Re: [squid-users] Implement Tproxy on Debian squeeze

From: E.S. Rosenberg <esr_at_g.jct.ac.il>
Date: Tue, 6 Mar 2012 00:42:52 +0200

2012/3/2 Yucong Sun (叶雨飞) <sunyucong_at_gmail.com>:
> I think what happens is the document seems to be wrong, the kernel
> already has TPROXY compiled in, look for /boot/config-xxxx and
> search for TPROXY, it should say "m".
>
> for the iptables rules, you will need to use mangle table, there's no
> tproxy table anymore.
>
> as such
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port
> <proxyport>  \
>              --tproxy-mark 0x1/0x1
>
>
> on my machine ubuntu 10.04 LTS,  Linux fullcenter 2.6.32-37-server
> #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux
> I have TPROXY 4.1.0 included, not sure about debian.
>
> [5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> [5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>
>
> However, I do want to add an additional question, suppose my proxy
> machine will be acting as network gateway to my LAN, can I simply
> achieve the same effect by simply
> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT
> 127.0.0.1:xxxx  ??? why was tproxy needed in the first place?
As far as I understood it, you would use tproxy if you want to expose
your "internal" IPs to the other side, so if for instance my internal
network is actually a publicly routable block and I don't want to NAT
that, then you use tproxy, whereas the effect of the rule you wrote
above is basically NAT, in that the original source will be invisible
to the destination.

But I may not have understood things right...
Regards,
Eli
>
> Thanks.
>
> On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau <david_at_touzeau.eu> wrote:
>>
>> There is bad news, backports did not change anything regarding Tproxy.
>> Only kernel 3.2x is available on the backports repository.
>>
>> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
>> apt-get install -t squeeze-backports upgrade
>> reboot
>> my kernel is now
>> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11
>> 14:57:20 UTC 2012 i686 GNU/Linux
>>
>>
>>  iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY
>> --on-port 80
>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be
>> ignored in a future release.
>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not
>> exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded
>>
>> grep -i iptables /boot/config-`uname -r`
>> CONFIG_IP_NF_IPTABLES=m
>> CONFIG_IP6_NF_IPTABLES=m
>> # iptables trigger is under Netfilter config (LED target)
>>
>> SNIF, SNIF
>>
>>
>> On 02/03/2012 17:03, David Touzeau wrote:
>>
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
>>> TPROXY --on-port 80
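The two practical points in the thread (check the running kernel's config for TPROXY rather than grepping for "iptables", and use the mangle table instead of the old "-t tproxy" table) as an added shell example; this is not code from the thread or from the Squid project. The sample config file is constructed, the DIVERT chain and the fwmark policy-routing lines come from the kernel's TPROXY documentation rather than from this thread, and the proxy port is a parameter you supply.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Two helpers: one checks a kernel config file for the TPROXY target the
# way the reply above suggests, the other prints (does not apply) the
# mangle-table rule set that replaces the removed "-t tproxy" table.

# tproxy_support FILE
#   Prints "y", "m" or "n" and returns 0 when xt_TPROXY is built in or a
#   module, 1 otherwise. On a real host pass /boot/config-$(uname -r).
#   CONFIG_NETFILTER_XT_TARGET_TPROXY is the Kconfig symbol for the
#   TPROXY target (older kernels also list CONFIG_NETFILTER_TPROXY).
tproxy_support() {
    file="$1"
    val=$(sed -n 's/^CONFIG_NETFILTER_XT_TARGET_TPROXY=//p' "$file" | head -n 1)
    case "$val" in
        y|m) echo "$val"; return 0 ;;
        *)   echo "n";    return 1 ;;
    esac
}

# tproxy_rules PROXYPORT
#   Prints the commands for review instead of running them. The TPROXY
#   rule is the mangle-table form quoted in the thread; the DIVERT chain
#   (-m socket) short-circuits packets that already belong to a proxy
#   socket, and the fwmark rule plus "local" route deliver marked packets
#   for foreign destination addresses to the proxy. Unlike DNAT, the
#   packets keep their original source and destination addresses.
tproxy_rules() {
    port="$1"
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port $port --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Stand-alone demo on a constructed config file (not a real kernel config).
demo_cfg=$(mktemp)
printf 'CONFIG_IP_NF_IPTABLES=m\nCONFIG_NETFILTER_XT_TARGET_TPROXY=m\n' > "$demo_cfg"
if tproxy_support "$demo_cfg" > /dev/null; then
    echo "TPROXY target available, rules for proxy port 3129:"
    tproxy_rules 3129
else
    echo "TPROXY target missing from $demo_cfg"
fi
rm -f "$demo_cfg"
```

Run it on a real system as `tproxy_support /boot/config-$(uname -r)` before touching iptables; when it prints "n" the TPROXY rule will be rejected regardless of which table you name. The DNAT rule asked about in the thread only needs the nat table and no policy routing, but it rewrites the destination address, so the proxy sees a connection to 127.0.0.1 and the origin server sees the proxy's address rather than the client's.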
Received on Mon Mar 05 2012 - 22:42:59 MST

This archive was generated by hypermail 2.2.0 : Tue Mar 06 2012 - 12:00:02 MST