Re: [squid-users] TPROXY4 + Fedora 13

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 11 Jul 2010 20:19:54 +1200

Damian O'Neill wrote:
> Hi Guys, first post.
>
> I know there is a lot of material about configuring Squid in Interception Mode in the wiki / lists; like others I'm struggling to understand where problems might exist. Currently I have only got as far as routing; ideally I would like a bridged solution. I want to describe completely what my configuration is, as I think this may be useful to other users.
>
> I have based my installation on the information on this page: http://wiki.squid-cache.org/Features/Tproxy4 Overall I think the posting is clear, I think it could be improved by adding commands that demonstrate whether the configuration just applied succeeded or not.
>
> My approach is that ideally I could use a distro for the base and inherit everything I need without having to compile code / kernel / etc.
>
> Using Fedora 13 I get the following binaries; comparing these to the prereqs, they are all > the defined versions:
>
> Kernel: 2.6.33.5-124
> iptables: 1.4.7-2
> Squid: 3.1.4-2
> libcap: 2.17-1
>
>
> The Fedora 13 distro has the following Kernel options set:
>
> CONFIG_NF_CONNTRACK=y
> CONFIG_NETFILTER_TPROXY=m
> CONFIG_NETFILTER_XT_MATCH_SOCKET=m
> CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>
>
> From the squid.spec from the src rpm shipped with Fedora 13 i.e. squid-3.1.4-2.fc13.src.rpm I can see that the enable linux netfilter is configured
>
>
> ...
> ...
>
> %ifnarch ppc64 ia64 x86_64 s390x
>
> --with-large-files \
>
> %endif
> --enable-linux-netfilter \
>
> --enable-referer-log \
>
> --enable-removal-policies="heap,lru" \
>
> --enable-snmp \
>
> ...
> ...
>
>
> lsmod on the Squid Host shows the tproxy module loaded.
>
> Module Size Used by
> sunrpc 192013 1
> cpufreq_ondemand 8420 4
> acpi_cpufreq 7477 1
> freq_table 3851 2 cpufreq_ondemand,acpi_cpufreq
> iptable_nat 5420 0
> nf_nat 19059 1 iptable_nat
> xt_TPROXY 2102 1
> xt_socket 2525 1
> nf_tproxy_core 2163 2 xt_TPROXY,xt_socket,[permanent]
> xt_MARK 1007 1
> iptable_mangle 3107 1
> ip6t_REJECT 4055 2
> nf_conntrack_ipv6 17513 2
> ip6table_filter 2743 1
> ip6_tables 16558 1 ip6table_filter
> ipv6 267033 36 ip6t_REJECT,nf_conntrack_ipv6
> uinput 7230 0
> tg3 103314 0
> pl2303 14822 0
> usbserial 32421 1 pl2303
> i3200_edac 3104 0
> serio_raw 4539 0
> edac_core 37487 2 i3200_edac
> iTCO_wdt 10864 0
> iTCO_vendor_support 2451 1 iTCO_wdt
> i2c_i801 10086 0
> microcode 17930 0
> radeon 589438 0
> ttm 53215 1 radeon
> drm_kms_helper 23936 1 radeon
> drm 169073 3 radeon,ttm,drm_kms_helper
> i2c_algo_bit 4781 1 radeon
> i2c_core 24507 5 i2c_i801,radeon,drm_kms_helper,drm,i2c_algo_bit
>
> My setup is as follows:
>
> Client (172.27.5.109) -> Squid Host (172.27.5.104) -> Gateway (172.27.5.1)
>
> Internet access from Squid Host is working correctly.
>
> # cat /proc/sys/net/ipv4/conf/lo/rp_filter; cat /proc/sys/net/ipv4/ip_forward
> 0
> 1
>
>
> I modified the default /etc/squid/squid.conf and added the following:
>
> acl our_networks src 172.27.1.0/24 172.27.2.0/24 172.27.3.0/24 172.27.4.0/24 172.27.5.0/24 172.27.6.0/24 172.27.7.0/24
> http_access allow our_networks
>
> ...
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 tproxy
>
>
> I was getting an error about TPROXY not being present, I disabled selinux as suggested in the wiki page and startup proceeded ok.
>
>
>
> Starting Squid and running netstat, port 3128 is there and I can connect directly to it and get back content (access.log / cache.log content is as expected).
>
>
> Completing the router configuration as per http://wiki.squid-cache.org/Features/Tproxy4#iptables on a Router device I get the following:
>
> ip rule show
> 0: from all lookup local
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
>
> NOTE: should there be more values here? If I do not run "ip rule add fwmark 1 lookup 100" I get an empty response, no values.
>
> # ip route list table 100
> local default dev lo scope host
>

Our config made with kernel 2.6.30 on Linux seems to be slightly
deficient on some systems with higher security boundaries between lo and
other devices.

The report on netfilter was that setting "ip route add local 0.0.0.0/0
dev lo table 100" for each different device on the box solved the problem.

NP: just updated wiki to mention this.

<snip>
The rest looks okay, apart from eth1 not having an IP.

>
> In this configuration I can connect directly to 3128 using firefox and return webpages. Turning the proxy setting off in Firefox the browser hangs then times out.
>
> From the client if I try to ping an address in the internet the ping hangs.

That is a sign of some routing network problem right there. ICMP
protocol (ping) is not supposed to be involved with TPROXY (which is
HTTP over TCP only).

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
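Damian asked for commands that show whether each step succeeded. The script below is an added example (not from the post or the Squid wiki): it parses the `ip rule show`, `ip route list table 100` and `lsmod` output and reports which TPROXY routing piece is missing, naming the command that creates it. The sample strings are constructed from the outputs pasted in the thread, and the function names are mine.

```shell
#!/bin/sh
# Constructed samples, copied from the outputs in the post
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='local default dev lo scope host'
SAMPLE_LSMOD='Module Size Used by
xt_TPROXY 2102 1
xt_socket 2525 1
nf_tproxy_core 2163 2 xt_TPROXY,xt_socket,[permanent]'

# $1 = output of `ip rule show`; true when fwmark 1 is steered to table 100
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq 'fwmark (0x1|1)[[:space:]]+lookup 100'
}

# $1 = output of `ip route list table 100`; true when the local route via lo exists
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local default dev lo'
}

# $1 = output of `lsmod`, $2 = module name; true when that module is loaded
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { f = 1 } END { exit f ? 0 : 1 }'
}

# $1 = ip rule output, $2 = table 100 output, $3 = lsmod output
# Prints every missing piece with the command that adds it; returns 1 if any is missing
tproxy_routing_ok() {
    rc=0
    has_fwmark_rule "$1" || { echo "missing: ip rule add fwmark 1 lookup 100"; rc=1; }
    has_local_route "$2" || { echo "missing: ip route add local 0.0.0.0/0 dev lo table 100"; rc=1; }
    for m in xt_TPROXY xt_socket; do
        module_loaded "$3" "$m" || { echo "missing module: $m (modprobe $m)"; rc=1; }
    done
    return $rc
}

# Run the same checks against the live host (needs ip(8) and lsmod)
live_check() {
    command -v ip >/dev/null 2>&1 || { echo "ip(8) not found"; return 2; }
    tproxy_routing_ok "$(ip rule show)" "$(ip route list table 100)" "$(lsmod)"
}
```

Call `live_check` on the Squid host after applying the wiki steps; an empty report with exit status 0 means the rule, the table 100 route and both netfilter modules are in place.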
Received on Sun Jul 11 2010 - 08:20:02 MDT