[squid-users] TPROXY Configuration

From: Roman Gelfand <rgelfand2_at_gmail.com>
Date: Wed, 6 Feb 2013 09:27:27 -0500

I have configured the tproxy as follows, but it appears packets are
not hitting squid. Please note, the wccp configuration on the router
is already working with squid http_port transparent configuration and,
obviously, different iptables configuration. Any help is appreciated.

Thanks in advance.

squid.conf
---------------

http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key

# FortiGate interface of wccp
wccp2_router 192.168.5.1

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443

wccp2_service dynamic 95
wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443

# tunneling method GRE for forward traffic
wccp2_forwarding_method 1

# tunneling method GRE for return traffic
wccp2_return_method 1

# Assignment method (default), only relevant if multiple caches used
wccp2_assignment_method 1

# wccp weight (default), only relevant if multiple caches used
wccp2_weight 10000

# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

rc.local
-----------

modprobe ip_gre
modprobe ip_tables
modprobe x_tables
ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
ip addr add 192.168.5.21/32 dev wccp0
ip link set wccp0 up

# Route to send the content back to the GRE tunnel
route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0

# Disabling reverse path filtering and enable routing in the kernel
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set up the redirection of traffic from the GRE tunnel to the squid tproxy ports 3228 (http) and 3229 (https)

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229

exit 0
Received on Wed Feb 06 2013 - 14:27:34 MST
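The rc.local above marks packets and hands them to TPROXY but shows no policy-routing rule for that fwmark; a TPROXY setup also needs `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`, otherwise the marked packets are forwarded normally instead of being delivered to the local socket Squid listens on. The following is an added example, not the poster's script: it prints the complete rule set for the interface and ports used in the post, and checks a dump of `ip rule show` plus `ip route show table 100` for the two policy-routing entries (table number 100 and the mark value 1 are assumptions).

```shell
#!/bin/sh
# Added example (not the poster's rc.local). Assumed values: fwmark 1,
# routing table 100, GRE tunnel interface wccp0, Squid ports from the post.
TPROXY_MARK=1
TPROXY_TABLE=100
TUN_IF=wccp0

# Print the full TPROXY rule set: policy route first, then the mangle rules.
# Run as root with:  tproxy_commands | sh
tproxy_commands() {
    cat <<EOF
ip rule add fwmark $TPROXY_MARK lookup $TPROXY_TABLE
ip route add local 0.0.0.0/0 dev lo table $TPROXY_TABLE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $TPROXY_MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i $TUN_IF -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -i $TUN_IF -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
EOF
}

# Read on stdin the combined output of
#   ip rule show; ip route show table $TPROXY_TABLE
# and return 0 only when both the fwmark rule and the local catch-all
# route are present (the two entries the post's rc.local does not set).
check_policy_route() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q "fwmark 0x$TPROXY_MARK lookup $TPROXY_TABLE" || return 1
    printf '%s\n' "$dump" | grep -q "^local default dev lo" || return 1
    return 0
}
```

Verify a live box with `{ ip rule show; ip route show table 100; } | check_policy_route && echo ok`; a non-zero exit points at the missing policy route before looking at the iptables rules.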
