> Listed below are the beginnings of steps I have. They are not complete,
> I left out some steps which I will add and repost. Please let me know if
> you have questions/troubles with the steps. I have not fully checked the
> steps for clarity and accuracy...but I eventually will.
>
> These steps are for setting up squid3HEAD with TProxy, IP spoofing and
> Cisco WCCP. This is not a bridging setup.
>
> Also, there is a patch for squid that I have applied which I have not
> noted in the steps, but I want to talk to them about its commit status
> before putting it in the steps.

''them'' being me, or Balabit?

> Nick

Thank you. Wikified at:
http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS

I've also sub-titled to show the goalposts clearly.
Now for the testing out and amendments...

>
> 1) Install CentOS 5.2
>    a.) be sure not to install squid via the OS installer
>    b.) install the development libraries and tools, as well as the
>        legacy software development
>
> 2) Once the install completes and you have booted into the OS, run:
>    yum update (and apply all updates.)
>
> 3) Once the yum command completes, reboot
>
> 4) Download iptables-1.4.0 from netfilter.org. Be sure to NOT download a
>    later version of iptables 1.4 (such as 1.4.1 or 1.4.1.1)
>
> 5) Download kernel 2.6.25.11 from a kernel mirror
>
> 6) Download squid3HEAD (squid 3.1 source code).
>
> 7) Download the tproxy patch for iptables from Balabit. Be sure to get the
>    correct patch, should be:
>    tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
>    a.) note, that so long as the tproxy-iptables-1.4.0 part of the
>        patch name is the same as the iptables version, it is the correct patch.
>
> 8) Download the tproxy patch for the kernel from Balabit. Be sure to get the
>    correct patch, should be:
>    tproxy-kernel-2.6.25-20080519-165031-1211208631
>    a.) note, that so long as the tproxy-kernel-2.6.25 part of the
>        patch name is the same as the kernel, it is the correct patch.
>    b.) decompress the archive, which will create a directory with
>        the patches in it.
>
> 9) decompress the kernel source to /usr/src/linux-2.6.25
>
> 10) ln -s /usr/src/linux-2.6.25 /usr/src/linux
>
> 11) cd /usr/src/linux
>
> 12) patch the kernel source with the tproxy patches as stated in the
>     README, should be something like:
>     cat <path_to_tproxy_kernel_patches>/00*.patch | patch -p1
>
> 13) configure the kernel, enabling the tproxy support as noted in the
>     TProxy README.
>
> 14) compile, install, and reboot into the new kernel
>
> 15) Next, patch, configure, compile and install iptables. This is done
>     with the thought in mind to correctly overwrite the existing iptables
>     setup so that the current service init script that ships with CentOS 5.2
>     can be used. To do this, decompress the iptables 1.4.0 source code, and
>     cd to that directory. Then follow the steps noted:
>     a.) Patch the iptables source with the TProxy patch as noted in
>         the TProxy README:
>         cat <path_to_tproxy>/00*.patch | patch -p1
>     b.) then run the following config line to configure the Makefile
>         for iptables:
>         make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux
>     c.) check that TPROXY was built: ls extensions/libxt_TPROXY*
>     d.) then install:
>         make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux install
>
> 16) Next check iptables versioning to make sure it installed properly in
>     the right path:
>     a) "iptables -v" should show:
>
>        iptables v1.4.0: no command specified
>        Try `iptables -h' or 'iptables --help' for more information.
>
>     If it doesn't show this, but v1.3.5 instead, then I wrote
>     step 15 above from memory incorrectly, and the paths need to be
>     adjusted.
>
> 17) Do a "service iptables status" and see if iptables is running,
>     stopped, or has a "RH-Firewall-1-INPUT" chain. If it stopped
>     altogether, do a "service iptables start" and make sure that it
>     starts and stays running.
>
> 18) Issue the following iptables commands to enable TPROXY functionality in
>     the running iptables instance:
>
>     iptables -t mangle -N DIVERT
>     iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>     iptables -t mangle -A DIVERT -j MARK --set-mark 1
>     iptables -t mangle -A DIVERT -j ACCEPT
>     iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0xffffffff
>     iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
>
>     Note: if any of the above commands fails, there is something wrong with
>     the iptables update to 1.4.0 and/or the tproxy module status in iptables 1.4.0.
>     Keep in mind that the commands are sensitive to case, spacing, and
>     hyphenation.
>
> 19) WCCP related iptables rules need to be created next...this and
>     further steps are only needed if L4 WCCPv2 is used with a router, and
>     not L2 WCCP with a switch.
>
>     iptables -A INPUT -i gre0 -j ACCEPT
>     iptables -A INPUT -i gre0 -j ACCEPT
>     iptables -A INPUT -p gre -j ACCEPT
>
> 20) For the WCCP udp traffic that is not in a gre tunnel:
>
>     -A RH-Firewall-1-INPUT -s 10.48.33.2/32 -p udp -m udp --dport 2048 -j ACCEPT
>
>     NOTE: with steps 17 through 19, you may find that you have no firewall
>     rules at all. In this case you will need to create an input chain to add
>     some of the rules to. I created a chain called "LocalFW" and added the
>     rule in step 20 to that chain. The rules in step 18 and 19 stay as they
>     are. To do this, learn iptables...or something *LIKE* what is listed
>     below:
>
>     iptables -t filter -N LocalFW
>     iptables -A FORWARD -j LocalFW
>     iptables -A INPUT -j LocalFW
>     iptables -A LocalFW -i lo -j ACCEPT
>     iptables -A LocalFW -p icmp -m icmp --icmp-type any -j ACCEPT
>
> 21) Next, build the squid3HEAD source as noted in the squid readme and
>     tproxy readme, enabling netfilter with --enable-linux-netfilter
>     (--enable-linux-tproxy was phased out because tproxy is being more
>     tightly integrated with iptables/netfilter and squid)
>
> 22) configure squid as noted in the squid and tproxy readmes.
>
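One check that fits after step 18 (added here as an example; it is not from Nick's mail or the wiki page): a small script that reads an `iptables-save` dump of the mangle table and reports which of the step-18 TPROXY rules are absent, so a silently failed `iptables` command, or a rule lost on `service iptables restart`, is caught before squid is started. It assumes iptables-save's usual token order and that the MARK target prints as either `--set-mark` or `--set-xmark`; the sample dumps are constructed.

```shell
#!/bin/sh
# check_tproxy_rules DUMPFILE
#   DUMPFILE is the output of `iptables-save -t mangle` (assumed token order).
#   Returns 0 if every step-18 rule is present; otherwise prints each missing
#   pattern to stderr and returns 1.
check_tproxy_rules() {
    dump="$1"
    missing=0
    while IFS= read -r pattern; do
        [ -z "$pattern" ] && continue
        if ! grep -Eq -- "$pattern" "$dump"; then
            echo "MISSING: $pattern" >&2
            missing=1
        fi
    done <<'EOF'
^:DIVERT -
^-A PREROUTING -p tcp -m socket -j DIVERT$
^-A DIVERT -j MARK --set-x?mark 0x1
^-A DIVERT -j ACCEPT$
^-A PREROUTING -p tcp( -m tcp)? --dport 80 -j TPROXY .*--on-port 3128 .*--tproxy-mark 0x1/0x1$
EOF
    return $missing
}

# Constructed sample: what a correct mangle table looks like after step 18.
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF

# Constructed failure case: the DIVERT chain exists but its rules never made it in
# (what you get when the MARK/ACCEPT commands in step 18 fail and nobody notices).
BAD_DUMP=$(mktemp)
grep -v '^-A DIVERT' "$GOOD_DUMP" > "$BAD_DUMP"

check_tproxy_rules "$GOOD_DUMP" && echo "good dump: all TPROXY rules present"
check_tproxy_rules "$BAD_DUMP" || echo "bad dump: rules missing (expected)"
```

On a real box replace the constructed dump with `iptables-save -t mangle > /tmp/mangle.dump` and run `check_tproxy_rules /tmp/mangle.dump`; the mark checked (0x1) must match the `--set-mark 1` value in step 18.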