Re: [squid-users] TPROXY Routing

From: Kurt Sandstrom <sandmanaz_at_gmail.com>
Date: Thu, 1 Apr 2010 11:10:58 -0700

It is set up with 2 nics as a bridge. The routing I was referring to is
only internal to the box, i.e. through iptables

On Thu, Apr 1, 2010 at 5:09 AM, johan firdianto <johanfirdi_at_gmail.com> wrote:
> Make sure you have setup triangle routing correctly.
> your squid act as bridge ? or act as router/gateway with dual
> interface ethernet ?
> or standalone server with single ethernet.
> option 1 and 2, doesn't need routing setup, traffic incoming and
> outgoing must hit the squid box.
> But for option 3, you should setup your router to make sure outgoing
> traffic to port 80 should hit the squid first, and forward to
> internet, and the reply traffic from internet should come back to
> squid box before forwarded to client.
>
> 2010/4/1 Kurt Sandstrom <sandmanaz_at_gmail.com>:
>> I have the following in startup....
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> The output of ip route show table 100: local default dev lo  scope host
>>
>> One other thing is strange, my PREROUTING rules in mangle don't load
>> in my script. I have to manually add them. Timing issue perhaps?
>>
>> Startup script loaded from rc.local:
>>
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 3129
>> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp
>> --ip-dport 80 -j redirect --redirect-target DROP
>> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp
>> --ip-sport 80 -j redirect --redirect-target DROP
>>  cd /proc/sys/net/bridge/
>>  for i in *
>>  do
>>   echo 0 > $i
>>  done
>>  unset i
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>>
>> 2010/3/31 Henrik Nordström <henrik_at_henriknordstrom.net>:
>>> On Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
>>>> I have been unable to get TPROXY working correctly with squid. I have
>>>> used the steps in http://wiki.squid-cache.org/Features/Tproxy4 and
>>>> re-checked everything.
>>>>
>>>
>>> I did not see your routing setup in the data you dumped. Without the
>>> routing configured then TPROXY won't intercept, just route like normal.
>>>
>>> http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
>>>
>>> Regards
>>> Henrik
>>>
>>>
>>
>
Received on Thu Apr 01 2010 - 18:11:06 MDT
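An added example, not from the thread or from the Squid project: an idempotent version of the routing half of the startup script quoted above, plus a check for the pieces Henrik asks about (the fwmark rule, the local route on lo, and the two PREROUTING rules in the right order). It assumes mark 1, table 100 and port 3129 as in Kurt's script, `iptables -C` (iptables 1.4.11 or later), the kernel modules xt_socket and xt_TPROXY, and a placeholder bridge interface name br0.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent version of the routing half
# of the startup script quoted above, plus a check for the pieces Henrik asks
# about. Assumes mark 1, table 100, Squid on port 3129 (from the thread) and
# a bridge interface named br0 (placeholder, adjust to your box).
MARK=1
TABLE=100
TPROXY_PORT=3129
BRIDGE_IF=br0

# Check captured text of `ip rule show`, `ip route show table $TABLE` and
# `iptables-save -t mangle` (passed as arguments so it runs without root).
# Succeeds only if the fwmark rule, the local default route on lo, and both
# PREROUTING rules exist with the socket match ahead of TPROXY.
tproxy_routing_ok() {
    printf '%s\n' "$1" | grep -Eq "fwmark (0x)?$MARK(/[0-9a-fx]+)? lookup $TABLE" || return 1
    printf '%s\n' "$2" | grep -Eq '^local default dev lo ' || return 1
    d=$(printf '%s\n' "$3" | grep -nE -- '-A PREROUTING .*-m socket .*-j DIVERT' | head -n1 | cut -d: -f1)
    t=$(printf '%s\n' "$3" | grep -nE -- "-A PREROUTING .*--dport 80 .*-j TPROXY .*--on-port $TPROXY_PORT" | head -n1 | cut -d: -f1)
    [ -n "$d" ] && [ -n "$t" ] && [ "$d" -lt "$t" ]
}

# Every step below is safe to repeat, so running this twice from rc.local or
# by hand after boot never duplicates rules or routes.
apply_tproxy_routing() {
    # Load the match/target modules first: a rule that fails for a missing
    # module at boot is one way PREROUTING rules end up missing until added by hand.
    modprobe xt_socket && modprobe xt_TPROXY
    # rp_filter must be off on lo and on the interface the traffic arrives on,
    # otherwise reverse-path filtering discards what the table-100 route delivers.
    for dev in lo "$BRIDGE_IF"; do echo 0 > "/proc/sys/net/ipv4/conf/$dev/rp_filter"; done
    ip rule show | grep -Eq "fwmark (0x)?$MARK(/[0-9a-fx]+)? lookup $TABLE" \
        || ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route show table "$TABLE" | grep -Eq '^local default dev lo ' \
        || ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    iptables -t mangle -N DIVERT 2>/dev/null || true
    iptables -t mangle -C DIVERT -j MARK --set-mark "$MARK" 2>/dev/null \
        || iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    iptables -t mangle -C DIVERT -j ACCEPT 2>/dev/null \
        || iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null \
        || iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -C PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT" 2>/dev/null \
        || iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}
# Only touch the system when asked explicitly: sh tproxy-routing.sh apply
case "${1:-}" in apply) apply_tproxy_routing && tproxy_routing_ok "$(ip rule show)" \
    "$(ip route show table "$TABLE")" "$(iptables-save -t mangle)" && echo "TPROXY routing in place" ;; esac
```

Running the script without `apply` after boot and feeding the check the live command output is a quick way to confirm the PREROUTING rules survived startup rather than only being present after adding them by hand.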
