Re: [squid-users] Configuration as of page TProxy4

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 26 Feb 2014 08:50:37 +0200

OK, tested a couple of things now.
With CentOS and ELREPO kernel it seems to work, at least in a NAT mode of
the router.
I would not fully test tproxy for now due to a couple of restrictions, but it
is possible and needs to be tested.
When the client (Windows Vista) tries to access the internet using
192.168.11.254, which is a router with NAT and tproxy,
the result and tcpdump are like this:
# tcpdump -i p7p1 -n port http
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p7p1, link-type EN10MB (Ethernet), capture size 65535 bytes

08:44:46.347153 IP 192.168.11.100.50862 > 212.199.219.222.http: Flags
[S], seq 3055074151, win 8192, options [mss 1460,nop,wscale
8,nop,nop,sackOK], length 0
08:44:46.347226 IP 212.199.219.222.http > 192.168.11.100.50862: Flags
[S.], seq 178638172, ack 3055074152, win 29200, options [mss
1460,nop,nop,sackOK,nop,wscale 7], length 0
08:44:46.347389 IP 192.168.11.100.50862 > 212.199.219.222.http: Flags
[.], ack 1, win 256, length 0
08:44:46.347495 IP 212.199.219.222.http > 192.168.11.100.50862: Flags
[F.], seq 1, ack 1, win 229, length 0
08:44:46.347642 IP 192.168.11.100.50862 > 212.199.219.222.http: Flags
[.], ack 2, win 256, length 0
08:44:46.347727 IP 192.168.11.100.50862 > 212.199.219.222.http: Flags
[F.], seq 1, ack 2, win 256, length 0
08:44:46.347740 IP 212.199.219.222.http > 192.168.11.100.50862: Flags
[.], ack 2, win 229, length 0
08:44:46.348712 IP 192.168.11.100.50863 > 212.199.219.222.http: Flags
[S], seq 3247333592, win 8192, options [mss 1460,nop,wscale
8,nop,nop,sackOK], length 0
08:44:46.348785 IP 212.199.219.222.http > 192.168.11.100.50863: Flags
[S.], seq 1538183763, ack 3247333593, win 29200, options [mss
1460,nop,nop,sackOK,nop,wscale 7], length 0
08:44:46.349139 IP 192.168.11.100.50863 > 212.199.219.222.http: Flags
[.], ack 1, win 256, length 0
08:44:46.349249 IP 212.199.219.222.http > 192.168.11.100.50863: Flags
[F.], seq 1, ack 1, win 229, length 0
08:44:46.349511 IP 192.168.11.100.50863 > 212.199.219.222.http: Flags
[.], ack 2, win 256, length 0
08:44:46.349991 IP 192.168.11.100.50863 > 212.199.219.222.http: Flags
[P.], seq 1:505, ack 2, win 256, length 504
08:44:46.350127 IP 192.168.11.100.50863 > 212.199.219.222.http: Flags
[F.], seq 505, ack 2, win 256, length 0
08:44:46.350153 IP 212.199.219.222.http > 192.168.11.100.50863: Flags
[R], seq 1538183765, win 0, length 0

on the interface to the client.

