[squid-users] RE: RE: Tproxy Syn/Ack Problem

From: Daniel Echizen <napala_at_gmail.com>
Date: Thu, 3 May 2012 21:22:27 -0300

Thanks for the reply, but no luck. This is very frustrating. I'm
starting to think it is something with the Mikrotik.
Does anyone know how I can look at where the SYN/ACK is getting dropped? What I can see
is that the SYN/ACK arrives from the server but cannot reach the client in the
Mikrotik router.

If you have a thread, you had better stick to it.

My tproxy setup on Ubuntu 11.10 amd64:
I'm using one script to start the tproxy services on this machine.
I have seen things about how the ebtables rules should be on DROP, but the only
way I could make it work was to accept the connections with ebtables.
As I remember, you might need to add the "ACCEPT" rules before the "DROP"
ones in ebtables.

This script is from a couple of months ago, but it worked perfectly.
Hope it will help you.

#!/bin/sh -x
# Load the netfilter modules that TPROXY needs
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe xt_mark
modprobe xt_socket
modprobe nf_tproxy_core
modprobe xt_TPROXY
modprobe xt_tcpudp
modprobe nf_conntrack
modprobe nf_conntrack_ipv4

# Build the bridge: strip the addresses from both ports and stop any DHCP client
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
pkill dhc

ifconfig eth0 up
ifconfig eth1 up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 192.168.10.119
# Default route and resolver for the bridge host itself
route add default gw 192.168.10.201
echo "nameserver 192.168.10.201" > /etc/resolv.conf

# TPROXY policy routing: packets marked 1 are looked up in table 100,
# which delivers everything to the local stack (dev lo)
ip route flush table 100
ip rule del fwmark 1 lookup 100

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

# DIVERT chain: packets that already belong to a local socket (replies from the
# origin server, and later packets of accepted client connections) are marked
# and accepted; new port-80 connections go to Squid's tproxy listener on 3129
iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# ---- second script: ebtables and sysctl ----
CLIENT_IFACE="eth1"
INET_IFACE="eth0"

ebtables -t broute -F

# Client-side HTTP requests: rewrite the destination MAC to the bridge's own
# MAC so the frame is handed up to the local IP stack, where the mangle rules
# above see it. In the broute table, ACCEPT means "bridge" and DROP means "route".
ebtables -t broute -A BROUTING -i "$CLIENT_IFACE" -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT

ebtables -t broute -A BROUTING -i "$CLIENT_IFACE" -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

# Internet-side replies from port 80 get the same treatment
ebtables -t broute -A BROUTING -i "$INET_IFACE" -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT

ebtables -t broute -A BROUTING -i "$INET_IFACE" -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# Turn off all bridge-nf-call-* hooks so plainly bridged traffic bypasses iptables
cd /proc/sys/net/bridge/

for i in *
do
 echo 0 > "$i"
done
unset i

# Changes in /etc/sysctl.conf \ sysctl
sysctl net.ipv4.ip_forward=1
sysctl net.netfilter.nf_conntrack_acct=1
# Table 100 routes everything to lo, so reverse-path filtering on lo must be off
sysctl net.ipv4.conf.lo.rp_filter=0
Received on Fri May 04 2012 - 00:22:55 MDT
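One way to answer the question in this thread (where does the SYN/ACK disappear?) is to capture with tcpdump -nn at each point along the path and compare which handshake stages each point saw. The script below is an added example, not from the thread; the capture-point names, addresses and capture lines in it are constructed.

```python
import re
# Added example, not from the thread: compare tcpdump -nn output captured at
# each point along the path and report where a handshake stops. Names and
# capture lines below are constructed for illustration.
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def parse(lines):
    """Yield (src, sport, dst, dport, flags) from tcpdump -nn text lines."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def handshake_status(captures, client, server, port=80):
    """captures: {point: [tcpdump lines]}. Return {point: set of handshake
    stages seen for client -> server:port}: 'syn' and/or 'synack'."""
    seen = {}
    for point, lines in captures.items():
        stages = set()
        for src, sport, dst, dport, flags in parse(lines):
            if (src, dst, dport) == (client, server, port) and flags == "S":
                stages.add("syn")
            elif (src, sport, dst) == (server, port, client) and flags == "S.":
                stages.add("synack")
        seen[point] = stages
    return seen

def first_break(status, path):
    """path: capture points in the order the SYN/ACK travels toward the client.
    Return the first point that saw the SYN but no SYN/ACK, else None."""
    for point in path:
        stages = status.get(point, set())
        if "syn" in stages and "synack" not in stages:
            return point
    return None

CLIENT, SERVER = "192.168.10.50", "93.184.216.34"   # constructed addresses
CAPTURES = {  # constructed tcpdump -nn excerpts for one connection
    "eth0": [  # internet-facing bridge port
        "21:22:27.100 IP 192.168.10.50.51234 > 93.184.216.34.80: Flags [S], seq 1",
        "21:22:27.130 IP 93.184.216.34.80 > 192.168.10.50.51234: Flags [S.], seq 9, ack 2"],
    "eth1": [  # client-facing bridge port
        "21:22:27.099 IP 192.168.10.50.51234 > 93.184.216.34.80: Flags [S], seq 1",
        "21:22:27.101 IP 93.184.216.34.80 > 192.168.10.50.51234: Flags [S.], seq 5, ack 2"],
    "router_lan": [  # downstream router's LAN port: the SYN/ACK never gets here
        "21:22:27.098 IP 192.168.10.50.51234 > 93.184.216.34.80: Flags [S], seq 1"]}
PATH = ["eth0", "eth1", "router_lan"]
```

With the constructed captures, first_break(handshake_status(CAPTURES, CLIENT, SERVER), PATH) returns "router_lan", pointing at the hop between the proxy bridge and the client as the place to look.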
