RE: [squid-users] Tproxy4+squid: ebtables wiki

From: Roth, Joe <jroth_at_binghamton.edu>
Date: Wed, 11 Nov 2009 13:53:17 -0500

I have rebuilt the server using slackware 13, iptables 1.4.5, kernel
2.6.29.6 and squid 3.1.0.14. This was actually a pretty easy build since
tproxy 4 was included already in iptables and kernel support.

I get a little further this time. After following the wiki I see
connections coming in on netstat and entries in the access.log:

1257947020.539 33055 128.226.234.75 TCP_MISS/200 7042 GET http://www.imdb.com/ - DIRECT/72.21.211.32 text/html
1257947067.327 189510 128.226.234.43 TCP_MISS/200 5559 GET http://www.cnn.com/ - DIRECT/157.166.226.25 text/html

But I get nothing on the user end, and eventually I stop seeing things
showing up in the access log.

Any ideas on what to look at?

Thanks,

--Joe

-----Original Message-----
From: Irvan Adrian K [mailto:irvan_at_grahamedia.net.id]
Sent: Monday, November 09, 2009 5:05 PM
To: Dan
Cc: Roth, Joe; Amos Jeffries; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki

Wow, thanks for sharing, Dan. It's very informative for me to know
that, because I have been working on this for 2 weeks till now, very
desperate. I have been using Debian 5 Lenny and Ubuntu 9.04 and 9.10,
and so far nothing works :(. I have tried all the configurations, and
I have recompiled many kernels from 2.6.20 - 2.6.25, 2.6.29, 2.6.31,
and so far there was no solution at all.

Same for me, I have been using Debian and Ubuntu server for all my servers
for a long time, and it is hard for me to change to a different distro, but
learning from you, I will have to try Fedora or maybe CentOS for TPROXY.

Thanks,

Irvan Adrian

Dan wrote:
> To throw in my 2 cents: I have tried using both Ubuntu server 9.04
> and 9.10, and I could not get either of them to work. I experienced the
> same problem. So to make sure it wasn't me making a mistake somewhere, I
> tried the same config and setup on Fedora and that worked fine. So,
> being lazy, I just went with that. I am very interested in getting
> TPROXY to work with Ubuntu server as I prefer it as my server OS.
>
> Roth, Joe wrote:
>> So it sounds like this is a problem with Ubuntu 9.10 in general? I am
>> running the server version as well, everything looks to be compiled
>> properly, dmesg shows TPROXY starting, and squid shows IP spoofing
>> starting as well.
>>
>> -----Original Message-----
>> From: Irvan Adrian K [mailto:irvan_at_grahamedia.net.id] Sent: Monday,
>> November 09, 2009 8:46 AM
>> To: Amos Jeffries
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>
>> Dear Mr Amos, thanks for your response, very helpful..
>>
>> Amos Jeffries wrote:
>>
>>> Irvan Adrian K wrote:
>>>
>>>> So, What the solution for these threads ? because i'm in the same
>>>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>>>
>>>>
>>> Explicit "Server" release or normal? I have recently found that the
>>> kernel for normal Ubuntu is missing some routing features needed on
>>> an end box pretending to be a server.
>>>
>> The Server release distribution of UBUNTU 9.10, not the desktop one.. As you
>> know, UBUNTU has several types of distribution: server, desktop,
>> etc.., and as we analyze it, UBUNTU Server does
>> not differ from Debian, and has complete support for TPROXY built
>> in, without recompiling:
>>
>> xt_tcpudp 2780 2
>> nf_nat 17808 2 iptable_nat,ipt_REDIRECT
>> nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
>> xt_MARK 1884 2
>> xt_socket 2556 2
>> nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
>> xt_TPROXY 1948 2
>> nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
>> nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
>> x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>>
>>
>>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>>> 2.0.9, and until now, following the manual in
>>>> http://wiki.squid-cache.org, like this :
>>>>
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>>
>>>> cd /proc/sys/net/bridge/
>>>> for i in *
>>>> do
>>>> echo 0 > $i
>>>> done
>>>> unset i
>>>>
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> iptables are:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> squid configuration is default, except
>>>> acl allow all
>>>>
>>>> After following the above, the iptables counter was increasing,
>>>> redirecting to TPROXY, but there was nothing
>>>> in squid, I can't open anything..
>>>>
>>>> But if I change the ebtables --redirect-target to ACCEPT, the connection
>>>> runs, but the packets are just bridged; nothing comes to Squid, just like
>>>> nothing is there..
>>>>
>>> Yes. That is why they are "DROP". In BROUTING it means something like;
>>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
>>>
>> Yes, we see that; after adding --redirect-target DROP at ebtables, the
>> counter at iptables -j TPROXY increases, like this one:
>>
>> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
>> 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>
>> before DROP at ebtables, no packets came to iptables -j TPROXY
>>
>>>> There some one can give the clue, thanks in advance..
>>>>
>>>> R
>>>>
>>>>
>>> Did you build Squid with libcap2-dev installed on the system?
>>>
>> UBUNTU prefers libcap-dev rather than libcap2-dev,
>>
>> apt-get install libcap2-dev
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> Note, selecting libcap-dev instead of libcap2-dev
>> libcap-dev is already the newest version.
>>
>>> If you start Squid with the -X option is there anything about spoofing
>>> or transparent mentioned?
>>>
>>
>> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
>> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
>> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
>> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
>> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
>> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
>> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
>> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
>>
>>
>> Thanks,
>>
>> Irvan Adrian
>>
>>> Amos
>>>
>>>
>>>> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>>>>
>>>> Marko Kotar wrote:
>>>>
>>>> Just curious, which kernel version are you using?
>>>>
>>>>
>>>>
>>>> --- On Thu, 10/29/09, Dan <d..._at_jisp.net> wrote:
>>>>
>>>>
>>>> From: Dan <d..._at_jisp.net>
>>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma..._at_yahoo.com>
>>>> Cc: squid-users_at_squid-cache.org
>>>> Date: Thursday, October 29, 2009, 5:24 PM
>>>> Those are the same ebtable and iptable rules that I am using except
>>>> that I use DROP. If it is working for you then that is great. :) As
>>>> for why it works that way I don't know. When I use ACCEPT the
>>>> traffic is bridged through and not redirected to squid.
>>>>
>>>> Thanks,
>>>>
>>>> Irvan Adrian
>>>>
>>>> Marko Kotar wrote:
>>>>
>>>> Ok
>>>> My ebtable rules are (without -i option):
>>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>>>>
>>>> This might be the difference:
>>>> The bridge is up and has an IP address. The Ethernet
>>>> interfaces are up but do not have any IP address assigned.
>>>>
>>>> ifconfig eth0 up promisc
>>>> ...
>>>> bridge interface is configured with dhclient:
>>>> dhclient3 br0
>>>>
>>>> These rules are for the routing:
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>> And:
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> iptables are:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> squid configuration is default, except
>>>> acl allow all
>>>> and the port is set to the same address as in iptables,
>>>> and has TPROXY set.
>>>>
>>>> I am using: 2.6.28-16-server x86_64 ubuntu, default or
>>>> compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
>>>>
>>>> Squid Cache: Version 3.1.0.14
>>>> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
>>>>
>>>> configured only with the additional linux-netfilter flag
>>>>
>>>> I've used various network configurations:
>>>> -virtual computer using VmBox with virtual interface
>>>> in the linux bridge on guest pc.
>>>> -computer with two interfaces.
>>>> -double bridged vmbox: two virtual machines: the first
>>>> having 2 virtual interfaces, bridged, and having squid;
>>>> the second virtual pc being a client with one virtual interface.
>>>> One interface of the first was bridged on the guest computer to
>>>> the external interface, the other two were bridged together.
>>>>
>>>> Drop didn't work in any of them, accept was tested
>>>> only in the first.
>>>>
>>>> I think that's all the settings I have.
>>>>
>>>>
>>>> --- On Wed, 10/28/09, Dan <d..._at_jisp.net> wrote:
>>>>
>>>> From: Dan <d..._at_jisp.net>
>>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma..._at_yahoo.com>, squid-users_at_squid-cache.org
>>>> Date: Wednesday, October 28, 2009, 9:21 PM
>>>> Marko Kotar wrote:
>>>> Thanks.
>>>>
>>>> "redirect
>>>> The redirect target will change the MAC target address to that of
>>>> the bridge device the frame arrived on. This target can only be used
>>>> in the BROUTING chain of the broute table and the PREROUTING chain of
>>>> the nat table. In the BROUTING chain, the MAC address of the bridge
>>>> port is used as destination address, in the PREROUTING chain, the
>>>> MAC address of the bridge is used.
>>>> --redirect-target target
>>>> Specifies the standard target. After doing the MAC redirect, the
>>>> rule still has to give a standard target so ebtables knows what to
>>>> do. The default target is ACCEPT. Making it CONTINUE could let you
>>>> use multiple target extensions on the same frame. Making it DROP in
>>>> the BROUTING chain will let the frames be routed. RETURN is also
>>>> allowed. Note that using RETURN in a base chain is not allowed."
>>>>
>>>> I think: If accept is used it goes in the tproxy because the dst mac
>>>> is changed to the bridge address. (So it goes up as it would if the
>>>> client had the gateway configured to that machine?) But should drop
>>>> also work?
>>>>
>>>> I decided to test it. I changed my rule to ACCEPT and traffic passes
>>>> but not through the proxy. My access.log shows no new traffic after
>>>> changing the rule. DROP is what passes the frame off to iptables.
>>>> Could you show all your rules? If squid is receiving the traffic the
>>>> only thing I can think of is that maybe there is another rule further
>>>> down the chain that causes the frame to be routed.
>>>>
>>>> I have tried drop but it didn't work. I didn't get any traffic
>>>> through. If I didn't use any of the ebtable rules it went through.
>>>>
>>>> But accept works.
>>>>
>>>> --- On Wed, 10/28/09, Dan <d..._at_jisp.net> wrote:
>>>> From: Dan <d..._at_jisp.net>
>>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma..._at_yahoo.com>
>>>> Cc: squid-users_at_squid-cache.org
>>>> Date: Wednesday, October 28, 2009, 1:03 AM
>>>>
>>>> Marko Kotar wrote:
>>>> Hi,
>>>> You have incorrect commands in the squid wiki for tproxy4 ebtables:
>>>> I figured out that it is not "--redirect-target DROP"
>>>> but it is "--redirect-target ACCEPT".
>>>>
>>>> With ebtables using broute, ACCEPT and DROP have special
>>>> meanings. DROP means route the frame and ACCEPT means bridge the frame.
>>>>
>>>> http://ebtables.sourceforge.net/misc/ebtables-man.html
>>>>
>>>> There is a "-j REDIRECT" which should be in lowercase
>>>> letters "-j redirect".
>>>> Thanks for the guide.
>>>>
>>>> Marko
>>>>
>>>> Dan
Received on Wed Nov 11 2009 - 18:53:22 MST
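As an added example (not code from this thread, from the Squid wiki or from the Squid project), the following script collects the bridge, sysctl, policy-routing and iptables steps that the posts above give in pieces into one place, with comments on why each piece is there, and adds a small parser for the `iptables -t mangle -L PREROUTING -v -n -x` counters that Irvan quoted. The bridge name br0, the client subnet 128.226.0.0/16, the choice of mark 0x1 and routing table 100, and the `http_access` restriction in the squid.conf fragment are assumptions of this example; clearing rp_filter on the bridge and on "all" (the thread only clears it on lo) is this example's addition too.

```shell
#!/bin/sh
# Added example, not code from this thread, the Squid wiki or the Squid
# project: the bridge, sysctl, policy-routing and iptables steps the posts
# above give in pieces, collected into one script, plus a parser for the
# PREROUTING counters Irvan quoted.
# Assumptions: bridge br0 carries the client LAN 128.226.0.0/16, Squid has
# "http_port 3129 tproxy", and mark 0x1 and routing table 100 are unused.
# Usage: "sh tproxy-bridge.sh show" prints the commands; "apply" runs them
# as root; "squid" prints a squid.conf fragment; "check [TARGET]" reads the
# live counters.

BR=${BR:-br0}
SQUID_PORT=${SQUID_PORT:-3129}
CLIENT_NET=${CLIENT_NET:-128.226.0.0/16}
MARK=0x1
RT_TABLE=100

# Execute a command in apply mode, print it in show mode.
run() { if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi; }

tproxy_sysctls() {
  # Keep bridged frames out of iptables; only frames taken off the bridge
  # by the BROUTING rules below should reach the mangle table.
  for f in /proc/sys/net/bridge/bridge-nf-call-*; do
    run sh -c "echo 0 > $f"
  done
  # Squid answers with the client's source address (the "IP Spoofing" line
  # in its -X output), which fails the reverse-path check. The effective
  # setting is the larger of conf/all and conf/<iface>, so clear all three.
  for i in lo all "$BR"; do
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$i/rp_filter"
  done
  run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

tproxy_bridge_rules() {
  # BROUTING semantics (ebtables man page): DROP takes the frame off the
  # bridge into the routing code, where iptables can TPROXY it; ACCEPT
  # bridges it straight through, which is why ACCEPT "works" but bypasses
  # Squid. The sport-80 rule catches the origin server's replies, which are
  # addressed to the spoofed client IP and must also be routed into Squid.
  run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
      -j redirect --redirect-target DROP
  run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
      -j redirect --redirect-target DROP
}

tproxy_routing() {
  # Packets marked by TPROXY/DIVERT are delivered locally whatever their
  # destination address. Without this table they are simply forwarded and
  # nothing ever reaches the socket on the tproxy port.
  run ip rule add fwmark $MARK lookup $RT_TABLE
  run ip route add local 0.0.0.0/0 dev lo table $RT_TABLE
}

tproxy_iptables() {
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
  run iptables -t mangle -A DIVERT -j ACCEPT
  # Packets that already belong to a local (Squid) socket: server replies.
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # New client connections to port 80 are steered to Squid's tproxy port.
  run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
      -j TPROXY --tproxy-mark $MARK/$MARK --on-port "$SQUID_PORT"
}

squid_conf_fragment() {
  # Squid switches authentication off on a tproxy port ("Disabling
  # Authentication on port [::]:3129"), so limit who may use it by source
  # address instead of allowing everything.
  cat <<EOF
http_port 3128
http_port $SQUID_PORT tproxy
acl localnet src $CLIENT_NET
http_access allow localnet
http_access deny all
EOF
}

# Read "iptables -t mangle -L PREROUTING -v -n -x" on stdin and print the
# packet counter of the rule whose target is $1 (0 if there is no such rule).
# Rising DIVERT/TPROXY counters with an empty access.log point at the
# policy route or rp_filter, not at ebtables.
tproxy_counter() {
  awk -v target="$1" '$3 == target { print $1; found = 1 }
                      END { if (!found) print 0 }'
}

case "${1:-}" in
  apply|show) MODE=$1; tproxy_sysctls; tproxy_bridge_rules
              tproxy_routing; tproxy_iptables ;;
  squid)      squid_conf_fragment ;;
  check)      iptables -t mangle -L PREROUTING -v -n -x | tproxy_counter "${2:-TPROXY}" ;;
esac
```

Run `show` first and compare the printed commands with the rule set that is actually loaded; `check DIVERT` and `check TPROXY` should both climb while a client browses, and a climbing TPROXY counter with an empty access.log is the symptom Joe describes, which this script addresses with the `ip rule`/`ip route` pair and the rp_filter settings rather than with any ebtables change.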
