Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Irvan Adrian K <irvan_at_grahamedia.net.id>
Date: Mon, 09 Nov 2009 18:48:23 +0700

So, What the solution for these threads ? because i'm in the same trouble to make TPROXY4 work in UBUNTU 9.10 Server

I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9, and until now, following the
manual in http://wiki.squid-cache.org, like this :

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80
-j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j
redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
  echo 0 > $i
done
unset i

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
0x1/0x1 --on-port 3129

squid configuration is default, except
acl allow all

After following like above, the iptables counter was increasing redirecting to TPROXY, but there was nothing
in the squid, i can't open anything..

But if i change the ebtables --redirect-target ACCEPT, the connection running, but the packet just bridged
nothing came to Squid, just like nothing on there..

There some one can give the clue, thanks in advance..

R

Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9

Marko Kotar wrote:

Just curious which kernel version are u using?

--- On Thu, 10/29/09, Dan <d..._at_jisp.net> wrote:

From: Dan <d..._at_jisp.net>
Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarma..._at_yahoo.com>
Cc: squid-users_at_squid-cache.org
Date: Thursday, October 29, 2009, 5:24 PM
Those are the same ebtable and

iptable rules that I am using except that I use DROP. If it is working
for you then that is great. :) As for why

it works that way I don't know. When I use ACCEPT the
traffic is bridged through and not redirected to squid.

Thanks,

Irvan Adrian

Marko Kotar wrote:

    Ok
    My ebtable rules are(without -i option):
    ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp
      

--ip-dport 80 -j redirect --redirect-target ACCEPT

      ebtables -t broute -A BROUTING -p ipv4
      

--ip-proto tcp --ip-sport 80 -j redirect --redirect-target
ACCEPT

    This might be the different:
    Bridge is up and it is having an ip address. Ethernet
      

interfaces are up but not having any ip address asigned.

    ifconfig eth0 up promisc
    ...
    bridge interface is configured with dhclient:
    dhclient3 br0

    This rules are for the routing;
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
    And:
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables are:
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j
      

DIVERT

    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j
      

TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

    squid configuration is default, except
    acl allow all
    and port is set to the same address as in iptables,
      

and having TPROXY set.

    I am using: 2.6.28-16-server x86_64 ubuntu, default or
      

compiled ebtables v2.0.9-1 (June 2009), compiled iptables
v1.4.5,

    Squid Cache: Version 3.1.0.14
    configure options: '--enable-linux-netfilter'
      

--with-squid=/home/marko/src/squid-3.1.0.14
--enable-ltdl-convenience

    configured ony with additional linux-netfilter flag

    I've used various network configurations:
    -virtual computer using VmBox with virtual interface
      

in the linux bridge on guest pc.

    -computer with two interfaces.
    -double bridged vmbox: two virtual machines: first
      

having 2 virtual interfaces. birdged and having sqiud.
second virtual pc being client with one virtual interface.
one interface of first was bridged on guest computer to
external interface, other two were bridged together.

    Drop didn't work in any of them, accept was tested
      

only in first.

      i think thats all the settings i have.

    --- On Wed, 10/28/09, Dan <d..._at_jisp.net>
      

wrote:

        From: Dan <d..._at_jisp.net>
        Subject: Re: [squid-users] Tproxy4+squid: ebtables
            

wiki

        To: "Marko Kotar" <kotarma..._at_yahoo.com>,
            

squid-users_at_squid-cache.org

        Date: Wednesday, October 28, 2009, 9:21 PM
        Marko Kotar wrote:
            

            Thanks.

            "redirect

            The redirect target will change the MAC target
                  

address

        to that of the bridge device the frame arrived on.
            

This

        target can only be used in the BROUTING chain of
            

the broute

        table and the PREROUTING chain of the nat table.
            

In the

        BROUTING chain, the MAC address of the bridge port
            

is used

        as destination address, in the PREROUTING chain,
            

the MAC

        address of the bridge is used.
            

            --redirect-target target

                  Specifies the standard
                  

target.

        After doing the MAC redirect, the rule still has
            

to give a

        standard target so ebtables knows what to do. The
            

default

        target is ACCEPT. Making it CONTINUE could let you
            

use

        multiple target extensions on the same frame.
            

Making it DROP

        in the BROUTING chain will let the frames be
            

routed. RETURN

        is also allowed. Note that using RETURN in a base
            

chain is

        not allowed."

            I think: If accept is used it goes in the
                  

tproxy

        because dst mac is changed to bridge address. (So
            

it goes up

        as it would if client had gateway configured
            

to that

        machine?) But is also should drop work?

        I decided to test it. I changed my rule to ACCEPT
            

and

        traffic passes but not through the proxy.

My

        access.log shows no new traffic after changing
            

the

        rule. DROP is what passes the frame off to
        iptables. Could you show all your
            

rules? If

        squid is receiving the traffic the only thing I
            

can think of

        is that maybe there is another rule further down
            

the chain

        that cause the frame to be routed.

            

            I have tryed drop but it didn't work. I didn't
                  

get

        through any traffic.
            

            If i didn't use any of ebtable rules it went
                  

through.

            But accept works. --- On Wed, 10/28/09,
                  

Dan

        <d..._at_jisp.net>
        wrote:
            

                From: Dan <d..._at_jisp.net>
                Subject: Re: [squid-users] Tproxy4+squid:
                        

ebtables

        wiki
            

                To: "Marko Kotar" <kotarma..._at_yahoo.com>
                Cc: squid-users_at_squid-cache.org
                Date: Wednesday, October 28, 2009, 1:03
                        

AM

                Marko Kotar wrote:
                        

                    Hi,
                    You have incorrect commands in squid
                              

wiki for

        tproxy4
            

                ebtables:
                        

                    I figure out that it is not
                              

"--redirect-target

        DROP"
            

                but it is "--redirect-target ACCEPT"
                        

.

                With ebtables using broute ACCEPT and DROP
                        

have

        special
            

                meanings. DROP means route the frame
                        

and

        ACCEPT means bridge the frame.
            

                http://ebtables.sourceforge.net/misc/ebtables-man.html

                        

                    There is a "-j REDIRECT" which should
                              

be in

        lowercase
            

                letters "-j redirect".
                        

                    Thanks for guide.

                    Marko

                              

Dan
Received on Mon Nov 09 2009 - 11:48:51 MST

This archive was generated by hypermail 2.2.0 : Wed Nov 11 2009 - 12:00:03 MST