Listed below are the beginnings of the steps I have. They are not complete; I left out some steps which I will add and repost. Please let me know if you have questions/troubles with the steps. I have not fully checked the steps for clarity and accuracy, but I eventually will. These steps are for setting up squid3HEAD with TProxy, IP spoofing and Cisco WCCP. This is not a bridging setup. Also, there is a patch for squid that I have applied which I have not noted in the steps, but I want to talk to them about its commit status before putting it in the steps.

Nick

1) Install CentOS 5.2
   a.) be sure not to install squid via the OS installer
   b.) install the development libraries and tools, as well as the legacy software development
2) Once the install completes and you have booted into the OS, run: yum update (and apply all updates.)
3) Once the yum command completes, reboot
4) Download iptables-1.4.0 from netfilter.org. Be sure NOT to download a later version of iptables 1.4 (such as 1.4.1 or 1.4.1.1)
5) Download kernel 2.6.25.11 from a kernel mirror
6) Download squid3HEAD (squid 3.1 source code).
7) Download the tproxy patch for iptables from Balabit. Be sure to get the correct patch; it should be: tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
   a.) note that so long as the tproxy-iptables-1.4.0 part of the patch name is the same as the iptables version, it is the correct patch.
8) Download the tproxy patch for the kernel from Balabit. Be sure to get the correct patch; it should be: tproxy-kernel-2.6.25-20080519-165031-1211208631
   a.) note that so long as the tproxy-kernel-2.6.25 part of the patch name is the same as the kernel, it is the correct patch.
   b.) decompress the archive, which will create a directory with the patches in it.
9) decompress the kernel source to /usr/src/linux-2.6.25
10) ln -s /usr/src/linux-2.6.25 /usr/src/linux
11) cd /usr/src/linux
12) patch the kernel source with the tproxy patches as stated in the README; it should be something like:
    cat <path_to_tproxy_kernel_patches>/00*.patch | patch -p1
13) configure the kernel, enabling the tproxy support as noted in the TProxy README.
14) compile, install, and reboot into the new kernel
15) Next, patch, configure, compile and install iptables. This is done with the thought in mind to correctly overwrite the existing iptables setup so that the current service init script that ships with CentOS 5.2 can be used. To do this, decompress the iptables 1.4.0 source code, and cd to that directory. Then follow the steps noted:
    a.) Patch the iptables source with the TProxy patch as noted in the TProxy README:
        cat <path_to_tproxy>/00*.patch | patch -p1
    b.) then run the following config line to configure the Makefile for iptables:
        make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux
    c.) check that TPROXY was built:
        ls extensions/libxt_TPROXY*
    d.) then install:
        make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux install
16) Next check the iptables version to make sure it installed properly in the right path:
    a) "iptables -v" should show:
        iptables v1.4.0: no command specified
        Try `iptables -h' or 'iptables --help' for more information.
    If it doesn't show this, but v1.3.5 instead, then I wrote step 15 above from memory incorrectly, and the paths need to be adjusted.
17) Do a "service iptables status" and see if iptables is running, stopped, or has a "RH-Firewall-1-INPUT" chain. If it has stopped altogether, do a "service iptables start" and make sure that it starts and stays running.
18) Issue the following iptables commands to enable TPROXY functionality in the running iptables instance:
    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0xffffffff
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
    Note: if any of the above commands fails, there is something wrong with the iptables update to 1.4.0 and/or the tproxy module status in iptables 1.4.0. Keep in mind that the commands are sensitive to case, spacing, and hyphenation.
19) WCCP related iptables rules need to be created next. This and further steps are only needed if L4 WCCPv2 is used with a router, and not L2 WCCP with a switch.
    iptables -A INPUT -i gre0 -j ACCEPT
    iptables -A INPUT -p gre -j ACCEPT
20) For the WCCP udp traffic that is not in a gre tunnel:
    -A RH-Firewall-1-INPUT -s 10.48.33.2/32 -p udp -m udp --dport 2048 -j ACCEPT
    NOTE: with steps 17 through 19, you may find that you have no firewall rules at all. In this case you will need to create an input chain to add some of the rules to. I created a chain called "LocalFW" and added the rule in step 20 to that chain. The rules in steps 18 and 19 stay as they are. To do this, learn iptables...or do something *LIKE* what is listed below:
    iptables -t filter -N LocalFW
    iptables -A FORWARD -j LocalFW
    iptables -A INPUT -j LocalFW
    iptables -A LocalFW -i lo -j ACCEPT
    iptables -A LocalFW -p icmp -m icmp --icmp-type any -j ACCEPT
21) Next, build the squid3HEAD source as noted in the squid readme and tproxy readme, enabling netfilter with --enable-linux-netfilter (--enable-linux-tproxy was phased out because tproxy is being more tightly integrated with iptables/netfilter and squid)
22) configure squid as noted in the squid and tproxy readmes.
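The following script is an added example; it is not part of Nick's post and not code from the Squid or TProxy projects. It packages the step-16 version check and the step-18 mangle rules into something that can be re-applied after a reboot: the rules are emitted in iptables-restore format (the same format the CentOS init script reads from /etc/sysconfig/iptables), loaded with --noflush so the filter table from steps 19/20 is left alone, and followed by the fwmark policy-routing lines from the TProxy README, which the post leaves out. Assumptions: iptables 1.4.0 with the Balabit TPROXY patch (so the --tproxy-mark/--on-port syntax matches the post), Squid listening on 3128 as in step 18, and routing table 100 as an arbitrary free table number. Only the TPROXY rule that redirects (the one with --on-port) is kept.

```bash
#!/bin/bash
# Added example (not part of Nick's post): the step-18 TPROXY rules as an
# iptables-restore fragment, plus the version check from step 16, so the
# rules can be kept in /etc/sysconfig/iptables and reloaded by the CentOS
# "service iptables" init script. Assumes iptables 1.4.0 with the Balabit
# TPROXY patch (the --tproxy-mark/--on-port syntax in the post) and Squid
# listening on the port given as the first argument (3128 by default).

# Return 0 only for the patched 1.4.0 binary. Stock CentOS 5.2 ships 1.3.5
# (no TPROXY target), and the post warns against 1.4.1/1.4.1.1.
# Usage: check_iptables_version "$(iptables -V 2>&1)"
check_iptables_version() {
    case "$1" in
        "iptables v1.4.0"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Emit the mangle table for iptables-restore. Only the TPROXY rule that
# actually redirects (--on-port) is kept. The "-m socket" rule is listed
# first so packets of a connection Squid already owns are marked by DIVERT
# and are not handed to TPROXY again.
tproxy_mangle_fragment() {
    local port="${1:-3128}"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port ${port}
COMMIT
EOF
}

# Policy routing that the mark depends on. Not in the post; this is the
# pairing from the TProxy README: packets carrying fwmark 1 are looked up
# in table 100 (assumed free), which sends everything to lo so the kernel
# delivers them locally to the TPROXY socket instead of forwarding them.
tproxy_policy_routing() {
    ip rule add fwmark 1 lookup 100 2>/dev/null || true   # idempotent re-run
    ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null || true
}

# Load the fragment into the running firewall without touching the other
# tables (--noflush), then verify a TPROXY rule is present in PREROUTING.
apply_tproxy_rules() {
    local port="${1:-3128}"
    if ! check_iptables_version "$(iptables -V 2>&1)"; then
        echo "wrong iptables: $(iptables -V 2>&1); expected v1.4.0 (steps 15/16)" >&2
        return 1
    fi
    tproxy_mangle_fragment "$port" | iptables-restore --noflush || return 1
    tproxy_policy_routing
    iptables -t mangle -L PREROUTING -n | grep -q TPROXY
}

# Only act when run explicitly as root with "apply", e.g.
# "./tproxy.sh apply 3128"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_tproxy_rules "${2:-3128}"
fi
```

To make the rules persistent, append the output of `tproxy_mangle_fragment 3128` to /etc/sysconfig/iptables (or run `service iptables save` after applying) and put the two `ip rule`/`ip route` lines somewhere that runs at boot, since the init script only restores iptables, not policy routing. The GRE and UDP 2048 rules from steps 19/20 belong in the filter table and are deliberately not part of this fragment.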