Re: [squid-users] Tproxy Syn/Ack Problem

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 03 May 2012 10:26:49 +0300

If you already have a thread, you had better stick to it.

My tproxy setup is on Ubuntu 11.10 amd64.
I'm using one script to start the tproxy services on this machine.
I have seen claims that the ebtables rules should be DROP, but the only way
I could make it work was to accept the connections with ebtables.
As I remember, you might need to add the "ACCEPT" rules before the "DROP"
ones in ebtables.

This script is from a couple of months ago, but it worked perfectly.
Hope it will help you.

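#!/bin/sh
# Brings up a transparent (TPROXY) Squid bridge on this host: loads the
# netfilter modules, joins eth0/eth1 into br0, installs the TPROXY policy
# route and mangle chain, and diverts port-80 TCP out of the bridge path
# with ebtables' broute table.
#
# Must run as root. Every address, interface name and port below is specific
# to this host; adjust before use.
#
# Fixed versus the mailed copy: the commands the mail client had word-wrapped
# onto two lines (the TPROXY rule and the four ebtables rules) are rejoined,
# every expansion is quoted, and the "echo 0 > *" loop uses full /proc paths
# so it can never truncate files in the caller's working directory if the
# bridge sysctl directory is missing.
set -x

# Load the netfilter modules used by the rules below. A failed modprobe is
# not fatal here (same as the original); the iptables commands will then
# fail on their own.
for mod in ip_tables iptable_filter iptable_mangle xt_mark xt_socket \
    nf_tproxy_core xt_TPROXY xt_tcpudp nf_conntrack nf_conntrack_ipv4; do
  modprobe "$mod"
done

# Build the bridge: clear the IPv4 address from both member ports, stop the
# DHCP client (pkill matches any process name containing "dhc", so dhclient
# and dhcpcd alike), then bring the ports up and join them into br0.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
pkill dhc

ifconfig eth0 up
ifconfig eth1 up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 192.168.10.119
# Default route for the bridge host itself.
route add default gw 192.168.10.201
# Overwrites /etc/resolv.conf unconditionally (no backup is taken).
echo "nameserver 192.168.10.201" > /etc/resolv.conf

# TPROXY routing: packets carrying fwmark 1 are looked up in table 100, whose
# only route delivers everything to lo, so packets addressed to foreign hosts
# are accepted locally by the proxy listening on the --on-port below.
ip route flush table 100
# 'del' fails harmlessly on a fresh boot; it stops re-runs from stacking
# duplicate rules.
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

# Mangle chain. DIVERT marks packets that already match a local socket
# (-m socket, i.e. established proxied flows) so they take table 100; new
# port-80 SYNs are handed to TPROXY on port 3129 with the same mark.
iptables -t mangle -F
# -X fails if DIVERT does not exist yet; expected on the first run.
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 3129

# ebtables broute: pull client->80 and 80->client frames out of plain bridging
# so they reach the PREROUTING rules above. In the broute table ACCEPT means
# "keep bridging" and DROP means "hand the frame to the routing stack"; the
# redirect target rewrites the destination MAC to the bridge's own, which is
# presumably why the ACCEPT variant still delivered frames locally for the
# author. ebtables stops at the first match, so the DROP rules that follow
# each ACCEPT with an identical match are never reached; they are kept only
# because the original had them.
CLIENT_IFACE="eth1"
INET_IFACE="eth0"

ebtables -t broute -F

ebtables -t broute -A BROUTING -i "$CLIENT_IFACE" -p ipv4 --ip-proto tcp \
  --ip-dport 80 -j redirect --redirect-target ACCEPT

ebtables -t broute -A BROUTING -i "$CLIENT_IFACE" -p ipv4 --ip-proto tcp \
  --ip-dport 80 -j redirect --redirect-target DROP

ebtables -t broute -A BROUTING -i "$INET_IFACE" -p ipv4 --ip-proto tcp \
  --ip-sport 80 -j redirect --redirect-target ACCEPT

ebtables -t broute -A BROUTING -i "$INET_IFACE" -p ipv4 --ip-proto tcp \
  --ip-sport 80 -j redirect --redirect-target DROP

# Write 0 to every entry under /proc/sys/net/bridge (the bridge-nf-call-* and
# bridge-nf-filter-* switches) so bridged frames are not additionally passed
# through iptables/ip6tables/arptables. Full paths are used instead of a cd
# so a missing directory leaves the glob unmatched rather than clobbering
# files in the current directory.
for knob in /proc/sys/net/bridge/*; do
  [ -e "$knob" ] || continue
  echo 0 > "$knob"
done
unset knob

# Kernel knobs (the mail notes these can live in /etc/sysctl.conf instead):
# forwarding on the bridge host, conntrack byte/packet accounting, and
# reverse-path filtering relaxed only on lo, the device table 100 delivers
# to. Keep rp_filter enabled on the real interfaces unless it proves
# necessary to widen this.
sysctl net.ipv4.ip_forward=1
sysctl net.netfilter.nf_conntrack_acct=1
sysctl net.ipv4.conf.lo.rp_filter=0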

On 03/05/2012 04:32, Daniel Echizen wrote:
> Hi list..
>
> I have already posted my problem to the list before, but I'll try to
> put in more detail after a lot of research.
>
> My problem is, I have a squidbox working as a tproxy; all works fine
> except for some clients that have a wireless router (TP-Link and another
> brand) sharing their connection.
> my topology is internet<----> squidbox (bridge)<----> mikrotik
> (pppoe-server)<-----> clients
>
> squidbox under debian lenny 5.0, kernel version 3.3.4, iptables
> 1.4.13, ebtables 2.0.10-4, squid 3.1
>
> squidbox is the gateway but i have tested without too.
>
> In tcpdump I can see that the connection from the problematic client dies
> after the SYN/ACK, as shown below:
>
> 06:17:49.782874 IP 177.x.x.182.41375> 177.43.198.34.80: S
> 2780380743:2780380743(0) win 8192<mss 1440,nop,nop,sackOK>
> 06:17:49.782898 IP 177.43.198.34.80> 177.x.x.182.41375: S
> 4043086738:4043086738(0) ack 2780380744 win 14600<mss
> 1460,nop,nop,sackOK>
> 06:17:50.815675 IP 177.x.x.182.41372> 74.125.234.73.80: S
> 3452097232:3452097232(0) win 8192<mss 1440,nop,wscale
> 2,nop,nop,sackOK>
> 06:17:50.815690 IP 74.125.234.73.80> 177.x.x.182.41372: S
> 3646761972:3646761972(0) ack 3452097233 win 14600<mss
> 1460,nop,nop,sackOK,nop,wscale 7>
> 06:17:50.929351 IP 177.43.198.34.80> 177.x.x.182.41375: S
> 4043086738:4043086738(0) ack 2780380744 win 14600<mss
> 1460,nop,nop,sackOK>
> 06:17:51.085337 arp who-has 177.x.x.182 tell 177.x.x.11
> 06:17:51.086195 arp reply 177.x.x.182 is-at 00:27:19:d4:b4:27
> 06:17:51.329317 IP 74.125.234.73.80> 177.x.x.182.41372: S
> 3646761972:3646761972(0) ack 3452097233 win 14600<mss
> 1460,nop,nop,sackOK,nop,wscale 7>
> 06:17:52.776117 IP 177.x.x.182.41375> 177.43.198.34.80: S
> 2780380743:2780380743(0) win 8192<mss 1440,nop,nop,sackOK>
> 06:17:52.776130 IP 177.43.198.34.80> 177.x.x.182.41375: S
> 4043086738:4043086738(0) ack 2780380744 win 14600<mss
> 1460,nop,nop,sackOK>
> 06:17:52.929358 IP 177.43.198.34.80> 177.x.x.182.41375: S
> 4043086738:4043086738(0) ack 2780380744 win 14600<mss
> 1460,nop,nop,sackOK>
>
> 177.x.x.182 is client IP
> 177.x.x.11 is squidbox IP
>
> my config is:
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> /sbin/iptables -v -t mangle -N DIVERT
> /sbin/iptables -v -t mangle -A DIVERT -j MARK --set-mark 1
> /sbin/iptables -v -t mangle -A DIVERT -j ACCEPT
> /sbin/iptables -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 5128
>
> /usr/local/sbin/ebtables -t broute -A BROUTING -i eth4 -p ipv4
> --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> /usr/local/sbin/ebtables -t broute -A BROUTING -i eth3 -p ipv4
> --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0> $i
> done
> unset i
>
> echo 0> /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 0> /proc/sys/net/ipv4/conf/all/rp_filter
> echo 1> /proc/sys/net/ipv4/ip_forward
>
> Hope someone can help. I don't know how to track where the SYN/ACK is
> dying or getting dropped.

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il