Re: [squid-users] TPROXY Routing

From: johan firdianto <johanfirdi_at_gmail.com>
Date: Thu, 1 Apr 2010 19:09:07 +0700

Make sure you have set up triangle routing correctly.
Does your squid act as a bridge? Or as a router/gateway with dual
ethernet interfaces?
Or as a standalone server with a single ethernet interface?
Options 1 and 2 don't need a routing setup; incoming and
outgoing traffic must hit the squid box.
But for option 3, you should set up your router to make sure outgoing
traffic to port 80 hits the squid first and is forwarded to the
internet, and the reply traffic from the internet comes back to the
squid box before being forwarded to the client.

2010/4/1 Kurt Sandstrom <sandmanaz_at_gmail.com>:
> I have the following in startup....
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> The output of  ip route show table 100: local default dev lo  scope host
>
> One other thing is strange, my PREROUTING rules in mangle don't load
> in my script. I have to manually add them. Timing issue perhaps?
>
> Startup script loaded from rc.local:
>
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>  cd /proc/sys/net/bridge/
>  for i in *
>  do
>   echo 0 > $i
>  done
>  unset i
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
>
> 2010/3/31 Henrik Nordström <henrik_at_henriknordstrom.net>:
>> ons 2010-03-31 klockan 09:47 -0700 skrev Kurt Sandstrom:
>>> I have been unable to get TPROXY working correctly with squid. I have
>>> used the steps in  http://wiki.squid-cache.org/Features/Tproxy4 and re
>>> checked everything.
>>>
>>
>> I did not see your routing setup in the data you dumped. Without the
>> routing configured, TPROXY won't intercept, it will just route like normal.
>>
>> http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
>>
>> Regards
>> Henrik
>>
>>
>
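Added example, not part of the thread or of the Squid wiki: a small POSIX sh checker for the routing pieces the Tproxy4 page requires (the fwmark rule, the local default route in table 100, and the two sysctls). It parses captured `ip rule show` / `ip route show table 100` output passed as arguments, so it can be tried offline against the constructed sample below and then run with live output on the squid box.

```shell
#!/bin/sh
# Assumed iproute2 output formats: "N: from all fwmark 0x1 lookup 100"
# (older versions print "fwmark 1") and "local default dev lo  scope host".

# 0 if `ip rule show` output contains the fwmark 1 -> table 100 rule.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:[[:space:]]+from all fwmark (0x)?1 lookup 100'
}

# 0 if `ip route show table 100` output contains the local default route on lo.
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local default dev lo[[:space:]]+scope host'
}

# 0 when lo/rp_filter is 0 and ip_forward is 1, as the startup script sets them.
sysctls_ok() {
    [ "$1" = "0" ] && [ "$2" = "1" ]
}

# Args: rule output, table-100 route output, rp_filter value, ip_forward value.
# Prints each missing piece; returns 0 only when everything is in place.
check_tproxy_routing() {
    rules="$1"; routes="$2"; rp="$3"; fwd="$4"; ok=0
    has_fwmark_rule "$rules" || { echo "missing: ip rule add fwmark 1 lookup 100"; ok=1; }
    has_local_route "$routes" || { echo "missing: ip route add local 0.0.0.0/0 dev lo table 100"; ok=1; }
    sysctls_ok "$rp" "$fwd" || { echo "sysctls: lo/rp_filter must be 0, ip_forward must be 1"; ok=1; }
    return $ok
}

# Constructed sample output, matching what the startup script above produces.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='local default dev lo  scope host'

# Live use on the squid box (uncomment):
# check_tproxy_routing "$(ip rule show)" "$(ip route show table 100)" \
#     "$(cat /proc/sys/net/ipv4/conf/lo/rp_filter)" "$(cat /proc/sys/net/ipv4/ip_forward)"
```

A non-zero exit with the "missing:" lines tells you which of the wiki's routing commands did not take effect at boot, which is the symptom Henrik points at.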
Received on Thu Apr 01 2010 - 12:09:18 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 02 2010 - 12:00:04 MDT