Re: [squid-users] Implement Tproxy on Debian squeeze

From: 叶雨飞 <sunyucong_at_gmail.com>
Date: Fri, 2 Mar 2012 11:16:38 -0800

I think what happens is that the document seems to be wrong; the kernel
already has TPROXY compiled in. Look for /boot/config-xxxx and
search for TPROXY; it should say "m".

For the iptables rules, you will need to use the mangle table; there's no
tproxy table anymore.

as such

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxyport> \
              --tproxy-mark 0x1/0x1

On my machine, Ubuntu 10.04 LTS, Linux fullcenter 2.6.32-37-server #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux,
I have TPROXY 4.1.0 included; not sure about Debian.

[5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

However, I do want to add an additional question: suppose my proxy
machine will be acting as the network gateway for my LAN; can I
achieve the same effect by simply running the following?

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1:xxxx

Why was tproxy needed in the first place?

Thanks.

On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau <david_at_touzeau.eu> wrote:
>
> There is bad news: backports did not change anything regarding Tproxy.
> Only kernel 3.2x is available in the backports repository.
>
> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
> apt-get install -t squeeze-backports upgrade
> reboot
> my kernel is now
> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux
>
>
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded
>
> grep -i iptables /boot/config-`uname -r`
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP6_NF_IPTABLES=m
> # iptables trigger is under Netfilter config (LED target)
>
> SNIF, SNIF
>
>
> On 02/03/2012 17:03, David Touzeau wrote:
>
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
Received on Fri Mar 02 2012 - 19:17:08 MST
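
Added example, not part of the thread: a POSIX shell preflight for the kernel-config check the reply describes, followed by the mangle-table rule set that surrounds the TPROXY rule shown in the reply. The two kernel option names, the DIVERT chain, routing table 100 and the placeholder port 3129 are assumptions drawn from the kernel's tproxy documentation rather than from this thread, and the sample config is constructed.

```shell
#!/bin/sh
# Constructed sample kernel config (a real one is /boot/config-$(uname -r)).
SAMPLE_CONFIG='CONFIG_IP_NF_IPTABLES=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set'

# kopt_state CONFIG_TEXT OPTION: print y, m, or "missing" for one option.
kopt_state() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${v:-missing}"
}

# tproxy_preflight CONFIG_TEXT: report the options the rule set below relies
# on (assumed names); returns 1 if any is neither built in nor a module.
tproxy_preflight() {
    rc=0
    for opt in CONFIG_NETFILTER_XT_TARGET_TPROXY CONFIG_NETFILTER_XT_MATCH_SOCKET; do
        state=$(kopt_state "$1" "$opt")
        printf '%s=%s\n' "$opt" "$state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return "$rc"
}

# tproxy_rules PORT: print (not execute) the mangle-table rules and the
# policy routing that delivers packets marked by --tproxy-mark 0x1/0x1 locally.
tproxy_rules() {
    case $1 in
        ''|*[!0-9]*) echo "bad port: $1" >&2; return 2 ;;
    esac
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port $1 --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Demo on the constructed sample; on a real host pass "$(cat /boot/config-$(uname -r))".
tproxy_preflight "$SAMPLE_CONFIG" || echo "TPROXY support incomplete: some rules would fail to load"
tproxy_rules 3129
```

Review the printed commands before running them as root; the preflight only reads the config text it is given.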