Re: [squid-users] Linux + TPROXY + Remote Squid

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 31 May 2012 06:09:27 +0300

I was curious about it because the last time I set up TPROXY on Debian
it took me a couple of minutes.
I am using Debian Squeeze 6.0.5 with the basic 2.6.32-5-amd64 kernel and
squid 3.1.6 from the Debian repos, and TPROXY works fine for me!!
Debian installed with squid3, ebtables, bridge-utils.
(also tested with self-built squid 3.2.0.17 and squid 3.1.19)

The main thing with TPROXY is to allow promiscuous mode on the VM net card,
and on the router machine disable the reverse path filter; checking with:
sysctl -a | grep rp_filter
should show all of them with the value 0.

I am still trying to understand what you are doing on each of the servers.

What are the networks, what are the machines, and what does every machine do?

What I got until now was:
W7|eth0[what ip?] -(some net)---> ethX[what ip?]--|debian_router|--[what ip?]ethX--(some net)-->ethX[what ip?]--|squid_debian|ethX[what ip?]--->{{{ internet }}}

Please fill my gap about the ethX numbers and about any MASQUERADING that happens.

Notice that if you are doing DNAT there is no point at all in TPROXY,
because the client IP was lost already.

Output of:
iptables-save
ip route list
# if you are using some routing tables, then also
ip route show table table_number_or_name_here

The only problem I have seen is that if I have an established session
from the client and I reload the rules, I get this squid error page:
##start
ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL:
(null)://www.cnn.com/

     Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:

     Missing or incorrect access protocol (should be "http://" or similar)

     Missing hostname

     Illegal double-escape in the URL-Path

     Illegal character in hostname; underscores are not allowed.
Your cache administrator is webmaster.

Generated Thu, 31 May 2012 01:17:12 GMT by localhost (squid/3.1.6)
##end

I will check with the latest squid version.

I am using this script to load the iptables rules:

#start
#!/bin/sh -x
# load the modules required for TPROXY
modprobe ip_tables
modprobe nf_conntrack_ipv4
modprobe xt_tcpudp
modprobe nf_tproxy_core
modprobe xt_MARK
modprobe xt_TPROXY
modprobe xt_socket

# show the current value, then enable connection accounting
sysctl net.netfilter.nf_conntrack_acct
sysctl net.netfilter.nf_conntrack_acct=1

# routing: packets carrying fwmark 1 are looked up in table 100, which
# delivers everything to the local stack so Squid can accept them
ip route flush table 100
ip rule del fwmark 1 lookup 100 2>/dev/null   # may not exist yet on first run
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

echo "flushing any existing rules"
iptables -t mangle -F
iptables -t mangle -X DIVERT 2>/dev/null       # may not exist yet on first run

echo "creating rules"
# DIVERT: mark packets that already belong to a local socket and accept them
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# packets of established flows (a socket exists) go to DIVERT first;
# new port-80 connections are handed to the TPROXY listener on port 3129
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#end

This one is for ebtables:

#start
#!/bin/sh -x
CLIENT_IFACE="eth1"
INET_IFACE="eth0"

# in the broute table the first matching rule decides; "redirect" rewrites the
# destination MAC to the bridge's own, ACCEPT keeps bridging the frame and
# DROP means "route it" instead of bridging
ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT

ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# turn off every bridge-nf-call-* knob so bridged frames do not pass through iptables
cd /proc/sys/net/bridge/ || exit 1

for i in *
  do
    echo 0 > "$i"
  done
unset i
#end

Eliezer

On 25/05/2012 17:35, Thomas York wrote:
> I have a lab environment set up using two Debian Wheezy servers (Squeeze
> doesn't have a new enough kernel or iptables to do TPROXY properly). One of
> the servers is a router and the other is a proxy server. There are several
> clients connected to the router to simulate a production routing
> environment. If I have both the TPROXY redirection and Squid on the same
> server, Squid handles the requests and everything works perfectly. However,
> this isn't how I want the proxy to be configured in our production
> environment. I've changed my iptables rules on the router to redirect all
> tagged 1 packets to the proxy server. This is working perfectly fine and I
> can see the data being routed to the proxy server using tcpdump on both the
> router and the proxy. However, Squid on the proxy server doesn't seem to
> 'see' the data being routed and doesn't do anything with it. I have
> "http_port 3129 tproxy" set on the proxy server. Is there anything special I
> need to do using iptables on the proxy server?
>
> Both servers are running kernel 3.2.0-2-amd64 and iptables 1.4.13 from
> Wheezy and the Squid being used on the proxy is 3.1.19. If any more
> information is needed, please just let me know and I'd be happy to supply
> it. Thanks.
>
> --Thomas York

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
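An added example, not from Eliezer's mail or the Squid project: a small POSIX shell check for the prerequisites the mail lists (rp_filter all 0, fwmark 1 looked up in table 100, the local route on lo, and the socket match ahead of the TPROXY rule). Every function name is mine, each check reads command output on stdin, and the sample outputs at the bottom are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: offline checks for the TPROXY prerequisites listed in the mail.
# Each check reads command output on stdin and returns 0 when it passes.

# every rp_filter knob must be 0; prints the offending keys and fails otherwise
check_rp_filter() {
    bad=$(grep 'rp_filter' | grep -v '= 0$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
# policy rule: fwmark 1 (shown as 0x1 by iproute2) must look up table 100
check_fwmark_rule() { grep -Eq 'fwmark (0x)?1 lookup 100( |$)'; }
# table 100 must deliver everything to the local stack via lo
check_local_route() { grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; }
# mangle PREROUTING: the socket match must come before the TPROXY rule so
# packets of established sessions are diverted instead of re-proxied
check_mangle_rules() {
    rules=$(grep -E '^-A PREROUTING ' | grep -E 'socket -j DIVERT|--dport 80 -j TPROXY')
    [ "$(printf '%s\n' "$rules" | grep -c .)" -eq 2 ] || return 1
    printf '%s\n' "$rules" | sed -n 1p | grep -q 'socket -j DIVERT' || return 1
    printf '%s\n' "$rules" | sed -n 2p | grep -q 'TPROXY.*--on-port 3129'
}

# constructed sample outputs (not captured from a real host)
SYSCTL_OK='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0'
SYSCTL_BAD='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1'
RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
TABLE100='local default dev lo scope host'
MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

# run every check on the given outputs; succeeds only when all of them pass
tproxy_prereqs_ok() {
    printf '%s\n' "$1" | check_rp_filter >/dev/null &&
    printf '%s\n' "$2" | check_fwmark_rule &&
    printf '%s\n' "$3" | check_local_route &&
    printf '%s\n' "$4" | check_mangle_rules
}
# on a live router: tproxy_prereqs_ok "$(sysctl -a 2>/dev/null)" "$(ip rule)" \
#                       "$(ip route show table 100)" "$(iptables-save -t mangle)"
```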
Received on Thu May 31 2012 - 03:09:39 MDT

This archive was generated by hypermail 2.2.0 : Thu May 31 2012 - 12:00:05 MDT