Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Dan <dan_at_jisp.net>
Date: Thu, 29 Oct 2009 14:11:32 -0500

Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9

Marko Kotar wrote:
> Just curious which kernel version are you using?
>
> --- On Thu, 10/29/09, Dan <dan_at_jisp.net> wrote:
>
>> From: Dan <dan_at_jisp.net>
>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>> To: "Marko Kotar" <kotarmarko_at_yahoo.com>
>> Cc: squid-users_at_squid-cache.org
>> Date: Thursday, October 29, 2009, 5:24 PM
>> Those are the same ebtable and iptable rules that I am using except that I use DROP.
>> If it is working for you then that is great. :) As for why it works that way I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid.
>>
>> Dan
>>
>> Marko Kotar wrote:
>>
>>> Ok
>>> My ebtable rules are (without -i option):
>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>>>
>>> This might be the difference:
>>> Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address assigned.
>>> ifconfig eth0 up promisc
>>> ...
>>> bridge interface is configured with dhclient:
>>> dhclient3 br0
>>>
>>> These rules are for the routing:
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>> And:
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> iptables are:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> squid configuration is default, except
>>> acl allow all
>>> and port is set to the same address as in iptables, and having TPROXY set.
>>>
>>> I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
>>> Squid Cache: Version 3.1.0.14
>>> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
>>> configured only with additional linux-netfilter flag
>>>
>>> I've used various network configurations:
>>> -virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
>>> -computer with two interfaces.
>>> -double bridged vmbox: two virtual machines: first having 2 virtual interfaces, bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.
>>> Drop didn't work in any of them, accept was tested only in first.
>>>
>>> I think that's all the settings I have.
>>>
>>> --- On Wed, 10/28/09, Dan <dan_at_jisp.net> wrote:
>>>
>>>> From: Dan <dan_at_jisp.net>
>>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarmarko_at_yahoo.com>, squid-users_at_squid-cache.org
>>>> Date: Wednesday, October 28, 2009, 9:21 PM
>>>> Marko Kotar wrote:
>>>>
>>>>> Thanks.
>>>>>
>>>>> "redirect
>>>>> The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
>>>>> --redirect-target target
>>>>> Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."
>>>>>
>>>>> I think: If accept is used it goes in the tproxy because dst mac is changed to bridge address. (So it goes up as it would if client had gateway configured to that machine?) But should drop also work?
>>>>
>>>> I decided to test it. I changed my rule to ACCEPT and traffic passes but not through the proxy. My access.log shows no new traffic after changing the rule. DROP is what passes the frame off to iptables. Could you show all your rules? If squid is receiving the traffic the only thing I can think of is that maybe there is another rule further down the chain that causes the frame to be routed.
>>>>
>>>>> I have tried drop but it didn't work. I didn't get through any traffic.
>>>>> If I didn't use any of ebtable rules it went through.
>>>>> But accept works. --- On Wed, 10/28/09, Dan <dan_at_jisp.net> wrote:
>>>>>
>>>>>> From: Dan <dan_at_jisp.net>
>>>>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>>>> To: "Marko Kotar" <kotarmarko_at_yahoo.com>
>>>>>> Cc: squid-users_at_squid-cache.org
>>>>>> Date: Wednesday, October 28, 2009, 1:03 AM
>>>>>> Marko Kotar wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> You have incorrect commands in squid wiki for tproxy4 ebtables:
>>>>>>> I figured out that it is not "--redirect-target DROP" but it is "--redirect-target ACCEPT".
>>>>>>
>>>>>> With ebtables using broute ACCEPT and DROP have special meanings. DROP means route the frame and ACCEPT means bridge the frame.
>>>>>> http://ebtables.sourceforge.net/misc/ebtables-man.html
>>>>>>
>>>>>>> There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
>>>>>>> Thanks for the guide.
>>>>>>> Marko
>>>>>>
>>>>>> Dan
Received on Thu Oct 29 2009 - 19:11:56 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 30 2009 - 12:00:03 MDT
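The rule set quoted in the thread above (the ebtables broute redirect, the fwmark policy route, the DIVERT and TPROXY chains in the mangle table, and the two sysctls) only works when its pieces agree with each other: the TPROXY mark has to match the fwmark rule, the table that rule looks up has to hold the local route on lo, the socket match should come before the TPROXY rule, and the ebtables target extension name is case-sensitive. The checker below is an added example, not code from this thread, the Squid wiki, or the ebtables/iptables projects. Its sample input is Marko's posted rules joined back onto one line per command, the DROP-routes/ACCEPT-bridges semantics are taken from the ebtables man page text quoted in the thread, and the function and constant names are my own. It parses the commands offline and never applies them.

```python
import shlex

# Constructed sample: the rules Marko posted in this thread (his
# --redirect-target ACCEPT variant), one command per line.
SAMPLE_RULES = """
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
"""

RP_FILTER_LO = "/proc/sys/net/ipv4/conf/lo/rp_filter"
IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"


def _opt(argv, name):
    """Value following option `name` in argv, or None if it is absent."""
    if name in argv and argv.index(name) + 1 < len(argv):
        return argv[argv.index(name) + 1]
    return None


def _int(text):
    return int(text, 0)  # accepts both "1" and "0x1"


def lint_tproxy_rules(text):
    """Cross-check a bridged-TPROXY rule set; returns a list of (severity, message)."""
    findings = []
    fwmark_tables = {}         # fwmark value -> routing table the ip rule looks up
    local_route_tables = set()  # tables that carry "local 0.0.0.0/0 dev lo"
    set_marks, tproxy_rules = set(), []
    prerouting = []            # (has "-m socket", target) for mangle PREROUTING, in order
    sysctl = {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)   # ">" in the echo lines is just another word here
        if not argv:
            continue
        tool = argv[0]
        if tool == "ebtables" and "BROUTING" in argv:
            target = _opt(argv, "-j")
            if target is None or target.lower() != "redirect":
                findings.append(("warn", "BROUTING rule does not use the redirect target: " + line))
            elif target != "redirect":
                findings.append(("error", "ebtables target extensions are lowercase: "
                                 "'-j redirect', not '-j %s'" % target))
            else:
                rt = _opt(argv, "--redirect-target") or "ACCEPT"  # man page: default is ACCEPT
                if rt == "DROP":
                    findings.append(("info", "redirect-target DROP: frame is routed, so it can "
                                     "reach iptables PREROUTING and the TPROXY rule"))
                elif rt == "ACCEPT":
                    findings.append(("warn", "redirect-target ACCEPT: per the ebtables man page "
                                     "the frame is bridged, not routed"))
        elif tool == "ip" and argv[1:3] == ["rule", "add"] and _opt(argv, "fwmark"):
            fwmark_tables[_int(_opt(argv, "fwmark"))] = _opt(argv, "lookup") or _opt(argv, "table")
        elif tool == "ip" and argv[1:3] == ["route", "add"] and "local" in argv and _opt(argv, "dev") == "lo":
            local_route_tables.add(_opt(argv, "table"))
        elif tool == "echo" and ">" in argv:
            sysctl[argv[-1]] = argv[1]
        elif tool == "iptables" and _opt(argv, "-t") == "mangle":
            target = _opt(argv, "-j")
            if target == "MARK" and _opt(argv, "--set-mark"):
                set_marks.add(_int(_opt(argv, "--set-mark").split("/")[0]))
            if _opt(argv, "-A") == "PREROUTING":
                prerouting.append((_opt(argv, "-m") == "socket", target))
                if target == "TPROXY":
                    value, _, mask = (_opt(argv, "--tproxy-mark") or "0").partition("/")
                    tproxy_rules.append((_int(value), _int(mask or "0xffffffff"), _opt(argv, "--on-port")))
    # Cross-checks between the pieces.
    if not tproxy_rules:
        findings.append(("error", "no TPROXY rule in mangle PREROUTING"))
    for value, mask, port in tproxy_rules:
        if value & mask not in fwmark_tables:
            findings.append(("error", "TPROXY mark %#x/%#x has no matching 'ip rule add fwmark ... lookup'" % (value, mask)))
        if port is None:
            findings.append(("error", "TPROXY rule lacks --on-port"))
    for mark in set_marks:
        if mark not in fwmark_tables:
            findings.append(("error", "MARK --set-mark %d is not routed by any fwmark rule" % mark))
    for mark, table in fwmark_tables.items():
        if table not in local_route_tables:
            findings.append(("error", "table %s (fwmark %d) has no 'local 0.0.0.0/0 dev lo' route" % (table, mark)))
    socket_pos = [i for i, (sock, _) in enumerate(prerouting) if sock]
    tproxy_pos = [i for i, (_, t) in enumerate(prerouting) if t == "TPROXY"]
    if tproxy_pos and (not socket_pos or socket_pos[0] > tproxy_pos[0]):
        findings.append(("warn", "no '-m socket' rule before the TPROXY rule: packets of already "
                         "proxied connections are not diverted first"))
    if sysctl.get(RP_FILTER_LO) != "0":
        findings.append(("warn", "rp_filter on lo is not disabled (echo 0 > %s)" % RP_FILTER_LO))
    if sysctl.get(IP_FORWARD) != "1":
        findings.append(("warn", "ip_forward is not enabled (echo 1 > %s)" % IP_FORWARD))
    return findings


def worst(findings):
    """'error', 'warn', 'info' or 'ok' for a findings list."""
    for level in ("error", "warn", "info"):
        if any(sev == level for sev, _ in findings):
            return level
    return "ok"


if __name__ == "__main__":
    for sev, msg in lint_tproxy_rules(SAMPLE_RULES):
        print(sev.upper(), msg)
```

Run against the posted rules it reports only the two "frame is bridged" warnings for the ACCEPT targets; swapping them for DROP turns those into informational lines with nothing else flagged, and writing `-j REDIRECT` in capitals is reported as an error, which is the wiki mistake Marko pointed out.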