Re: [squid-users] Re: squid tproxy problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 19 Aug 2011 00:20:52 +1200

On 18/08/11 22:51, Benjamin wrote:
> I tested interception in bridge mode with the current setup. That is working
> fine. But when I configure tproxy, it is not working. Please guide me for
> that.
>
> Thanks,
> Benjo
>> Hi,
>>
>> Any suggestions please.
>>
>> My Current Network Setup:
>>
>> WAN ROUTER(114.30.XX.1 --- public ip)
>> |
>> |
>> |
>> SWITCH
>> |
>> |
>> |
>> SQUID BOX (114.30.XX.19 gw: 114.30.XX.1) ( bridge mode)
>> |
>> |
>> |
>> BANDWIDTH MGMT. LINUX BOX ( 114.30.XX.10 gw: 114.30.XX.1)
>> |
>> |
>> |
>> END USERS ( mix with private ips and public ips )
>>
>>
>> at squid box : eth0 -----> internet (cable from switch)
>>                eth1 -----> cable connected to BANDWIDTH MGMT. LINUX BOX
>>
...
>>> ebtables -t broute --list
>>> Bridge table: broute
>>>
>>> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
>>> -p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
>>> -p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect

Unless you changed the config between posts that means port 80 traffic
_from_ the Internet is being passed to the proxy. Same for traffic
received _from_ internal web servers.

According to the cabling diagram that should be:
  -i eth0 --ip-sport 80
  -i eth1 --ip-dport 80
... or plug the cables the other way around.

Alternatively, and at least for testing, drop the -i NIC parameters
entirely and route everything to or from port 80.

<from earlier in the thread>
>
> iptables -L -nvx -t mangle
> Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
>    pkts   bytes target  prot opt in  out  source     destination
>   10993  689414 DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
>   16765 1000259 TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
...
> OS CENTOS 6 64 bit
> squid : 3.1.4
> KERNEL : 2.6.32-71.29.1.el6.x86_64

Indeed this shows some packets that should be showing up in Squid logs,
as TCP_DENIED visitors if my assessment of the ebtables rules is
correct. But either way, showing up.

This looks a LOT like the problem Debian Lenny and Ubuntu Lucid have.
They also had kernels from early 2.6.3n numbers. Indeed going back to my
notes (in the wiki):
   "2.6.32 to 2.6.34 have bridging issues on some systems. Please use
2.6.30 or 2.6.31 for production machines, they seem to work properly."

I wrote that while monitoring TPROXY-related patches going into the
kernel, about the time 2.6.36 came out.
So if you can, 2.6.35 or later should work (the later the better). Most
people working with Debian Squeeze (kernel 2.6.37+) have had no problems
AFAICT. That success should be mirrored in other distros on the similar
kernel versions.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
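As an added illustration of the direction check Amos describes above (this script is not part of the thread and not Squid project code), the shell function below reads an `ebtables -t broute --list` listing and flags a port-80 redirect rule whose `--ip-sport`/`--ip-dport` match does not fit the bridge port it is attached to. It assumes, as the cabling diagram suggests, that the Internet-facing port is `eth0` (`WAN_IF`) and the client-facing port is `eth1` (`LAN_IF`); the function names `expected_dir` and `check_broute_rules` and the sample listing are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the thread: lint an "ebtables -t broute --list"
# listing for the NIC/port-direction mismatch discussed in the reply.
# Assumed roles (override via the environment if your cabling differs):
WAN_IF="${WAN_IF:-eth0}"   # bridge port cabled toward the switch / Internet
LAN_IF="${LAN_IF:-eth1}"   # bridge port cabled toward the clients

# Constructed sample, mirroring the reversed rules quoted in the thread.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect'

# Which port-80 match a redirect rule should carry on a given bridge port:
# frames entering from the Internet side are web-server replies (sport 80),
# frames entering from the client side are client requests (dport 80).
expected_dir() {
    case "$1" in
        "$WAN_IF") echo sport ;;
        "$LAN_IF") echo dport ;;
        *)         echo unknown ;;
    esac
}

# Reads a broute listing on stdin, prints one verdict per "-j redirect" rule
# and returns 1 if any rule would divert traffic in the wrong direction.
check_broute_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in *"-j redirect"*) ;; *) continue ;; esac
        # Interface named by "-i", empty when the rule has no -i at all.
        iface=$(printf '%s\n' "$line" |
                awk '{for (i = 1; i < NF; i++) if ($i == "-i") print $(i+1)}')
        case "$line" in
            *"--ip-dport 80"*) dir=dport ;;
            *"--ip-sport 80"*) dir=sport ;;
            *) printf 'SKIP (no port-80 match): %s\n' "$line"; continue ;;
        esac
        if [ -z "$iface" ]; then
            # No -i: the rule catches port 80 on every bridge port, which is
            # the "drop the -i parameters" variant suggested for testing.
            printf 'OK (any port): %s\n' "$line"
            continue
        fi
        want=$(expected_dir "$iface")
        if [ "$want" = unknown ]; then
            printf 'UNKNOWN NIC %s: %s\n' "$iface" "$line"
        elif [ "$dir" = "$want" ]; then
            printf 'OK: %s\n' "$line"
        else
            printf 'WRONG DIRECTION: %s\n   expected: -i %s --ip-%s 80\n' \
                "$line" "$iface" "$want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample: both rules are reversed.
printf '%s\n' "$SAMPLE_LISTING" | check_broute_rules ||
    echo "at least one broute rule diverts the wrong direction"
```

On a live box, pipe the real listing in instead of the sample (`ebtables -t broute --list | check_broute_rules`) after setting `WAN_IF`/`LAN_IF` to match how the cables are actually plugged; a wrong-direction verdict is exactly the case where inbound requests to internal servers, rather than client requests and server replies, get handed to the proxy.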
Received on Thu Aug 18 2011 - 12:20:58 MDT