Re: [squid-users] TProxy Setup

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 03 Jul 2014 04:58:40 +0300

Hey There,

You seem to have used the wrong rules in ip route and maybe something else.
I need more of the picture to understand what and how you implemented it.
What I need is the IP and wires topology.
WCCP is not good for you (maybe), but the examples are perfect from any
aspect.
Take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2

You can take the relevant rules from the article to correct yours.
Basically, what you need is:
#!/usr/bin/bash

echo "Loading modules.."
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

# address of the proxy box itself; traffic to it must bypass TPROXY
LOCALIP="10.80.2.2"

echo "changing routing and reverse path stuff.."
# reverse path filtering drops the spoofed-looking TPROXY replies
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
   echo 0 > $i
done
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "creating routing table for tproxy..."
# marked packets are routed via table 100, which delivers everything locally on lo
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo "creating iptables tproxy rules..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

iptables -t mangle -F
iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
# DIVERT marks packets that already belong to a local (Squid) socket
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# new port 80 connections are marked and handed to Squid's tproxy port
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129
##END OF FILE

The route towards the lo is important to enable the tproxy action.
In your settings I have seen that you have used something else which
will probably cause some strange issues.

All the best,
Eliezer
On 07/03/2014 03:01 AM, Nyamul Hassan wrote:
> Hi,
>
> We are trying to run Squid 3.4.6 with TProxy. Earlier we used to run
> Squid 2.7.Stable9 in "transparent" mode with a DNAT rule on the router
> box to redirect traffic. This being our first jibe at Squid3, we have
> successfully configured "intercept" mode with the router doing a
> policy-based routing (instead of DNAT). All works quite well!
>
> However, when we try to do a TProxy configuration, Squid does not seem
> to be seeing the traffic at all. Since Squid3 is working in
> "intercept" we assume that is not the problem. IPTables is configured
> as follows:
>
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "TProxy: "
> -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> -A DIVERT -j MARK --set-mark 1
> -A DIVERT -j ACCEPT
> COMMIT
>
> The Log option shows similar lines as follows (our IP omitted below):
> Jul 3 05:15:24 proxy01 kernel: TProxy: IN=eth0 OUT=
> MAC=00:22:4d:a7:9a:8c:00:15:17:c8:a0:39:08:00 SRC=<test>
> DST=195.93.85.193 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=25176 DF
> PROTO=TCP SPT=3264 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> We also tried both with and without the "IP" commands:
>
> ip rule add fwmark 1 lookup 100
> ip route add local default dev eth0 table 100
>
> We have searched through Google, mailing lists, Squid Docs, but it seems
> like we are still missing something. One thing though, a lot
> of the TProxy examples accompany WCCP or Bridge. Are either of them
> mandatory in TProxy setup? If not, could someone help us where we are
> doing things wrong?
>
> Thanks in advance for your guidance.
>
> Regards
> HASSAN
>
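Added here as a diagnostic (not code from the thread or the Squid wiki): a shell script that checks the four prerequisites Eliezer's script sets up, including the lo-versus-eth0 route at the heart of the question. The check functions take command output as text, so the constructed SAMPLE_* values and the audit_live helper are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added TPROXY prerequisite audit (not code from the thread). Each check_*
# takes command output as text, so it works on the live box (audit_live,
# needs root) and on the constructed samples at the bottom.
# Every /proc/sys/net/ipv4/conf/*/rp_filter value (one per line) must be 0.
check_rp_filter() {
  [ -n "$1" ] || return 1
  ! printf '%s\n' "$1" | grep -qv '^0$'
}

# `ip rule show` must send fwmark 1 (printed as 0x1) to table 100.
check_fwmark_rule() {
  printf '%s\n' "$1" | grep -Eq 'fwmark 0x1 .*lookup 100( |$)'
}

# `ip route show table 100` must hold a *local* default route on lo; the
# "dev eth0" route quoted in the question never delivers to the TPROXY socket.
check_tproxy_route() {
  printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'
}

# `iptables -t mangle -S PREROUTING` must divert socket matches and TPROXY
# port 80 onto Squid's 3129 with mark 0x1/0x1.
check_mangle_rules() {
  printf '%s\n' "$1" | grep -q -- '-m socket -j DIVERT' || return 1
  line=$(printf '%s\n' "$1" | grep -- '-j TPROXY') || return 1
  printf '%s\n' "$line" | grep -q -- '--dport 80' &&
    printf '%s\n' "$line" | grep -q -- '--on-port 3129' &&
    printf '%s\n' "$line" | grep -q -- '--tproxy-mark 0x1/0x1'
}

# Run one check on live output and print PASS/FAIL with the check's name.
report() { if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi; }
audit_live() {
  rc=0
  report check_rp_filter    "$(cat /proc/sys/net/ipv4/conf/*/rp_filter 2>/dev/null)" || rc=1
  report check_fwmark_rule  "$(ip rule show 2>/dev/null)" || rc=1
  report check_tproxy_route "$(ip route show table 100 2>/dev/null)" || rc=1
  report check_mangle_rules "$(iptables -t mangle -S PREROUTING 2>/dev/null)" || rc=1
  return $rc
}

# Constructed samples: the route from the question beside the corrected one.
SAMPLE_ROUTE_BAD='local default dev eth0 scope host'
SAMPLE_ROUTE_GOOD='local default dev lo scope host'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100'
SAMPLE_MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1'
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run with `--live` on the proxy box to audit the running configuration; without arguments the script only defines the checks.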
Received on Thu Jul 03 2014 - 02:01:03 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 03 2014 - 12:00:05 MDT