Re: [squid-users] Re: transparent (intercepting?) without wccp, options?

From: Eliezer Croitoru <>
Date: Fri, 06 Jul 2012 17:42:22 +0300

On 7/6/2012 5:16 AM, Ezequiel Birman wrote:
>>>>>> "Eliezer" == Eliezer Croitoru <> writes:
> > On 7/5/2012 4:48 AM, Ezequiel Birman wrote:
> > Don't worry! I don't know anyone that masters Linux and got it all
> > from books he didn't buy :)
> XD I meant, of course, the two Squid books, Beginner's Guide and
> Advanced. Anyway, if I get this right maybe I'll write a tutorial
> myself.
It's nice to read these books, but most of what you need to know is just
out there waiting for you to read.
> I am using CentOS 6.2, for no better reason than that I use Fedora at home.
> The bridge is working, then I installed Squid via yum:
> squid-3.1.10-1.el6_2.4.x86_64
For CentOS 6.X you can use the Fedora 16 RPM of the latest Squid version.
3.1.10 is pretty old.

I will give you some other RPM files for 3.1.19.

> What now? If I understand correctly, I need to set up rules in ebtables
> to drop (divert) HTTP packets, then set iptables in order to redirect
> to port 3129 (tproxy), and that's it? Am I right?
> In I
> see rules applied to eth0, should i rewrite br0 in place of eth0?
> Should i copy the setup from
> without changes?
> Already did: "setsebool -P squid_connect_any=1 squid_use_tproxy=1". By
> the way, I think setsebool variables don't accept "yes" as a value.
> Anything else?
> Thanks for your time
I would start with SELinux off, because you probably won't need it for
this system and it will make sure that Squid runs; after that you can
try to use a full SELinux setup.

The next steps are:
Set up Squid for tproxy on port 3129 on all interfaces, but 3128 only
on loopback if you don't want clients to access it directly:
http_port 3129 tproxy
You also need to allow access for the LAN clients in the ACLs.
Set the cache_dir size etc.

Load the iptables modules + iptables rules.
Load the ebtables rules.

The rp_filter thing should be set for the real interfaces.
I will give you my tproxy script.


#!/bin/sh
# CLIENT_IFACE and INET_IFACE are the two bridge member ports (the LAN-facing
# and the Internet-facing NIC enslaved to br0); set them before running.
CLIENT_IFACE=${CLIENT_IFACE:?set to the LAN-side bridge port}
INET_IFACE=${INET_IFACE:?set to the Internet-side bridge port}

# ebtables: pull port-80 traffic out of the bridged path so it is routed
# (and therefore hits iptables PREROUTING) instead of being bridged.
# "redirect" rewrites the destination MAC to the bridge's own; in the
# BROUTING chain the DROP target means "do not bridge, hand to the IP stack".
ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp \
  --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp \
  --ip-sport 80 -j redirect --redirect-target DROP

# turn off bridge-netfilter (bridge-nf-call-iptables and friends) so that
# iptables only sees the diverted traffic, not every bridged frame
for i in /proc/sys/net/bridge/*; do
    echo 0 > $i
done

#i like to load the iptables modules by myself:
modprobe ip_tables
modprobe xt_tcpudp
modprobe nf_tproxy_core
modprobe xt_MARK
modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_conntrack_ipv4
# per-connection packet/byte counters in conntrack (accounting only)
sysctl net.netfilter.nf_conntrack_acct=1

# loose reverse-path filtering (2) on every interface; strict mode (1)
# drops the asymmetric TPROXY traffic
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 2 > $i
done

#add routes: fwmark 1 -> table 100 -> deliver locally, so packets addressed
#to foreign destinations can be accepted by the tproxy socket
ip route flush table 100
ip rule del fwmark 1 lookup 100 2>/dev/null
ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100

echo "flushing any existing rules"
iptables -t mangle -F
iptables -t mangle -X DIVERT 2>/dev/null

echo "creating rules"
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# packets belonging to an already established local (squid) socket:
# mark them so they take the local route in table 100
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# new port-80 connections: hand them to the tproxy listener on 3129
# (add "-s <lan subnet>" before -j if you want to limit this to your own clients)
iptables -t mangle -A PREROUTING -p tcp --dport 80 \
  -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

#i use conntrack to flush the old sessions so all the new ones will be
#redirected to squid.
conntrack -F
#i have used a router so i needed to flush the route cache
ip -s route flush cache


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Fri Jul 06 2012 - 14:42:31 MDT
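The squid.conf side of the steps in the reply above, as an added example that is not part of the original post: the plain proxy port 3128 bound to loopback only, the TPROXY listener on 3129, a LAN ACL, and a cache_dir. The 192.168.1.0/24 subnet, the cache path and the cache size are assumptions; replace them with your own.

```text
# squid.conf fragment for the bridge + TPROXY setup (added example)

# plain proxy port only on loopback: LAN clients cannot reach it directly,
# only the diverted port-80 traffic lands on the tproxy listener
http_port 127.0.0.1:3128
http_port 3129 tproxy

# assumed LAN behind the client-side bridge port; adjust to your subnet
acl localnet src 192.168.1.0/24

# keep the stock Safe_ports / SSL_ports / CONNECT rules from the default
# squid.conf above this point, then allow the LAN and deny everything else
http_access allow localnet
http_access allow localhost
http_access deny all

# on-disk cache: 2000 MB under /var/spool/squid (assumed path and size)
cache_dir ufs /var/spool/squid 2000 16 256
```

With SELinux enabled, the 3129 tproxy port and the spoofed outbound connections are what the squid_use_tproxy and squid_connect_any booleans mentioned earlier in the thread are for; check /var/log/audit/audit.log if Squid fails to bind or connect after you turn SELinux back on.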

This archive was generated by hypermail 2.2.0 : Mon Jul 09 2012 - 12:00:01 MDT