iptables. Could you show all your rules? If squid is receiving the traffic the only thing I can think of is that maybe there is another rule further down the chain that causes the frame to be routed.
>>
>>> I have tried drop but it didn't work. I didn't get through any traffic.
>>> If I didn't use any of ebtable rules it went through.
>>> But accept works.
>>>
>>> --- On Wed, 10/28/09, Dan <dan_at_jisp.net> wrote:
>>>
>>>> From: Dan <dan_at_jisp.net>
>>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarmarko_at_yahoo.com>
>>>> Cc: squid-users_at_squid-cache.org
>>>> Date: Wednesday, October 28, 2009, 1:03 AM
>>>> Marko Kotar wrote:
>>>>
>>>>> Hi,
>>>>> You have incorrect commands in squid wiki for tproxy4 ebtables:
>>>>> I figured out that it is not "--redirect-target DROP" but it is "--redirect-target ACCEPT".
>>>>
>>>> With ebtables using broute ACCEPT and DROP have special meanings. DROP means route the frame and ACCEPT means bridge the frame.
>>>> http://ebtables.sourceforge.net/misc/ebtables-man.html
>>>>
>>>>> There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
>>>>>
>>>>> Thanks for the guide.
>>>>>
>>>>> Marko
>>>>
>>>> Dan
>
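A check for the ACCEPT-versus-DROP confusion discussed in this thread, added here as an example and not part of any message: a POSIX shell function that scans an `ebtables -t broute -L` listing and reports redirect rules whose standard target would bridge the frame past squid instead of handing it to the IP stack where the iptables TPROXY rule can see it. The listing text is constructed to mimic ebtables 2.0.9 output.

```shell
#!/bin/sh
# Added example: audit ebtables broute rules on a TPROXY bridge.
# In the broute table a "-j redirect" rule still needs a standard target:
# DROP hands the frame to the IP stack (iptables/TPROXY/squid see it),
# while ACCEPT (the default) bridges it straight through, bypassing squid.

# Constructed sample, shaped like `ebtables -t broute -L` output from
# ebtables 2.0.9; the second rule carries the bypassing target.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT'

# bridged_redirect_rules: reads a broute listing on stdin and prints every
# redirect rule whose standard target is not DROP (frame is bridged, not
# routed). A rule with no explicit --redirect-target defaults to ACCEPT
# and is reported too.
bridged_redirect_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"-j redirect"*"--redirect-target DROP"*) ;;   # routed: fine
            *"-j redirect"*) printf '%s\n' "$line" ;;     # bridged: flag it
        esac
    done
}

# count_bridged_redirects: same input, prints only the number of offenders.
count_bridged_redirects() {
    bridged_redirect_rules | grep -c . || true
}

# On a live bridge host with ebtables available, audit the real table;
# elsewhere (or without root) fall back to the constructed sample.
if [ "$(id -u)" = 0 ] && command -v ebtables >/dev/null 2>&1; then
    listing=$(ebtables -t broute -L 2>/dev/null)
else
    listing=$SAMPLE_LISTING
fi
n=$(printf '%s\n' "$listing" | count_bridged_redirects)
echo "redirect rules that bridge instead of route: $n"
printf '%s\n' "$listing" | bridged_redirect_rules
```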
Received on Thu Oct 29 2009 - 16:25:11 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 29 2009 - 12:00:04 MDT