Re: [squid-users] TPROXY Interception and Multiples ISP Rules (Shorewall) dont work

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 09 May 2012 13:31:59 +1200

On 09.05.2012 13:10, Eliezer Croitoru wrote:
> On 09/05/2012 03:19, Amos Jeffries wrote:
>> On 09.05.2012 03:07, Vinicius R. Baenas wrote:
>>> Hello,
>>>
>>> I wonder if someone could use TPROXY with Shorewall and
>>> transparent Squid while using the routing rules on Shorewall
>>> (tcrules) for hosts / networks (LAN) with multiple providers (WANs)
>>> directly from the internal network on port 80 (with TPROXY
>>> transparent Squid or REDIRECT).
>>> On this issue, the routing rules do not work properly because the
>>> source is the firewall ($FW), not the hosts or networks (LAN).
>>> My guess is the TPRoxy interception (spoofing) is not working...
>>> Thank you...
>>
>>
>> REDIRECT uses NAT which erases the IP addresses and would always
>> lead to the behaviour you describe.
>>
>> TPROXY would only result in such behaviour if not working. But you
>> don't say what software versions you have on the box running Squid.
>> TPROXY is new enough that specific minimum versions are still very
>> important and bugs exist in uncommon use-cases.
>> wiki.squid-cache.org/Features/Tproxy4
>> covers the specifics.
>>
>> Amos
>>
> I was curious about it and found out that Shorewall is using iptables
> mark to load-balance and direct\route traffic in a multi-WAN setup, so
> it's pretty obvious why this occurs for TPROXY.
> If it uses some prerouting mangle to mark the packets,
> then they are re-marked for TPROXY and the whole multi-WAN
> setup\settings is useless.
> That is why it's better used on a routing level while using TPROXY.
>
> Eliezer

Hmm. Interesting point.

NP: I'm not sure I understand the kernel specifics properly so this may
be a bit off...

TPROXY and DIVERT targets use the iptables mark/mask format of
tagging, 0x1/0x1. So it should be possible to change the
documented marking value and mask from 0x1 to another which fits in with
whatever the other MARKs use.

Amos
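The mark/mask idea above, written out as an added example (this is not code from the thread, from Shorewall, or from the Squid wiki): a small POSIX sh script that checks whether a proposed TPROXY mark mask overlaps the bits another tool already uses for its own fwmarks, and then emits the usual TPROXY mangle/routing rule set with that mark and mask substituted in. The Shorewall mask value, the routing table number and the Squid TPROXY port are constructed placeholders; check your own Shorewall configuration for the real mark bits before choosing a value.

```shell
#!/bin/sh
# Added example, not from the thread. Pick TPROXY mark bits that do not
# collide with marks set by another tool (Shorewall tcrules here, assumed)
# and print the TPROXY rule set using a value/mask rather than the bare 0x1.

# marks_overlap MASK_A MASK_B -> prints "yes" if any bit is shared, else "no"
marks_overlap() {
    if [ $(( $1 & $2 )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# tproxy_rules MARK MASK TABLE SQUID_PORT -> prints the commands to run.
# Every MARK/TPROXY target and the ip rule carry the same value/mask, so
# only those bits are set or tested; bits outside the mask are left alone.
tproxy_rules() {
    mark=$1; mask=$2; table=$3; port=$4
    cat <<EOF
ip rule add fwmark $mark/$mask lookup $table
ip route add local 0.0.0.0/0 dev lo table $table
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $mark/$mask
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $mark/$mask --on-port $port
EOF
}

# Constructed values for the demonstration: assume the other tool keeps its
# provider marks in the low byte (0xff), so move TPROXY up to bit 8.
OTHER_MASK=0xff
TPROXY_MARK=0x100
TPROXY_MASK=0x100

if [ "$(marks_overlap $TPROXY_MASK $OTHER_MASK)" = yes ]; then
    echo "TPROXY mask $TPROXY_MASK overlaps the other tool's mask $OTHER_MASK" >&2
else
    # 100 and 3129 are placeholders for the routing table and Squid's tproxy port.
    tproxy_rules $TPROXY_MARK $TPROXY_MASK 100 3129
fi
```

The script only prints the commands; run them as root once you are happy with the bits chosen. One caveat worth checking on the Shorewall side: the separation only holds if Shorewall's own `ip rule ... fwmark` entries also compare with a mask, otherwise a packet that carries the extra TPROXY bit no longer matches Shorewall's provider rules even though its provider bits are intact.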
Received on Wed May 09 2012 - 01:32:04 MDT

This archive was generated by hypermail 2.2.0 : Wed May 09 2012 - 12:00:02 MDT