Re: [squid-users] tproxy configuration

From: Eliezer Croitoru <>
Date: Tue, 17 Jul 2012 14:52:43 +0300

On 7/17/2012 2:07 PM, nipun_mlist Assam wrote:
> Eliezer,
> Thanks for the links. The diagram in the first link is good but I
> don't know how to read that language.
> Also, squid has a bug regarding its tproxy feature, it never spoofs
> the client IP. I made a small fix for that issue, but that was one
> year back and I lost the code with the fix.
> Regards,
> Nipun Talukdar
> Bangalore
> India
There is no problem with squid and tproxy that won't spoof clients' IPs;
I will add it later to the squid wiki.

diagram of the network: correctly.

squid host config (shell, run as root; CISCOIPID, LOCALIP and CISCODIRIP
must be set for your environment):

# CISCOIPID  - router ID the Cisco presents in WCCP (the GRE tunnel endpoint)
# LOCALIP    - this proxy's own IP on the proxy VLAN
# CISCODIRIP - the router's directly connected IP (source of WCCP UDP/2048)
: "${CISCOIPID:?set CISCOIPID}" "${LOCALIP:?set LOCALIP}" "${CISCODIRIP:?set CISCODIRIP}"

echo "Loading modules.."
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

#you must connect the gre tunnel to the cisco router IP identifier.

echo "changing routing and reverse path stuff.."
# rp_filter must be off wherever packets with spoofed addresses appear; the
# kernel uses the larger of conf/all and the per-interface value, so on a
# distribution that defaults conf/all/rp_filter to 1 that must be 0 as well.
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "creating tunnel..."
iptunnel add wccp0 mode gre remote $CISCOIPID local $LOCALIP dev eth1
ifconfig wccp0 up
# the redirected client traffic arrives on the tunnel, so disable rp_filter there too
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

echo "creating routing table for tproxy..."
# packets marked 1 are looked up in table 100, which delivers every
# destination locally so squid can accept connections to foreign IPs
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo "creating iptables tproxy rules..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
# WCCP control traffic from the router and the redirected traffic over GRE
iptables -A INPUT -s $CISCODIRIP -p udp -m udp --dport 2048 -j ACCEPT
iptables -A INPUT -i wccp0 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

iptables -t mangle -F
# traffic addressed to the proxy itself is never diverted
iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# packets belonging to an already-established local socket are only marked;
# new port-80 flows are handed to squid's tproxy port
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129

##start add to squid.conf
# wccp_version only affects WCCPv1; the wccp2_* directives below drive WCCPv2
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service dynamic 90
# service 80: client->server traffic, hashed on source IP, destination port 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
# service 90: server->client return traffic, hashed on destination IP,
# matched on source port 80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
# not shown in the original post but needed for the above to work:
# wccp2_router <router IP>    (the Cisco this squid registers with)
# http_port 3129 tproxy       (the port the TPROXY rule sends flows to)

##cisco config
conf t
ip access-list extended wccp
  permit ip any
ip access-list extended wccp_to_inside
  permit ip any
ip wccp 80 redirect-list wccp
ip wccp 90 redirect-list wccp_to_inside
!gw interface
interface FastEthernet0/0.1
  encapsulation dot1Q 1 native
  ip address
  ip wccp 80 redirect out
  ip wccp 90 redirect in
!proxy interface
interface FastEthernet0/0.100
  encapsulation dot1Q 100
  ip address
  ip wccp redirect exclude in
!clients interface
interface FastEthernet0/0.200
  encapsulation dot1Q 200
  ip address
!route to internet gw
ip route
##cisco config end

Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Tue Jul 17 2012 - 11:52:48 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 17 2012 - 12:00:02 MDT
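As an added example (not part of Eliezer's post and not Squid project code), a small POSIX shell checker for the host-side state the script above sets up: the forwarding and rp_filter sysctls, the fwmark rule and the local route in table 100, the socket/TPROXY rules in the mangle PREROUTING chain, and the two squid.conf lines the post relies on. The function names, the `--live` mode and the constructed inputs in the test are assumptions; the text formats matched are those printed by iproute2 (`ip rule show`, `ip route show table 100`) and `iptables -t mangle -S PREROUTING`.

```shell
#!/bin/sh
# Added example: verify the TPROXY + WCCP prerequisites described in the post.
# Every check takes its input as arguments (a sysctl root or command output)
# so it can be run against constructed data as well as the live box.

# 1. sysctls: forwarding on, reverse-path filtering off on lo and on the
#    ingress interface (the GRE tunnel). The kernel applies the larger of
#    conf/all and conf/<iface>, so conf/all is checked too.
#    $1 = sysctl root (/proc/sys on a live system), $2 = ingress interface
tproxy_sysctl_ok() {
    _root=$1; _iface=$2
    [ "$(cat "$_root/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] \
        || { echo "net.ipv4.ip_forward is not 1"; return 1; }
    for i in all lo "$_iface"; do
        [ "$(cat "$_root/net/ipv4/conf/$i/rp_filter" 2>/dev/null)" = 0 ] \
            || { echo "rp_filter is not 0 on $i"; return 1; }
    done
    return 0
}

# 2. policy routing: marked packets go to table 100, and that table must
#    deliver everything locally so foreign destination addresses are accepted.
#    $1 = output of 'ip rule show', $2 = output of 'ip route show table 100'
tproxy_routing_ok() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100' \
        || { echo "missing: ip rule add fwmark 1 lookup 100"; return 1; }
    printf '%s\n' "$2" | grep -q '^local default dev lo' \
        || { echo "missing: ip route add local 0.0.0.0/0 dev lo table 100"; return 1; }
    return 0
}

# 3. netfilter: the socket match must divert established flows and the
#    TPROXY target must steer new port-80 flows to squid's tproxy port.
#    $1 = output of 'iptables -t mangle -S PREROUTING', $2 = squid tproxy port
tproxy_mangle_ok() {
    _rules=$1; _port=$2
    printf '%s\n' "$_rules" | grep -q -- '-m socket -j DIVERT' \
        || { echo "missing: '-m socket -j DIVERT' in mangle PREROUTING"; return 1; }
    printf '%s\n' "$_rules" | grep -- '-j TPROXY' | grep -q -E -- "--on-port $_port( |$)" \
        || { echo "missing: TPROXY rule with --on-port $_port"; return 1; }
    return 0
}

# 4. squid.conf: a tproxy http_port on the diverted port and a wccp2_router
#    line, neither of which appears in the snippet from the post.
#    $1 = contents of squid.conf, $2 = squid tproxy port
tproxy_squid_conf_ok() {
    _conf=$1; _port=$2
    printf '%s\n' "$_conf" | grep -q -E \
        "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?$_port([[:space:]]+[^[:space:]]+)*[[:space:]]+tproxy([[:space:]]|$)" \
        || { echo "missing: http_port $_port tproxy"; return 1; }
    printf '%s\n' "$_conf" | grep -q -E '^[[:space:]]*wccp2_router[[:space:]]+[0-9.]+' \
        || { echo "missing: wccp2_router <router IP>"; return 1; }
    return 0
}

# Run against the live system only when asked for explicitly:
#   sh check_tproxy.sh --live [ingress-iface] [tproxy-port] [squid.conf]
if [ "${1-}" = "--live" ]; then
    tproxy_sysctl_ok /proc/sys "${2:-wccp0}"
    tproxy_routing_ok "$(ip rule show)" "$(ip route show table 100)"
    tproxy_mangle_ok "$(iptables -t mangle -S PREROUTING)" "${3:-3129}"
    tproxy_squid_conf_ok "$(cat "${4:-/etc/squid/squid.conf}")" "${3:-3129}"
fi
```

Each function prints the command or directive that is missing and returns non-zero, so the script can sit in a deployment pipeline as a gate; the rp_filter check on conf/all is the one most often tripped on distributions that enable reverse-path filtering globally, which silently drops the spoofed-source replies squid emits.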