Re: [squid-users] yahoo mail problem with tproxy (squid 3.1.19, kernel 3.2.21)

From: Eliezer Croitoru <>
Date: Sat, 21 Jul 2012 05:46:05 +0300

On 7/21/2012 3:15 AM, Ming-Ching Tiew wrote:
> ----- Original Message -----
>> From: Ming-Ching Tiew <>
>> rc.local attached.
> Attachment rejected so re-post inline below :-
i got it all in the private mail.
> #!/bin/sh
> #
> # This script will be executed *after* all the other init scripts.
> # You can put your own initialization stuff in here if you don't
> # want to do the full Sys V style init stuff.
> touch /var/lock/subsys/local
> ifconfig eth0 up
> ifconfig eth1 up
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig br0 up
> ip route add default via
> MODE=tproxy
> if [ "$MODE" = "tproxy" ]
> then
> ebtables -t broute -F BROUTING
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \
> --ip-destination-port 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-protocol tcp \
> --ip-source-port 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-protocol tcp \
> --ip-destination-port 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \
> --ip-source-port 80 -j redirect --redirect-target DROP
i think you misunderstood the way bridge works any why you put the
because your whole script in intercept or tproxy modes are out of order.
since you are using the machine only as bridge and not Bridge+router
it's different thing about how you should look at it.
bridge works at Layer 2 level of packets.
there should not be a bridge loop!! such as one switch and the two NICs
connected to it (managed switch\VLANS is another story).
Bridge is a one way ticket for the packets.
requests for web pages comes only from one interface (unless you are
hosting a web server in the lan behind the bridge adn this is another story)
i dont know what in what side this GW is sitting in the
network but for the example i will say that it sits behind eth1 interface.

i will give you a starter on bridge.
the idea is:
packet--> eth0-->

          {is this packet for}
bridge {me? if not me maybe }
thinkgs {someone on eth1? if so}
        {transmit it to eth1 or}
           { me. else ignore the}
          {packet. }
packet in bridge ---> eth1--->gw

the ACCEPT rule of ebtables is the above logic.
the DROP rule of ebtables is actually another thing:
packet-->eth0-->BROUTE = DROP--> route\forward the packet using the
local machine firewall and routes rules.

so what you just need for ebtables is two rules:
all packets the are destined to the web om port 80.. route them into the
machine... later will be intercepted by tproxy so:
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \
--ip-destination-port 80 -j redirect --redirect-target DROP

and every packet that comes from the internet from port 80 (web server)
should be always get to the proxy as it's an answer to squid request
either tproxy or intercept.
the only difference with intercept mode is that:
the packet that comes back from the internet destination is the proxy
and on any case the bridge will send it to the proxy.

so to intercept web answers to the proxy you need the rules:
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-protocol tcp \
  --ip-source-port 80 -j redirect --redirect-target DROP

and that is it for the bridge.


> cd /proc/sys/net/bridge
> for i in *
> do
> echo 0 > $i
> done
> iptables -t mangle -F
> iptables -t nat -F
> iptables -t mangle -F PREROUTING
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
> --tproxy-mark 0x1/0x1 --on-port 3129
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule delete fwmark 1/1 lookup 150 2>/dev/null
> ip rule add fwmark 1/1 lookup 150
> ip route flush table 150
> ip route add local dev lo table 150
> for i in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 0 > $i
> done
this is a very very wrong thing to do!
make a static decision.
if you want an intercept port use another one and make them both static
and dont play every boot "sed" with squid.conf.

> sed -i -e 's/http_port 3129.*/http_port 3129 tproxy/' /etc/squid/squid.conf
> else
> # intercepting nat MODE
> ebtables -t broute -F
> ebtables -t broute -A BROUTING -p ipv4 --ip-protocol tcp --ip-source-port 80 \
> -j redirect --redirect-target ACCEPT
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3129
> sed -i -e 's/http_port 3129.*/http_port 3129 intercept/' /etc/squid/squid.conf
> fi
the above are bad because you are doing the same mistake of which
declaring you dont understand how bridge works.
the "--redirect-target ACCEPT" is actually means: pass the packet to the
other side of the bridge or more precisely do transfer the packet to the
next levels of the bridge.

after all this a good way to understand bridges is:
have great diagrams and packets flows.

so the rules you actually need is:
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \
  --ip-destination-port 80 -j redirect --redirect-target DROP
iptables -t nat -A PREROUTING -m physdev --physdev-in eth0 -p tcp
--dport 80 -j REDIRECT \ --to-port 3129

if you are willing to be explicit.
byt actually only the iptables rules will be sufficient to make the
drill in intercept mode.
the bridge rule in this case is just to make it sooner a routing issue
then a bridge issue.

just as a note this diagram:
from left to right shows only two points in ebtables that can make your
clients get into squid.
link layer BROUTING (BLUE) or link layer NAT(green)PREROUTING.

> # Default Fedora DVD installation has rules which must be deleted
> iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
> iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
> echo 1 > /proc/sys/net/ipv4/ip_forward

first try to change the settings to make them somehow genuine.
the next step is to understand that yahoo mail is mostly https traffic
which will not pass through squid.
if you do still get problems the it can be because of another network
issue that is related to the way you implemented your bridge in the

how this machine cables are setup? switch..router..client etc..
in my setup fedora 15 works ok.

it seems like another issue then squid itself.
if nat\redirect works fine in most cases it a matter of mac level
filtering since bridge do forward packet without mangling the src mac
address and while tproxy socket *DO* use the mac address of the src.

it seems like the wiki is indeed missing some explanation on bridge and


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Sat Jul 21 2012 - 02:46:15 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 21 2012 - 12:00:03 MDT