RE: [squid-users] Tproxy4+squid: ebtables wiki

From: Roth, Joe <jroth_at_binghamton.edu>
Date: Wed, 11 Nov 2009 21:49:22 -0500

Ah, followed this thread and the piece about the wccp exclude and it is now working.

http://www.mail-archive.com/squid-dev@squid-cache.org/msg04302.html

-----Original Message-----
From: Marko Kotar [mailto:kotarmarko_at_yahoo.com]
Sent: Wednesday, November 11, 2009 7:21 PM
To: Roth, Joe; squid-users_at_squid-cache.org
Subject: RE: [squid-users] Tproxy4+squid: ebtables wiki

Try to look if there is any connection going out to the server from squid.
Also you should look if there is any connection reset.
All these things you can look at with:
tcpdump port 80 -i <ethernet interface>

--- On Wed, 11/11/09, Roth, Joe <jroth_at_binghamton.edu> wrote:

> From: Roth, Joe <jroth_at_binghamton.edu>
> Subject: RE: [squid-users] Tproxy4+squid: ebtables wiki
> To: "Irvan Adrian K" <irvan_at_grahamedia.net.id>, "Dan" <dan_at_jisp.net>
> Cc: "Amos Jeffries" <squid3_at_treenet.co.nz>, squid-users_at_squid-cache.org
> Date: Wednesday, November 11, 2009, 7:53 PM
> I have rebuilt the server using slackware 13, iptables 1.4.5, kernel
> 2.6.29.6 and squid 3.1.0.14. This was actually a pretty easy build since
> tproxy 4 was included already in iptables and kernel support.
>
> I get a little further this time. After following the wiki I see
> connections coming in on netstat and printouts in the access_log:
>
> 1257947020.539  33055 128.226.234.75 TCP_MISS/200 7042 GET http://www.imdb.com/ - DIRECT/72.21.211.32 text/html
> 1257947067.327 189510 128.226.234.43 TCP_MISS/200 5559 GET http://www.cnn.com/ - DIRECT/157.166.226.25 text/html
>
> But I get nothing on the user end, and eventually I stop seeing things
> showing up in the access log.
>
> Any ideas on what to look at?
>
> Thanks,
>
> --Joe
>
> -----Original Message-----
> From: Irvan Adrian K [mailto:irvan_at_grahamedia.net.id]
>
> Sent: Monday, November 09, 2009 5:05 PM
> To: Dan
> Cc: Roth, Joe; Amos Jeffries; squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>
> Wow, thanks for the sharing, Dan.. it's very informative for me to know
> that.. because i have been working for 2 weeks till now, very
> desperate.. i have been using Debian 5 Lenny and Ubuntu 9.04 and 9.10,
> and so far nothing works :(, .. all the configuration i have tried, and
> i have been recompiling many kernels from 2.6.20 - 2.6.25, 2.6.29, 2.6.31,
> and so far there was no solution at all..
>
> Same to me, i have been using Debian and Ubuntu server for all my servers
> since a long time, and so hard for me to change to a different distro, but
> learning from you, i have to try Fedora or may be CentOS, for TPROXY..
>
> Thanks,
>
> Irvan Adrian
>
> Dan wrote:
> > To throw in my 2 cents.  I have tried using both ubuntu server 9.04
> > and 9.10; neither of them could I get to work. I experienced the same
> > problem. So to make sure it wasn't me making a mistake somewhere I
> > tried the same config and setup on Fedora and that worked fine.  So
> > being lazy I just went with that.  I am very interested in getting
> > TPROXY to work with ubuntu server as I prefer it as my server OS.
> >
> > Roth, Joe wrote:
> >> So it sounds like this is a problem with ubuntu 9.10 in general? I am
> >> running the server version as well, everything looks to be compiled
> >> properly, dmesg shows TPROXY starting, squid shows IP spoofing to be
> >> starting as well.
> >>
> >> -----Original Message-----
> >> From: Irvan Adrian K [mailto:irvan_at_grahamedia.net.id]
> Sent: Monday,
> >> November 09, 2009 8:46 AM
> >> To: Amos Jeffries
> >> Cc: squid-users_at_squid-cache.org
> >> Subject: Re: [squid-users] Tproxy4+squid: ebtables
> wiki
> >>
> >> Dear Mr Amos, thanks for your response, very helpful..
> >>
> >> Amos Jeffries wrote:
> >> 
> >>> Irvan Adrian K wrote:
> >>>> So, what is the solution for these threads? because i'm in the same
> >>>> trouble making TPROXY4 work in UBUNTU 9.10 Server
> >>>>
> >>> Explicit "Server" release or normal? I have recently found that the
> >>> kernel for normal Ubuntu is missing some routing features needed on
> >>> an end box pretending to be a server.
> >>>
> >> Server release distribution of UBUNTU 9.10, not desktop one.. as you
> >> know UBUNTU has several types of distribution: server, desktop,
> >> etc.., and as we analyze, UBUNTU Server does not differ from Debian,
> >> and has complete support for TPROXY built in, without recompile:
> >>
> >> xt_tcpudp               2780  2
> >> nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
> >> nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
> >> xt_MARK                 1884  2
> >> xt_socket               2556  2
> >> nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> >> xt_TPROXY               1948  2
> >> nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> >> nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
> >> x_tables               16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
> >>
> >> 
> >>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
> >>>> 2.0.9, and until now, following the manual in
> >>>> http://wiki.squid-cache.org, like this :
> >>>>
> >>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> >>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> >>>>
> >>>> cd /proc/sys/net/bridge/
> >>>> for i in *
> >>>> do
> >>>>  echo 0 > $i
> >>>> done
> >>>> unset i
> >>>>
> >>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> >>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>
> >>>> iptables are:
> >>>> iptables -t mangle -N DIVERT
> >>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> >>>> iptables -t mangle -A DIVERT -j ACCEPT
> >>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> >>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> >>>>
> >>>> squid configuration is default, except
> >>>> acl allow all
> >>>>
> >>>> After following like above, the iptables counter was increasing
> >>>> redirecting to TPROXY, but there was nothing in the squid, i can't
> >>>> open anything..
> >>>>
> >>>> But if i change the ebtables --redirect-target ACCEPT, the connection
> >>>> running, but the packet just bridged nothing came to Squid, just like
> >>>> nothing on there..
> >>> Yes. That is why they are "DROP". In BROUTING it means something like;
> >>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> >> Yes, we look that, after adding --redirect-target DROP at ebtables,
> >> counter at iptables -j TPROXY increase, like this one :
> >>
> >> 12830 3896K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
> >>  1451 69360 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
> >>
> >> before DROP at ebtables, there were no packets coming to iptables -j
> >> TPROXY
> >> 
> >>>> Is there someone who can give a clue, thanks in advance..
> >>>>
> >>>> R
> >>>>
> >>>>       
> >>> Did you build Squid with libcap2-dev installed on the system?
> >>>
> >> UBUNTU prefers libcap-dev rather than libcap2-dev,
> >>
> >> apt-get install libcap2-dev
> >> Reading package lists... Done
> >> Building dependency tree
> >> Reading state information... Done
> >> Note, selecting libcap-dev instead of libcap2-dev
> >> libcap-dev is already the newest version.
> >> 
> >>> If you start Squid with the -X option is there anything about spoofing
> >>> or transparent mentioned?
> >>
> >> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
> >> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
> >> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
> >> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
> >> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
> >> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
> >> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
> >> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
> >> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
> >> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
> >> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
> >> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
> >>
> >>
> >> Thanks,
> >>
> >> Irvan Adrian
> >> 
> >>> Amos
> >>>
> >>>   
> >>>> Kernel 2.6.30.8, Squid 3.1.0.14, iptables
> 1.4.3.1, ebtables 2.0.9
> >>>>
> >>>> Marko Kotar wrote:
> >>>>
> >>>> Just curious which kernel version are u using?
> >>>>
> >>>> --- On Thu, 10/29/09, Dan <d..._at_jisp.net> wrote:
> >>>>
> >>>> From: Dan <d..._at_jisp.net>
> >>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> >>>> To: "Marko Kotar" <kotarma..._at_yahoo.com>
> >>>> Cc: squid-users_at_squid-cache.org
> >>>> Date: Thursday, October 29, 2009, 5:24 PM
> >>>> Those are the same ebtable and iptable rules that I am using except
> >>>> that I use DROP. If it is working for you then that is great. :) As
> >>>> for why it works that way I don't know.  When I use ACCEPT the
> >>>> traffic is bridged through and not redirected to squid.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Irvan Adrian
> >>>>
> >>>> Marko Kotar wrote:
> >>>>
> >>>>    Ok
> >>>>    My ebtable rules are (without -i option):
> >>>>    ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
> >>>>    ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
> >>>>
> >>>>    This might be the difference:
> >>>>    Bridge is up and it is having an ip address. Ethernet interfaces
> >>>>    are up but not having any ip address assigned.
> >>>>
> >>>>    ifconfig eth0 up promisc
> >>>>    ...
> >>>>    bridge interface is configured with dhclient:
> >>>>    dhclient3 br0
> >>>>
> >>>>    These rules are for the routing;
> >>>>    ip rule add fwmark 1 lookup 100
> >>>>    ip route add local 0.0.0.0/0 dev lo table 100
> >>>>    And:
> >>>>    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> >>>>    echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>
> >>>>    iptables are:
> >>>>    iptables -t mangle -N DIVERT
> >>>>    iptables -t mangle -A DIVERT -j MARK --set-mark 1
> >>>>    iptables -t mangle -A DIVERT -j ACCEPT
> >>>>    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> >>>>    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> >>>>
> >>>>    squid configuration is default, except
> >>>>    acl allow all
> >>>>    and port is set to the same address as in iptables, and having
> >>>>    TPROXY set.
> >>>>
> >>>>    I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled
> >>>>    ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
> >>>>
> >>>>    Squid Cache: Version 3.1.0.14
> >>>>    configure options:  '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
> >>>>
> >>>>    configured only with additional linux-netfilter flag
> >>>>
> >>>>    I've used various network configurations:
> >>>>    -virtual computer using VmBox with virtual interface in the linux
> >>>>     bridge on guest pc.
> >>>>    -computer with two interfaces.
> >>>>    -double bridged vmbox: two virtual machines: first having 2 virtual
> >>>>     interfaces, bridged and having squid. second virtual pc being
> >>>>     client with one virtual interface. one interface of first was
> >>>>     bridged on guest computer to external interface, other two were
> >>>>     bridged together.
> >>>>
> >>>>    Drop didn't work in any of them, accept was tested only in first.
> >>>>
> >>>>    i think that's all the settings i have.
> >>>>
> >>>>
> >>>>    --- On Wed, 10/28/09, Dan <d..._at_jisp.net> wrote:
> >>>>
> >>>>        From: Dan <d..._at_jisp.net>
> >>>>        Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> >>>>        To: "Marko Kotar" <kotarma..._at_yahoo.com>, squid-users_at_squid-cache.org
> >>>>        Date: Wednesday, October 28, 2009, 9:21 PM
> >>>>        Marko Kotar wrote:
> >>>>            Thanks.
> >>>>
> >>>>            "redirect
> >>>>            The redirect target will change the MAC target address to
> >>>>            that of the bridge device the frame arrived on. This target
> >>>>            can only be used in the BROUTING chain of the broute table
> >>>>            and the PREROUTING chain of the nat table. In the BROUTING
> >>>>            chain, the MAC address of the bridge port is used as
> >>>>            destination address, in the PREROUTING chain, the MAC
> >>>>            address of the bridge is used.
> >>>>            --redirect-target target
> >>>>            Specifies the standard target. After doing the MAC redirect,
> >>>>            the rule still has to give a standard target so ebtables
> >>>>            knows what to do. The default target is ACCEPT. Making it
> >>>>            CONTINUE could let you use multiple target extensions on the
> >>>>            same frame. Making it DROP in the BROUTING chain will let
> >>>>            the frames be routed. RETURN is also allowed. Note that using
> >>>>            RETURN in a base chain is not allowed."
> >>>>
> >>>>            I think: If accept is used it goes in the tproxy because
> >>>>            dst mac is changed to bridge address. (So it goes up as it
> >>>>            would if client had gateway configured to that machine?)
> >>>>            But should drop also work?
> >>>>
> >>>>        I decided to test it. I changed my rule to ACCEPT and traffic
> >>>>        passes but not through the proxy. My access.log shows no new
> >>>>        traffic after changing the rule.  DROP is what passes the frame
> >>>>        off to iptables.  Could you show all your rules?  If squid is
> >>>>        receiving the traffic the only thing I can think of is that
> >>>>        maybe there is another rule further down the chain that causes
> >>>>        the frame to be routed.
> >>>>
> >>>>            I have tried drop but it didn't work. I didn't get through
> >>>>            any traffic.
> >>>>            If i didn't use any of ebtable rules it went through.
> >>>>            But accept works.
> >>>>
> >>>>            --- On Wed, 10/28/09, Dan <d..._at_jisp.net> wrote:
> >>>>
> >>>>                From: Dan <d..._at_jisp.net>
> >>>>                Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
> >>>>                To: "Marko Kotar" <kotarma..._at_yahoo.com>
> >>>>                Cc: squid-users_at_squid-cache.org
> >>>>                Date: Wednesday, October 28, 2009, 1:03 AM
> >>>>
> >>>>                Marko Kotar wrote:
> >>>>                    Hi,
> >>>>                    You have incorrect commands in squid wiki for
> >>>>                    tproxy4 ebtables:
> >>>>                    I figure out that it is not "--redirect-target DROP"
> >>>>                    but it is "--redirect-target ACCEPT".
> >>>>
> >>>>                With ebtables using broute ACCEPT and DROP have special
> >>>>                meanings.  DROP means route the frame and ACCEPT means
> >>>>                bridge the frame.
> >>>>                http://ebtables.sourceforge.net/misc/ebtables-man.html
> >>>>
> >>>>                    There is a "-j REDIRECT" which should be in
> >>>>                    lowercase letters "-j redirect".
> >>>>                    Thanks for guide.
> >>>>
> >>>>                    Marko
> >>>>
> >>>>                Dan
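The troubleshooting steps scattered through this thread (lsmod for the TPROXY modules, watching whether the iptables TPROXY counter moves once ebtables hands port-80 frames off with --redirect-target DROP, the fwmark policy rule and the local route on table 100 that carry marked traffic to lo) can be folded into one checker. The script below is an added example, not code from the thread, from Squid or from the wiki it discusses: instead of running the commands it parses constructed sample output modelled on the listings quoted above (lsmod, iptables -t mangle -L PREROUTING -v -n, ip rule show, ip route show table 100), and the REQUIRED_MODULES set reflects the 2.6.x module names shown in the thread.

```python
import re

# Modules the lsmod listing quoted in this thread shows on a working 2.6.x
# TPROXY bridge. nf_tproxy_core is not a separate module on newer kernels;
# adjust the set for the kernel you actually run.
REQUIRED_MODULES = {"xt_TPROXY", "xt_socket", "nf_tproxy_core", "xt_MARK", "ebtables"}

# One rule line of `iptables -t mangle -L PREROUTING -v -n`:
#   pkts bytes target prot opt in out source destination [match/target options]
_RULE = re.compile(
    r"^\s*(\d+)\s+(\d+)([KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$"
)
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def loaded_modules(lsmod_text):
    """Set of module names in `lsmod` output (first column, header skipped)."""
    names = set()
    for line in lsmod_text.splitlines():
        fields = line.split()
        if fields and fields[0] != "Module":
            names.add(fields[0])
    return names


def parse_counters(iptables_text):
    """Map target -> (packets, bytes, option text) for each rule line."""
    rules = {}
    for line in iptables_text.splitlines():
        m = _RULE.match(line)
        if m:
            pkts, nbytes, suffix, target, _proto, extra = m.groups()
            rules[target] = (int(pkts), int(nbytes) * _SUFFIX[suffix], extra.strip())
    return rules


def diagnose(lsmod_text, iptables_text, ip_rule_text, ip_route_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    missing = sorted(REQUIRED_MODULES - loaded_modules(lsmod_text))
    if missing:
        findings.append("modules not loaded: " + ", ".join(missing))
    rules = parse_counters(iptables_text)
    for target in ("DIVERT", "TPROXY"):
        if target not in rules:
            findings.append(f"no {target} rule in mangle PREROUTING")
    if "TPROXY" in rules:
        pkts, _, opts = rules["TPROXY"]
        if pkts == 0:
            # The symptom reported in the thread: with --redirect-target ACCEPT the
            # frames stay on the bridge and never reach the routing code, so the
            # TPROXY rule is never evaluated and its counter stays at zero.
            findings.append("TPROXY rule matched 0 packets: frames are probably still "
                            "being bridged (ebtables broute --redirect-target must be DROP)")
        if "mark 0x1/0x1" not in opts:
            findings.append("TPROXY rule does not set mark 0x1/0x1")
    if not re.search(r"fwmark 0x1\b.*lookup 100", ip_rule_text):
        findings.append("missing policy rule: ip rule add fwmark 1 lookup 100")
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo\b", ip_route_text, re.M):
        findings.append("table 100 lacks: ip route add local 0.0.0.0/0 dev lo table 100")
    return findings


# Constructed sample output, modelled on the listings quoted in the thread.
SAMPLE_LSMOD = """\
Module                  Size  Used by
xt_tcpudp               2780  2
xt_MARK                 1884  2
xt_socket               2556  2
xt_TPROXY               1948  2
nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
ebtables               17000  2 ebt_redirect,ebt_ip
"""

SAMPLE_IPTABLES_OK = """\
Chain PREROUTING (policy ACCEPT 48000 packets, 6000K bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12830    3896K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
    1451    69360 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""

# The same chain as it looks while ebtables still bridges port-80 frames (ACCEPT).
SAMPLE_IPTABLES_BRIDGED = SAMPLE_IPTABLES_OK.replace(
    "    1451    69360 TPROXY", "       0        0 TPROXY")

SAMPLE_IP_RULE = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
"""
SAMPLE_IP_ROUTE_100 = "local default dev lo  scope host\n"

if __name__ == "__main__":
    for label, ipt in (("broute DROP", SAMPLE_IPTABLES_OK),
                       ("broute ACCEPT", SAMPLE_IPTABLES_BRIDGED)):
        print(label, "->", diagnose(SAMPLE_LSMOD, ipt, SAMPLE_IP_RULE, SAMPLE_IP_ROUTE_100) or ["ok"])
```

On a real host, save the output of each command to a file and pass the file contents to diagnose(). A zero TPROXY counter next to a climbing DIVERT counter is exactly what Irvan described before switching the broute rule to DROP; a missing fwmark rule or table-100 route produces Joe's symptom, where squid logs the request but the client never sees the reply.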

      
Received on Thu Nov 12 2009 - 02:49:24 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 12 2009 - 12:00:03 MST