Re: [squid-users] Tproxy4+squid: ebtables wiki

From: Irvan Adrian K <irvan_at_grahamedia.net.id>
Date: Tue, 10 Nov 2009 06:25:57 +0700

Dear Amos,

Everything should be 'working properly', but in fact not one packet
arrives at the tproxy of squid after the packets come
into iptables:

1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

As we can see, 1451 packets have come into iptables, but nothing
came to access.log on squid, and none of our clients
can connect to the Internet.. except when we clear ebtables:

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

But after we cleared them, the server just functions like a bridge; the packets
do not come into iptables (the packet counters of iptables stay at zero),
and there is nothing in access.log on squid.

Today we want to try using CentOS 5.4, and as soon as we have installed and
configured it with TPROXY and tested it, I will post it here right
away.. wish me luck :p

Irvan Adrian


Amos Jeffries wrote:
> On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K
> <irvan_at_grahamedia.net.id> wrote:
>
>> Dear Mr Amos, thanks for your response, very helpful..
>>
>> Amos Jeffries wrote:
>>
>>> Irvan Adrian K wrote:
>>>
>>>> So, what is the solution for these threads? Because I'm in the same
>>>> trouble making TPROXY4 work on UBUNTU 9.10 Server
>>>>
>>>>
>>> Explicit "Server" release or normal? I have recently found that the
>>> kernel for normal Ubuntu is missing some routing features needed on an
>>> end box pretending to be a server.
>>>
>> The Server release distribution of UBUNTU 9.10, not the desktop one.. as you
>> know, UBUNTU has several types of distribution: server, desktop,
>> etc.., and as we analyze it, UBUNTU Server
>> does not differ from Debian, and has complete support for TPROXY built in,
>> without recompiling:
>>
>
> Good.
>
>
>> xt_tcpudp 2780 2
>> nf_nat 17808 2 iptable_nat,ipt_REDIRECT
>> nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
>> xt_MARK 1884 2
>> xt_socket 2556 2
>> nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
>> xt_TPROXY 1948 2
>> nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
>> nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
>> x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>>
>>
>
>>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>>> 2.0.9, and until now I have been following the manual at
>>>> http://wiki.squid-cache.org, like this:
>>>>
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>>
>>>> cd /proc/sys/net/bridge/
>>>> for i in *
>>>> do
>>>> echo 0 > $i
>>>> done
>>>> unset i
>>>>
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> the iptables rules are:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> squid configuration is default, except
>>>> acl allow all
>>>>
>>>> After following the above, the iptables counter was increasing,
>>>> redirecting to TPROXY, but there was nothing
>>>> in squid, I can't open anything..
>>>>
>>>> But if I change the ebtables --redirect-target to ACCEPT, the connection
>>>> is running, but the packets are just bridged, nothing comes to Squid, just like
>>>> nothing is there..
>>>>
>>> Yes. That is why they are "DROP". In BROUTING it means something like:
>>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
>>>
>> Yes, we saw that; after adding --redirect-target DROP at ebtables,
>> the counter at iptables -j TPROXY increases, like this one:
>>
>> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
>> 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>
>> before DROP at ebtables, no packets came to iptables -j TPROXY
>>
>
> Good.
>
>
>>>> Is there someone who can give a clue? Thanks in advance..
>>>>
>>>> R
>>>>
>>>>
>>> Did you build Squid with libcap2-dev installed on the system?
>>>
>> UBUNTU prefers libcap-dev rather than libcap2-dev,
>>
>> apt-get install libcap2-dev
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> Note, selecting libcap-dev instead of libcap2-dev
>> libcap-dev is already the newest version.
>>
>
> I think this means they publish the code for libcap version 2.x in the
> libcap-dev package. I hope so anyway, since later releases will require
> functionality in version 2.x of libcap to build.
>
> For now that should be fine.
>
>
>>> If you start Squid with the -X option is there anything about spoofing
>>> or transparent mentioned?
>>>
>> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
>> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
>> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
>> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP
>> spoofing enabled)
>> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
>> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
>> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
>> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
>>
>>
>
> Okay. And no sign of anything saying "Stopping full transparency: "...
>
> That's a good sign that it's working up to and into Squid.
>
> Amos
>
>
>
Received on Mon Nov 09 2009 - 23:26:14 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 10 2009 - 12:00:03 MST
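The thread narrows the fault down with three observations: the TPROXY rule counters in the mangle PREROUTING chain (zero when ebtables leaves the frames on the bridge, rising once the BROUTING DROP rules divert them), the Squid `-X` startup lines (`IPv4 TPROXY support detected` versus `Stopping full transparency:`), and whether access.log receives anything. The Python script below is an added example, not code from the thread or from the Squid project: it parses constructed `iptables -t mangle -L PREROUTING -v -n` style output modelled on the counter lines quoted above, classifies the Squid debug output, and reports which stage of the redirect chain is broken. The sample texts, the function names and the reason text after `Stopping full transparency:` are constructed for the example.

```python
import re

# Constructed sample output in the layout of `iptables -t mangle -L PREROUTING -v -n`,
# modelled on the counters quoted in the thread (not a real capture).
SAMPLE_IPTABLES_DIVERTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12830 3896K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
 1451 69360 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""

# Constructed: what the chain looks like when ebtables keeps frames on the bridge.
SAMPLE_IPTABLES_BRIDGED = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""

# Constructed Squid `-X` startup excerpts (the healthy lines mirror the thread).
SAMPLE_SQUID_DEBUG_OK = """\
2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
"""

SAMPLE_SQUID_DEBUG_BAD = """\
2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
2009/11/09 08:43:17.338| Stopping full transparency: (constructed placeholder reason)
"""

# A rule line starts with the packet counter, the byte counter (iptables
# abbreviates large values with K/M/G) and the target name.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+")


def parse_counters(output):
    """Return {target: packets} summed over every rule line in the chain listing."""
    counters = {}
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header or column header line
        pkts, _bytes, target = m.groups()
        counters[target] = counters.get(target, 0) + int(pkts)
    return counters


def squid_tproxy_status(debug_log):
    """Classify Squid -X output for a tproxy port: 'detected', 'disabled' or 'unknown'."""
    lines = debug_log.splitlines()
    if any("Stopping full transparency" in line for line in lines):
        return "disabled"
    if any("TPROXY support detected" in line for line in lines):
        return "detected"
    return "unknown"


def diagnose(iptables_output, squid_debug, access_log_entries):
    """Report the first broken stage of ebtables -> iptables TPROXY -> Squid."""
    tproxy_pkts = parse_counters(iptables_output).get("TPROXY", 0)
    if tproxy_pkts == 0:
        # Frames never left the bridge for the IP stack: the BROUTING
        # --redirect-target DROP rules are missing or not matching.
        return "bridged"
    if squid_tproxy_status(squid_debug) == "disabled":
        # Squid fell back from full transparency at startup (the thread's
        # libcap check belongs here).
        return "squid-no-tproxy"
    if access_log_entries == 0:
        # The thread's situation: TPROXY counters rise but access.log stays
        # empty, so marked packets are lost between netfilter and Squid's socket.
        return "lost-after-tproxy"
    return "ok"


if __name__ == "__main__":
    print(parse_counters(SAMPLE_IPTABLES_DIVERTING))
    print(diagnose(SAMPLE_IPTABLES_DIVERTING, SAMPLE_SQUID_DEBUG_OK, 0))
    print(diagnose(SAMPLE_IPTABLES_BRIDGED, SAMPLE_SQUID_DEBUG_OK, 0))
```

Run it against real output by feeding `diagnose()` the text of `iptables -t mangle -L PREROUTING -v -n`, the `squid -X` startup lines and a count of fresh access.log entries; a result of `bridged` points at ebtables, `squid-no-tproxy` at the Squid build, and `lost-after-tproxy` at the kernel path between the TPROXY rule and the listening socket, which is exactly the stage the thread has reached.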