Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Nov 2009 01:41:28 +1300

Irvan Adrian K wrote:
> So, what is the solution for these threads? Because I'm in the same
> trouble trying to make TPROXY4 work on Ubuntu 9.10 Server.
>

Explicit "Server" release or normal? I have recently found that the
kernel for normal Ubuntu is missing some routing features needed on an
end box pretending to be a server.

> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9,
> and until now I have been following the manual at
> http://wiki.squid-cache.org, like this:
>
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0 > $i
> done
> unset i
>
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> squid configuration is default, except
> acl allow all
>
> After following the above, the iptables counters were increasing,
> redirecting to TPROXY, but there was nothing in Squid; I can't open
> anything.
>
> But if I change the ebtables --redirect-target to ACCEPT, the connection
> runs, but the packets are just bridged; nothing comes to Squid, just as
> if nothing were there.

Yes. That is why they are "DROP". In BROUTING it means something like:
DROP off the bridge into the routing code, vs ACCEPT over the bridge.

>
> Is there someone who can give a clue? Thanks in advance.
>
> R
>

Did you build Squid with libcap2-dev installed on the system?

If you start Squid with the -X option is there anything about spoofing
or transparent mentioned?

Amos

>
>
> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>
> Marko Kotar wrote:
>
> Just curious, which kernel version are you using?
>
>
>
> --- On Thu, 10/29/09, Dan <d..._at_jisp.net> wrote:
>
>
> From: Dan <d..._at_jisp.net>
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Marko Kotar" <kotarma..._at_yahoo.com>
> Cc: squid-users_at_squid-cache.org
> Date: Thursday, October 29, 2009, 5:24 PM
> Those are the same ebtables and iptables rules that I am using, except
> that I use DROP. If it is working for you then that is great. :) As for
> why it works that way, I don't know. When I use ACCEPT the traffic is
> bridged through and not redirected to Squid.
>
> Thanks,
>
> Irvan Adrian
>
> Marko Kotar wrote:
>
> Ok
> My ebtables rules are (without -i option):
> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>
> This might be the difference:
> The bridge is up and has an IP address. The Ethernet interfaces are up
> but do not have any IP address assigned.
>
> ifconfig eth0 up promisc
> ...
> The bridge interface is configured with dhclient:
> dhclient3 br0
>
> These rules are for the routing:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> And:
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> squid configuration is default, except
> acl allow all
> and the port is set to the same address as in iptables, and has TPROXY set.
>
> I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled
> ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
>
> Squid Cache: Version 3.1.0.14
> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
>
> configured only with the additional linux-netfilter flag
>
> I've used various network configurations:
> - virtual computer using VmBox with a virtual interface in the Linux
>   bridge on the guest PC.
> - computer with two interfaces.
> - double bridged vmbox: two virtual machines: the first having 2 virtual
>   interfaces, bridged and having Squid; the second virtual PC being the
>   client with one virtual interface. One interface of the first was
>   bridged on the guest computer to the external interface, the other two
>   were bridged together.
>
> Drop didn't work in any of them, accept was tested only in the first.
>
> I think that's all the settings I have.
>
>
> --- On Wed, 10/28/09, Dan <d..._at_jisp.net> wrote:
>
> From: Dan <d..._at_jisp.net>
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Marko Kotar" <kotarma..._at_yahoo.com>, squid-users_at_squid-cache.org
> Date: Wednesday, October 28, 2009, 9:21 PM
> Marko Kotar wrote:
>
> Thanks.
>
> "redirect
> The redirect target will change the MAC target address to that of the
> bridge device the frame arrived on. This target can only be used in the
> BROUTING chain of the broute table and the PREROUTING chain of the nat
> table. In the BROUTING chain, the MAC address of the bridge port is used
> as destination address, in the PREROUTING chain, the MAC address of the
> bridge is used.
> --redirect-target target
> Specifies the standard target. After doing the MAC redirect, the rule
> still has to give a standard target so ebtables knows what to do. The
> default target is ACCEPT. Making it CONTINUE could let you use multiple
> target extensions on the same frame. Making it DROP in the BROUTING
> chain will let the frames be routed. RETURN is also allowed. Note that
> using RETURN in a base chain is not allowed."
>
> I think: If accept is used it goes in the tproxy because dst mac is
> changed to the bridge address. (So it goes up as it would if the client
> had a gateway configured to that machine?) But shouldn't drop also work?
>
> I decided to test it. I changed my rule to ACCEPT and traffic passes
> but not through the proxy. My access.log shows no new traffic after
> changing the rule. DROP is what passes the frame off to iptables. Could
> you show all your rules? If squid is receiving the traffic the only
> thing I can think of is that maybe there is another rule further down
> the chain that causes the frame to be routed.
>
> I have tried drop but it didn't work. I didn't get through any traffic.
> If I didn't use any of the ebtables rules it went through.
> But accept works.
>
> --- On Wed, 10/28/09, Dan <d..._at_jisp.net> wrote:
>
> From: Dan <d..._at_jisp.net>
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Marko Kotar" <kotarma..._at_yahoo.com>
> Cc: squid-users_at_squid-cache.org
> Date: Wednesday, October 28, 2009, 1:03 AM
>
> Marko Kotar wrote:
>
> Hi,
> You have incorrect commands in the squid wiki for tproxy4 ebtables:
>
> I figured out that it is not "--redirect-target DROP" but it is
> "--redirect-target ACCEPT".
>
> With ebtables using broute, ACCEPT and DROP have special meanings.
> DROP means route the frame and ACCEPT means bridge the frame.
> http://ebtables.sourceforge.net/misc/ebtables-man.html
>
> There is a "-j REDIRECT" which should be in lowercase letters
> "-j redirect".
>
> Thanks for the guide.
>
> Marko
>
>
>
>
> Dan
>
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
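The bridge-plus-TPROXY rule set that this thread converges on (Marko's routing and iptables rules, Irvan's sysctls, and the BROUTING `--redirect-target DROP` that Dan and Amos explain), collected into one script as an added example; it is not code from the thread or from the Squid wiki. It defaults to a dry run that prints the commands so the rule set can be reviewed before applying it as root with DRY_RUN=0. The `audit_broute` helper and the `--run`/`--audit` flags are additions of this example: the audit reads rule lines and counts BROUTING redirect rules that use ACCEPT, the setting that bridges port-80 frames past Squid. The sysctl names stand in for the thread's `echo ... > /proc/sys/...` writes and are the standard kernel knobs; port 3129, mark 1 and table 100 are the values from the thread, and like Marko's rules no `-i` interface match is used.

```shell
#!/bin/sh
# Added example: bridge + TPROXY rule set from the thread, with a dry-run mode.
# Defaults are the values used in the thread; override them via the environment.
TPROXY_PORT="${TPROXY_PORT:-3129}"  # squid http_port carrying the tproxy option
MARK="${MARK:-1}"                   # fwmark set by DIVERT / matched by TPROXY
TABLE="${TABLE:-100}"               # routing table that delivers marked packets locally
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute them (needs root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel knobs. The thread zeroes every /proc/sys/net/bridge/* entry; the
# bridge-nf-call-* sysctls are those switches and stop bridged frames from
# being passed through iptables. rp_filter is turned off on lo because the
# "local" route in the TPROXY table delivers packets for foreign destinations
# via lo, which strict reverse-path filtering would discard.
sysctl_rules() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=0
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=0
    run sysctl -w net.bridge.bridge-nf-call-arptables=0
    run sysctl -w net.ipv4.conf.lo.rp_filter=0
    run sysctl -w net.ipv4.ip_forward=1
}

# Bridge side. In the BROUTING chain "DROP" does not discard the frame: it
# takes the frame off the bridge and hands it to the IP routing code, where
# the iptables TPROXY rule below can see it. ACCEPT would bridge it past Squid.
ebtables_rules() {
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
}

# Policy routing: packets carrying the mark are delivered locally (to the
# TPROXY socket) instead of being forwarded.
routing_rules() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Netfilter side: packets that already belong to a Squid socket are marked in
# DIVERT; new port-80 connections are handed to the TPROXY socket.
iptables_rules() {
    hexmark=$(printf '0x%x' "$MARK")
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$hexmark/$hexmark" --on-port "$TPROXY_PORT"
}

# Audit helper (added here): read rule lines on stdin (a dry run, a saved
# firewall script) and count BROUTING redirect rules whose standard target is
# ACCEPT, i.e. rules that bridge port-80 frames past Squid instead of routing them.
audit_broute() {
    grep -- '-t broute' | grep -- '-j redirect' \
        | grep -c -- '--redirect-target ACCEPT' || true
}

# Bring-up order: sysctls, bridge rules, routing, then iptables.
apply_all() {
    sysctl_rules
    ebtables_rules
    routing_rules
    iptables_rules
}

# Usage: sh tproxy-bridge.sh --run             (prints the commands)
#        DRY_RUN=0 sh tproxy-bridge.sh --run   (applies them, as root)
#        sh tproxy-bridge.sh --run | sh tproxy-bridge.sh --audit
case "${1:-}" in
    --run)   apply_all ;;
    --audit) audit_broute ;;
esac
```

Piping the dry-run output through `--audit` should report 0; a rule set that still carries the wiki's old `--redirect-target ACCEPT` reports the number of such rules, which matches the symptom in the thread (counters unchanged, nothing in access.log, traffic bridged straight through).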
Received on Mon Nov 09 2009 - 12:42:01 MST
