Re: [squid-users] Re: TPROXY

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 04 Jun 2013 10:13:21 +0300

In general tproxy works on:
Fedora (any version 10+)
CentOS (5.9+)
Ubuntu (9.10+)
Gentoo (for a very long time)
Debian (5+)
Slax (XX)
etc.

Lots of systems work, but you just don't know how to configure them...
What routing settings have you used?
Take a look at this script and change the modules to those that exist on Ubuntu:
##start
#!/bin/sh -x
# Load the kernel modules TPROXY depends on
echo "loading modules required for the tproxy"
modprobe ip_tables
modprobe xt_tcpudp
modprobe nf_tproxy_core
modprobe xt_mark
#modprobe xt_MARK
modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_conntrack_ipv4
# Show the current conntrack accounting setting, then enable it
sysctl net.netfilter.nf_conntrack_acct
sysctl net.netfilter.nf_conntrack_acct=1

# Packets carrying fwmark 1 use table 100, which delivers them locally via lo
echo "setting routing tables for tproxy"
ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100

# Start from a clean mangle table
echo "flushing any existing rules"
iptables -t mangle -F
iptables -t mangle -X DIVERT

# DIVERT marks packets that already belong to a local socket;
# new port-80 connections arriving on eth0 are handed to the TPROXY listener on port 3129
echo "creating iptables rules"
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

echo "flushing routing cache"
ip route flush cache
##end

This is a 100% working tproxy script!!
Maybe your routing system remembers the routing cache and you need to
flush it.
In many cases this can be the reason.
Also take your time and have a look at:
http://freevideolectures.com/Course/2998/Linux-Fundamentals/19
which is 3+ lectures on how to install squid and/or with squidguard as
a transparent proxy.

I hope to put my script later on the wiki to help others understand how
to make it work.

Eliezer

On 6/3/2013 2:40 PM, alvarogp wrote:
> Hi,
>
> I have followed the same steps as in the previous case but changing the
> Operating System. Tried on:
>
> - Fedora 18
> - Kernel 3.6.10
> - IPtables 1.4.16
> - Squid 3.3.5 with Tproxy
>
> Unfortunately, it is the same situation as when I was using Ubuntu. The users
> can reach the Internet only if Squid is working, but any activity is registered
> in the file access.log.
>
> Is it possible that Fedora's kernel has the same problem as Ubuntu?
>
> Regards,
>
> Alvaro
Received on Tue Jun 04 2013 - 07:13:35 MDT
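
An added example, not part of the original message or of the Squid project: a POSIX shell check that audits the state the script above is meant to leave behind (the fwmark rule, the table 100 route, and the three mangle rules). The function name check_tproxy, the regular expressions and the sample command output are assumptions constructed for illustration; output formats can differ between iproute2 and iptables versions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TPROXY plumbing.
# check_tproxy RULES ROUTES MANGLE, where the arguments are the text output of
#   ip rule show / ip route show table 100 / iptables -t mangle -S
# Prints one line per missing piece; exit status = number of missing pieces.
check_tproxy() {
    rules=$1 routes=$2 mangle=$3 missing=0
    need() {  # need TEXT REGEX DESCRIPTION
        if ! printf '%s\n' "$1" | grep -Eq -- "$2"; then
            echo "MISSING: $3"
            missing=$((missing + 1))
        fi
    }
    need "$rules"  'fwmark 0x1(/0x[0-9a-f]+)? lookup 100' \
         'ip rule: fwmark 1 lookup 100'
    need "$routes" '^local default dev lo' \
         'table 100: local default dev lo'
    need "$mangle" '^-A DIVERT -j MARK --set-x?mark 0x1' \
         'DIVERT marks packets with 1'
    need "$mangle" '^-A PREROUTING .*-m socket.* -j DIVERT' \
         'PREROUTING socket match -> DIVERT'
    need "$mangle" '^-A PREROUTING .*--dport 80 .*-j TPROXY --on-port 3129' \
         'PREROUTING port 80 -> TPROXY 3129'
    return "$missing"
}

# Constructed sample output for a host where the script has run
# (assumed format; it can differ between iproute2/iptables versions).
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTES='local default dev lo scope host'
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

check_tproxy "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" \
    && echo "TPROXY plumbing complete"
```

On a live host, run it as root with the real output: check_tproxy "$(ip rule show)" "$(ip route show table 100)" "$(iptables -t mangle -S)".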
