Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Nov 2009 11:29:24 +1300

On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K
<irvan_at_grahamedia.net.id> wrote:
> Dear Mr Amos, thanks for your response, very helpful.
>
> Amos Jeffries wrote:
>> Irvan Adrian K wrote:
>>> So, what is the solution for these threads? Because I'm in the same
>>> trouble trying to make TPROXY4 work on Ubuntu 9.10 Server.
>>>
>>
>> Explicit "Server" release or normal? I have recently found that the
>> kernel for normal Ubuntu is missing some routing features needed on an
>> end box pretending to be a server.
> The Server release of Ubuntu 9.10, not the desktop one. As you know,
> Ubuntu has several types of distribution: server, desktop, etc., and as
> we analyzed, Ubuntu Server does not differ from Debian and has complete
> support for TPROXY built in, without recompiling:

Good.

>
> xt_tcpudp               2780  2
> nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
> nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
> xt_MARK                 1884  2
> xt_socket               2556  2
> nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> xt_TPROXY               1948  2
> nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
> x_tables               16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>
>>> I'm using kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, and ebtables
>>> 2.0.9, and so far I have been following the manual at
>>> http://wiki.squid-cache.org, like this:
>>>
>>> # pull port-80 TCP frames off the bridge into the routing code
>>> # (in the broute table, DROP means "route it", not "discard it")
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>
>>> # stop bridged frames from being run through iptables/arptables
>>> cd /proc/sys/net/bridge/
>>> for i in *
>>> do
>>>   echo 0 > $i
>>> done
>>> unset i
>>>
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> The iptables rules are:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> # packets already owned by a local socket skip the TPROXY target
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> The squid configuration is the default, except for
>>> acl allow all
>>>
>>> After following the above, the iptables counter for the TPROXY redirect
>>> was increasing, but there was nothing in Squid; I can't open anything.
>>>
>>> But if I change the ebtables --redirect-target to ACCEPT, the connection
>>> works, but the packets are just bridged and nothing comes to Squid, just
>>> like nothing is there.
>>
>> Yes. That is why they are "DROP". In BROUTING it means something like:
>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> Yes, we saw that; after adding --redirect-target DROP at ebtables, the
> counter at iptables -j TPROXY increases, like this one:
>
> 12830 3896K DIVERT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  socket
>  1451 69360 TPROXY  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Before DROP at ebtables, no packets came to iptables -j TPROXY at all.

Good.

>>
>>>
>>> If someone can give a clue, thanks in advance.
>>>
>>> R
>>>
>>
>> Did you build Squid with libcap2-dev installed on the system?
> Ubuntu prefers libcap-dev rather than libcap2-dev:
>
> apt-get install libcap2-dev
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Note, selecting libcap-dev instead of libcap2-dev
> libcap-dev is already the newest version.

I think this means they publish the code for libcap version 2.x in the
libcap-dev package. I hope so anyway, since later releases will require
functionality in version 2.x of libcap to build.

For now that should be fine.

>>
>>
>> If you start Squid with the -X option is there anything about spoofing
>> or transparent mentioned?
>
> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
>

Okay. And no sign of anything saying "Stopping full transparency: "...

That's a good sign that it's working up to and into Squid.

Amos
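
An added example, not code from this thread or from the Squid project: the ebtables, sysctl and iptables steps quoted above assembled into one script, plus the policy-routing step (ip rule / ip route ... table 100) that the Squid wiki's TPROXY page lists but which does not appear anywhere in the thread's listing. The Squid tproxy port (3129), the firewall mark (0x1) and routing table number (100) are assumptions taken from the values used in the thread. DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed without root or the kernel modules.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): TPROXY on a
# bridge as one idempotent set of functions.  Assumptions: Squid's tproxy
# listener is on 3129, the fwmark is 0x1, policy-routing table 100 is free.
# The two policy-routing commands come from the Squid wiki's TPROXY page
# and are not shown in the thread itself.

SQUID_TPROXY_PORT=${SQUID_TPROXY_PORT:-3129}
TPROXY_MARK=${TPROXY_MARK:-0x1}
ROUTE_TABLE=${ROUTE_TABLE:-100}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1 (review / test mode).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Pull port-80 TCP frames off the bridge into the IP stack.  In the
#    broute table the redirect target rewrites the destination MAC to the
#    bridge's own, and DROP means "route this frame"; ACCEPT would bridge
#    it straight through and iptables would never see it.
bridge_to_router() {
    for match in --ip-dport --ip-sport; do
        run ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp "$match" 80 \
            -j redirect --redirect-target DROP
    done
}

# 2. Keep bridged frames out of the bridge-nf hooks, switch off reverse-path
#    filtering on lo (the Squid wiki requires this for TPROXY, whose packets
#    carry non-local source addresses) and enable forwarding.
kernel_sysctls() {
    for key in net.bridge.bridge-nf-call-arptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-iptables; do
        run sysctl -q -w "$key=0"
    done
    run sysctl -q -w net.ipv4.conf.lo.rp_filter=0
    run sysctl -q -w net.ipv4.ip_forward=1
}

# 3. Deliver marked packets to the local stack instead of forwarding them.
#    Without this the TPROXY counter still climbs, but the marked packet is
#    routed onward and Squid never sees a connection.
policy_routing() {
    run ip rule add fwmark "$TPROXY_MARK" lookup "$ROUTE_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$ROUTE_TABLE"
}

# 4. The mangle rules from the thread, parameterised on mark and port.
iptables_tproxy() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # packets already owned by a local socket skip the TPROXY target
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$TPROXY_MARK/$TPROXY_MARK" --on-port "$SQUID_TPROXY_PORT"
}

setup_tproxy() {
    bridge_to_router
    kernel_sysctls
    policy_routing
    iptables_tproxy
}

# "sh tproxy-bridge.sh apply" as root installs the rules; any other
# invocation only defines the functions above.
if [ "${1-}" = apply ]; then
    setup_tproxy
fi
```

Run it once with DRY_RUN=1 to read the exact commands, then with `apply` as root. The checks that match the thread's own diagnostics are `iptables -t mangle -L PREROUTING -vn` (the TPROXY counter should climb only with the ebtables DROP target in place), `ip rule show` (the fwmark rule must be present, or the counters climb while Squid sees nothing), and `squid -X` reporting "IPv4 TPROXY support detected".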
Received on Mon Nov 09 2009 - 22:29:29 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 10 2009 - 12:00:03 MST