Re: [squid-users] tproxy configuration

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 17 Jul 2012 14:52:43 +0300

On 7/17/2012 2:07 PM, nipun_mlist Assam wrote:
> Eliezer,
>
> Thanks for the links. The diagram in the first link is good but I
> don't know how to read that language.
>
> Also, squid has a bug regarding its tproxy feature, it never spoofs
> the client IP. I made a small fix for that issue, but that was one
> year back and I lost the code with the fix.
>
> Regards,
> Nipun Talukdar
> Bangalore
> India
>
>
<SNIP>
There is no problem with squid and tproxy that won't spoof clients' IP if
set up correctly. I will add it later to the squid wiki.

Diagram of the network:
http://www1.ngtech.co.il/squid/wccp2.png

squid config:
##start wccp2.sh
#!/usr/bin/bash

echo "Loading modules.."
# TPROXY target, socket and mark matches, plus GRE for the WCCP tunnel
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

LOCALIP="10.80.2.2"
CISCODIRIP="10.80.2.1"
#you must connect the gre tunnel to the cisco router IP identifier.
CISCOIPID="192.168.10.127"

echo "changing routing and reverse path stuff.."
# intercepted packets are delivered on lo with a foreign source address and
# would otherwise fail the reverse path check
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "creating tunnel..."
iptunnel add wccp0 mode gre remote $CISCOIPID local $LOCALIP dev eth1
ifconfig wccp0 127.0.1.1/32 up

echo "creating routing table for tproxy..."
# packets carrying fwmark 1 are looked up in table 100, which delivers
# everything locally so the intercepted connection reaches squid
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo "creating iptables tproxy rules..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
# WCCP control channel, only from the router
iptables -A INPUT -s $CISCODIRIP -p udp -m udp --dport 2048 -j ACCEPT
iptables -A INPUT -i wccp0 -j ACCEPT
# GRE is accepted from any source here; add "-s $CISCOIPID" to limit it to the tunnel peer
iptables -A INPUT -p gre -j ACCEPT

iptables -t mangle -F
# traffic addressed to the proxy itself is not intercepted
iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# packets that already belong to a local socket only need the mark
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# new port 80 flows are handed to squid's tproxy port 3129
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 3129
##end

##start add to squid.conf
wccp2_router 10.80.2.1
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service dynamic 90
# service 80: client to server traffic, matched by "ip wccp 80 redirect out" on the gw interface
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
# service 90: return traffic, hashed on destination; ports_source means port 80 is the source port
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
##end

##cisco config
conf t
ip access-list extended wccp
  permit ip 10.80.3.0 0.0.0.255 any
ip access-list extended wccp_to_inside
  permit ip any 10.80.3.0 0.0.0.255
exit
ip wccp 80 redirect-list wccp
ip wccp 90 redirect-list wccp_to_inside
!gw interface
interface FastEthernet0/0.1
  encapsulation dot1Q 1 native
  ip address 192.168.10.127 255.255.255.0
  ip wccp 80 redirect out
  ip wccp 90 redirect in
exit
!proxy interface
interface FastEthernet0/0.100
  encapsulation dot1Q 100
  ip address 10.80.2.1 255.255.255.0
  ip wccp redirect exclude in
exit
!clients interface
interface FastEthernet0/0.200
  encapsulation dot1Q 200
  ip address 10.80.3.1 255.255.255.0
exit
!route to internet gw
ip route 0.0.0.0 0.0.0.0 192.168.10.201
end
##cisco config end

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Tue Jul 17 2012 - 11:52:48 MDT
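An added check for the setup described in the mail above, written by the editor and not part of Eliezer's message or of squid: it audits constructed samples of `iptables-save`, `ip rule show` and `ip route show table 100` output for the pieces wccp2.sh installs (the DIVERT chain, the socket match, the mark, the TPROXY rule to port 3129, and the fwmark 1 to table 100 local route) and reports the GRE accept rule when no source restricts it. The sample outputs, the function names and the "MISSING:/WARN:" wording are the editor's assumptions; to use it on a real proxy, feed the live `iptables-save` output into `audit_tproxy_rules` instead of the sample.

```shell
#!/bin/sh
# Added audit for the TPROXY/WCCP setup in the mail above (editor's example,
# not the author's script). Every input is a constructed sample of
# `iptables-save`, `ip rule show` and `ip route show table 100` output.

# Constructed `iptables-save` output as wccp2.sh would leave it
# (iptables stores --set-mark 1 as --set-xmark 0x1/0xffffffff).
GOOD_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -d 10.80.2.2/32 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.80.2.1/32 -p udp -m udp --dport 2048 -j ACCEPT
-A INPUT -i wccp0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
COMMIT'

# The same ruleset without the socket match: packets of an already accepted
# connection then miss the mark and are no longer routed to squid.
BROKEN_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v -- '-m socket')

# Constructed `ip rule show` and `ip route show table 100` output; the
# second rule sample lacks the fwmark rule the script adds.
GOOD_RULE_SHOW='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main'
BAD_RULE_SHOW='0:	from all lookup local
32766:	from all lookup main'
GOOD_ROUTE_SHOW='local default dev lo scope host'

# rule_present TEXT REGEX: true when some line of TEXT matches REGEX.
rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# need RULES DESCRIPTION REGEX: print a MISSING: line when REGEX is absent.
need() {
    rule_present "$1" "$3" || printf 'MISSING: %s\n' "$2"
}

# Reads iptables-save text on stdin, prints one MISSING:/WARN: line per
# finding and always exits 0 so it can sit in a pipeline under set -e.
audit_tproxy_rules() {
    rules=$(cat)
    need "$rules" 'DIVERT chain in the mangle table' '^:DIVERT '
    need "$rules" 'socket match sending established flows to DIVERT' \
        '^-A PREROUTING -p tcp -m socket -j DIVERT'
    need "$rules" 'DIVERT sets fwmark 0x1' '^-A DIVERT -j MARK --set-xmark 0x1/'
    need "$rules" 'TPROXY rule for tcp/80 with mark 0x1 to port 3129' \
        '^-A PREROUTING -p tcp .*--dport 80 -j TPROXY .*--on-port 3129 .*--tproxy-mark 0x1/0x1'
    # Caveat: wccp2.sh limits the WCCP control channel (udp/2048) to the
    # router but accepts GRE from anywhere; report when no -s restricts it.
    if rule_present "$rules" '^-A INPUT -p gre -j ACCEPT' &&
       ! rule_present "$rules" '^-A INPUT -s [0-9./]+ -p gre -j ACCEPT'; then
        printf 'WARN: GRE accepted from any source; add -s <router IP> to the gre rule\n'
    fi
    return 0
}

# Number of MISSING: findings for the ruleset on stdin (prints 0 when clean).
missing_count() {
    audit_tproxy_rules | grep -c '^MISSING:' || true
}

# check_policy_routing RULE_SHOW ROUTE_SHOW: true when fwmark 1 selects
# table 100 and that table delivers everything locally, which is what keeps
# intercepted packets on the proxy instead of forwarding them.
check_policy_routing() {
    rule_present "$1" 'from all fwmark 0x1 lookup 100' &&
        rule_present "$2" '^local default dev lo'
}

# Usage: run the audits over the constructed samples.
echo "== saved ruleset =="
printf '%s\n' "$GOOD_RULES" | audit_tproxy_rules
echo "== ruleset without the socket match =="
printf '%s\n' "$BROKEN_RULES" | audit_tproxy_rules
if check_policy_routing "$GOOD_RULE_SHOW" "$GOOD_ROUTE_SHOW"; then
    echo "policy routing: ok"
else
    echo "policy routing: fwmark rule or local table 100 missing"
fi
```

The patterns follow the form `iptables-save` prints (the TPROXY options come out as `--on-port ... --on-ip ... --tproxy-mark ...`), so a ruleset loaded from the script above passes with only the GRE warning, while dropping the `-m socket` rule produces one MISSING line.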

This archive was generated by hypermail 2.2.0 : Tue Jul 17 2012 - 12:00:02 MDT