This is the overall traffic when trying to access the web using the proxy:
# tcpdump -i any -n not port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
bytes
08:47:45.905361 IP 192.168.11.100.netbios-dgm >
192.168.11.255.netbios-dgm: NBT UDP PACKET(138)
08:47:47.618274 IP 192.168.11.100.50868 > 212.199.219.222.http: Flags
[S], seq 3853517428, win 8192, options [mss 1460,nop,wscale
8,nop,nop,sackOK], length 0
08:47:47.618345 IP 212.199.219.222.http > 192.168.11.100.50868: Flags
[S.], seq 2556501289, ack 3853517429, win 29200, options [mss
1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:47.618552 IP 192.168.11.100.50868 > 212.199.219.222.http: Flags
[.], ack 1, win 256, length 0
08:47:47.618658 IP 212.199.219.222.http > 192.168.11.100.50868: Flags
[F.], seq 1, ack 1, win 229, length 0
08:47:47.618796 IP 192.168.11.100.50868 > 212.199.219.222.http: Flags
[.], ack 2, win 256, length 0
08:47:47.619255 IP 192.168.11.100.50868 > 212.199.219.222.http: Flags
[F.], seq 1, ack 2, win 256, length 0
08:47:47.619276 IP 212.199.219.222.http > 192.168.11.100.50868: Flags
[.], ack 2, win 229, length 0
08:47:47.620982 IP 192.168.11.100.51194 > 192.168.10.254.domain: 25482+
A? www.google.com. (32)
08:47:47.621029 IP 192.168.10.113.51194 > 192.168.10.254.domain: 25482+
A? www.google.com. (32)
08:47:47.655222 ARP, Request who-has 192.168.10.113 tell 192.168.10.254,
length 46
08:47:47.655250 ARP, Reply 192.168.10.113 is-at 08:00:27:71:21:41, length 28
08:47:47.658912 IP 192.168.10.254.domain > 192.168.10.113.51194: 25482
6/0/0 A 173.194.70.103, A 173.194.70.147, A 173.194.70.106, A
173.194.70.104, A 173.194.70.105, A 173.194.70.99 (128)
08:47:47.658950 IP 192.168.10.254.domain > 192.168.11.100.51194: 25482
6/0/0 A 173.194.70.103, A 173.194.70.147, A 173.194.70.106, A
173.194.70.104, A 173.194.70.105, A 173.194.70.99 (128)
08:47:47.660391 IP 192.168.11.100.50869 > 173.194.70.103.http: Flags
[S], seq 446252517, win 8192, options [mss 1460,nop,wscale
8,nop,nop,sackOK], length 0
08:47:47.660460 IP 173.194.70.103.http > 192.168.11.100.50869: Flags
[S.], seq 3734222194, ack 446252518, win 29200, options [mss
1460,nop,nop,sackOK,nop,wscale 7], length 0
08:47:47.660581 IP 192.168.11.100.50869 > 173.194.70.103.http: Flags
[.], ack 1, win 256, length 0
08:47:47.660688 IP 173.194.70.103.http > 192.168.11.100.50869: Flags
[F.], seq 1, ack 1, win 229, length 0
08:47:47.660822 IP 192.168.11.100.50869 > 173.194.70.103.http: Flags
[.], ack 2, win 256, length 0
08:47:47.660922 IP 192.168.11.100.50869 > 173.194.70.103.http: Flags
[P.], seq 1:505, ack 2, win 256, length 504
08:47:47.661285 IP 192.168.11.100.50869 > 173.194.70.103.http: Flags
[F.], seq 505, ack 2, win 256, length 0
08:47:47.661314 IP 173.194.70.103.http > 192.168.11.100.50869: Flags
[R], seq 3734222196, win 0, length 0

which ends up with a reset response instead of any other option.
Why exactly, I do not know and do not understand.
I do not know what debug section to even log for that:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Since the basic tproxy level seems to be working fine I am yet to be
sure if there is a problem in the kernel or the related code.
Any light will help.

Eliezer

On 24/02/2014 18:09, Jose-Marcio Martins wrote:
>
> Hello Amos,
>
> I'm trying to configure a transparent proxy as explained on the page you
> wrote :
>
> http://wiki.squid-cache.org/Features/Tproxy4
>
> but it doesn't work. Maybe I'm confused with some config directions I
> see on other pages.
>
> I'm running squid on a fedora 20 box with the squid which comes with it
> : 3.3.11.
>
> Squid runs fine as a cache only (on port 8080), but not as transparent
> proxy on port 3129.
>
> About the doc... you don't talk about "ip_gre" and "gre". Are these
> modules still needed or they are replaced by xt_TPROXY and... ?
>
> Are the following enough ?
Received on Wed Feb 26 2014 - 06:50:58 MST
