Re: [squid-users] tproxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 27 Nov 2010 13:27:31 +1300

On 27/11/10 00:53, jiluspo wrote:
> Would it be possible to run tproxy on a single ethernet, same subnet as the
> gateway, squid box and clients (squid box as gateway)?

It could be difficult at best. You cannot rely on any IP-level
networking mechanisms to get the packet handling right.

The ideal TPROXY setup works with two interfaces using TCP socket
numbers and interface MAC address to pass packets around instead of IP
address and port.

> I'm trying to run tproxy at lab on ubuntu 10.04, I don't know what else

I've had mixed reports for Ubuntu TPROXY support. The cause of the
failure reports has not been clear.

> missing/wrong. squidbox as gateway works fine without tproxy.
> These private IPs would be replaced with public IPs in production.
>
> squid box runs as gateway on a single ethernet.
> squidbox:
> gateway 192.168.0.254
> ip 192.168.0.123
>
> client:
> gateway 192.168.0.123
> ip 192.168.0.197
>
> root@ubuntu:~# uname -r
> 2.6.32-25-generic-pae
>
> cat /boot/config-`uname -r` | grep -E \
>  '(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
> CONFIG_NF_CONNTRACK=m
> CONFIG_NETFILTER_TPROXY=m
> CONFIG_NETFILTER_XT_TARGET_TPROXY=m
> CONFIG_NETFILTER_XT_MATCH_SOCKET=m
>
> iptables v1.4.4
>
> libcap-dev 1:2.17-2ubuntu1
> libcap2 1:2.17-2ubuntu1
>
> sysctl.conf
> net.ipv4.ip_forward=1
> net.ipv4.conf.lo.rp_filter=0

Some OSes need these set for the "all" interface as well as each
individual ethN. I'm still trying to figure the logic behind that out.

In those cases there also needs to be a table 100 created for the public
interfaces.

>
> /tproxy script:
> {{{
> #!/bin/sh
> ip rule del fwmark 1 lookup 100
> ip route del local 0.0.0.0/0 dev lo table 100

If the above lines are doing anything, the script is breaking something.
There is a very important MUST when setting TPROXY up that the table
number is not clashing/sharing with any other feature in system.
The "100" here is an arbitrary number you can change as needed.

> iptables -F
> iptables -F -t mangle
> iptables -F -t nat
>
> # mark chain: packets sent here get fwmark 1 and are accepted
> iptables -t mangle -F DIVERT 2>/dev/null
> iptables -t mangle -X DIVERT 2>/dev/null
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> # packets belonging to an existing local socket are marked; new port-80
> # flows are handed to the tproxy listener on 3129 with the same mark
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>  --tproxy-mark 0x1/0x1 --on-port 3129
>
> # marked packets are routed through table 100, which delivers them locally
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> }}}
>
> sysctl.conf:
> net.ipv4.ip_forward=1
> net.ipv4.conf.lo.rp_filter=0
>
> root@ubuntu:~# squid -v
> Squid Cache: Version 3.1.9
> configure options: '--prefix=/usr' '--localstatedir=/var'
> '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
> '--datadir=${prefix}/share/squid' '--sysconfdir=/etc/squid'
> '--enable-async-io' '--with-pthreads' '--enable-storeio=aufs'
> '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp'
> '--enable-linux-netfilter' '--with-large-files'
> --with-squid=/root/squid-3.1.9
>
> squid.conf has
> http_port 3129 tproxy

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
Received on Sat Nov 27 2010 - 00:27:40 MST
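An added example, written for this archive page and not taken from the original poster's script or from the Squid project: an idempotent TPROXY bring-up that covers the three points raised in the reply above. It sets rp_filter=0 on "all", lo and the client-facing interface rather than on lo alone; it checks the output of `ip rule show` so that the routing table is not already shared with another feature before adding the fwmark rule; and it replaces only its own DIVERT chain and PREROUTING entries instead of a blanket `iptables -F`, which would also wipe the host's filter-table firewall on every run. Assumptions: the client-facing interface is eth0, Squid listens with `http_port 3129 tproxy`, fwmark 1 and table 100 are reserved for TPROXY, and iproute2 prints marks in hex (`fwmark 0x1`) as current versions do. It assumes the two-interface layout recommended in the reply and does nothing to solve the single-segment problem the question asks about.

```sh
#!/bin/sh
# Added example (not the poster's script, not Squid code): idempotent TPROXY
# bring-up for Squid on Linux. Assumed, overridable defaults below.
IFACE="${IFACE:-eth0}"            # interface the clients arrive on
TPROXY_PORT="${TPROXY_PORT:-3129}" # matches "http_port 3129 tproxy"
MARK="${MARK:-1}"                  # fwmark reserved for TPROXY
TABLE="${TABLE:-100}"              # routing table reserved for TPROXY
MARK_HEX=$(printf '0x%x' "$MARK")  # assumption: iproute2 prints marks in hex

# tproxy_table_clash TABLE MARK_HEX "<output of ip rule show>"
# Returns 0 (clash) if any rule other than our own fwmark rule already sends
# lookups to TABLE, 1 if the table is free for TPROXY's exclusive use.
# Pure text processing, so it can be checked against captured output.
tproxy_table_clash() {
    table="$1"; mark="$2"; rules="$3"
    while IFS= read -r line; do
        case "$line" in
            *"lookup $table"|*"lookup $table "*) ;;   # rule routes via TABLE
            *) continue ;;
        esac
        case "$line" in
            *"fwmark $mark "*) continue ;;           # that is our own rule
        esac
        printf 'table %s already in use: %s\n' "$table" "$line" >&2
        return 0
    done <<EOF
$rules
EOF
    return 1
}

# rp_filter must be off on "all" and on each interface TPROXY traffic
# crosses, not only on lo; forwarding is needed because the box is a gateway.
tproxy_sysctl() {
    sysctl -w net.ipv4.ip_forward=1
    for i in all lo "$IFACE"; do
        sysctl -w "net.ipv4.conf.$i.rp_filter=0"
    done
}

# Policy routing plus mangle rules. Only the DIVERT chain and our two
# PREROUTING entries are replaced, so re-running keeps other firewall rules.
tproxy_apply() {
    modprobe xt_TPROXY && modprobe xt_socket || return 1
    if tproxy_table_clash "$TABLE" "$MARK_HEX" "$(ip rule show)"; then
        return 1
    fi
    # marked packets are looked up in TABLE, which delivers everything locally
    ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null
    ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route replace local 0.0.0.0/0 dev lo table "$TABLE"

    iptables -t mangle -D PREROUTING -i "$IFACE" -p tcp -m socket -j DIVERT 2>/dev/null
    iptables -t mangle -D PREROUTING -i "$IFACE" -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK_HEX/$MARK_HEX" --on-port "$TPROXY_PORT" 2>/dev/null
    iptables -t mangle -F DIVERT 2>/dev/null
    iptables -t mangle -X DIVERT 2>/dev/null
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    iptables -t mangle -A DIVERT -j ACCEPT
    # packets for an existing local socket first, then new port-80 flows
    iptables -t mangle -A PREROUTING -i "$IFACE" -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK_HEX/$MARK_HEX" --on-port "$TPROXY_PORT"
}

# Nothing privileged runs unless invoked as: sh tproxy.sh apply
case "${1:-}" in
    apply) tproxy_sysctl && tproxy_apply ;;
esac
```

Run it as root with `apply`; it refuses to proceed if `ip rule show` already lists a rule for table 100 that is not the fwmark rule, which is the clash the reply says must never happen. Pick a different TABLE (and MARK) in that case rather than sharing it.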

This archive was generated by hypermail 2.2.0 : Sat Nov 27 2010 - 12:00:03 MST