Another thing maybe helpful when i enable http_port 3128 intercept in squid.conf , following message appears in cache.log cache squid[14701]: IpIntercept.cc(132) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 24: (11) Resource temporarily unavailable Omid Kosari wrote: > > I have Ubuntu 9.04 (Jaunty) but also squid->client spoofing does not work > . it shows squid's ip in tproxy mode . > > dmesg shows > [ 21.186636] ip_tables: (C) 2000-2006 Netfilter Core Team > [ 21.319881] NF_TPROXY: Transparent proxy support initialized, version > 4.1.0 > [ 21.319884] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd. > > and squid.conf has > > http_port 3128 > http_port 3129 tproxy > > i have compiled squid with these settings > ./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 > --mandir=/usr/share/man --localstatedir=/var --with-logdir=/var/log/squid > --prefix=/usr --enable-inline --enable-async-io=8 > --enable-storeio="ufs,aufs" --enable-removal-policies="lru,heap" > --enable-delay-pools --enable-cache-digests --enable-underscores > --enable-icap-client --enable-follow-x-forwarded-for > --with-filedescriptors=65536 --with-default-user=proxy > --enable-large-files --enable-linux-netfilter > and squid is 3.1.0.7 > > the debug_options ALL,1 89,6 output is like when we have not debug_options > at all !! > > i had tproxy with my custom kernels but upgraded to Ubuntu 9.04 (Jaunty) > to prevent custom compiling of kernel and iptables but it does not work > > > > Amos Jeffries-2 wrote: >> >> rihad wrote: >>> Looks like I'm the only one trying to use TProxy? Somebody else, please? >>> To summarize: Squid does NOT spoof client's IP address when initiating >>> connections on its own. Just as if there weren't a thing named "TProxy". >> >> We have had a fair few trying it with complete success when its the only >> thing used. This kind of thing seems to crop up with WCCP, for you and >> one other. >> >> I'm not sure yet what the problem seems to be. Can you check your >> cache.log for messages about "Stopping full transparency", the rest of >> the message says why. I've updated the wiki troubleshooting section to >> list the messages that appear when tproxy is turned off automatically >> and what needs to be done to fix it. >> >> If you can't see any of those please can you set: >> debug_options ALL,1 89,6 >> >> to see whats going on? >> >> I know the squid->client link should be 100% spoofed. I'm not fully >> certain the quid->server link is actually spoofed in all cases. Though >> one report indicates it may be, I have not been able to test it locally >> yet. >> >> >> Amos >> >> >>> >>> Original message follows (not to be confused with top-posting): >>> >>>> Hello, I'm trying to get TProxy 4.1 to work as outlined here: >>>> http://wiki.squid-cache.org/Features/Tproxy4 >>>> namely under Ubuntu 9.04 stable/testing mix with the following: >>>> linux-image-2.6.28-11-server 2.6.28-11.42 >>>> iptables 1.4.3.2-2ubuntu1 >>>> squid-3.1.0.7.tar.bz2 from original sources >>>> >>>> Squid has been built this way: >>>> $ /usr/local/squid/sbin/squid -v >>>> Squid Cache: Version 3.1.0.7 >>>> configure options: '--enable-linux-netfilter' >>>> --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience >>>> (myself I only gave it --enable-linux-netfilter) >>>> >>>> squid.conf is pretty much whatever 'make install' created, with my >>>> changes given at the end, after the blank line: >>>> >>>> acl manager proto cache_object >>>> acl localhost src 127.0.0.1/32 >>>> acl to_localhost dst 127.0.0.0/8 >>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network >>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network >>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network >>>> acl SSL_ports port 443 >>>> acl Safe_ports port 80 # http >>>> acl Safe_ports port 21 # ftp >>>> acl Safe_ports port 443 # https >>>> acl Safe_ports port 70 # gopher >>>> acl Safe_ports port 210 # wais >>>> acl Safe_ports port 1025-65535 # unregistered ports >>>> acl Safe_ports port 280 # http-mgmt >>>> acl Safe_ports port 488 # gss-http >>>> acl Safe_ports port 591 # filemaker >>>> acl Safe_ports port 777 # multiling http >>>> acl CONNECT method CONNECT >>>> http_access allow manager localhost >>>> http_access deny manager >>>> http_access deny !Safe_ports >>>> http_access deny CONNECT !SSL_ports >>>> http_access allow localnet >>>> http_access deny all >>>> http_port 3128 >>>> hierarchy_stoplist cgi-bin ? >>>> refresh_pattern ^ftp: 1440 20% 10080 >>>> refresh_pattern ^gopher: 1440 0% 1440 >>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 >>>> refresh_pattern . 0 20% 4320 >>>> coredump_dir /usr/local/squid/var/cache >>>> >>>> cache_dir ufs /usr/local/squid/var/cache 100 16 256 >>>> cache_mem 16 MB >>>> http_port 3129 tproxy >>>> visible_hostname tproxy >>>> >>>> Then I did: >>>> iptables -t mangle -N DIVERT >>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1 >>>> iptables -t mangle -A DIVERT -j ACCEPT >>>> >>>> #Use DIVERT to prevent existing connections going through TPROXY twice: >>>> >>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT >>>> >>>> #Mark all other (new) packets and use TPROXY to pass into Squid: >>>> >>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY >>>> --tproxy-mark 0x1/0x1 --on-port 3129 >>>> >>>> >>>> ip rule add fwmark 1 lookup 100 >>>> ip route add local 0.0.0.0/0 dev lo table 100 >>>> >>>> #On each boot startup set: >>>> >>>> echo 1 > /proc/sys/net/ipv4/ip_forward >>>> >>>> ran squid -z and launched squid. >>>> >>>> My topology: >>>> desktop where I sit: one link has address 192.168.0.1/24, the other to >>>> the Internet >>>> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the >>>> same box as desktop), the other link is custom VMware interface >>>> 192.168.1.1/24 >>>> The "client" box: single interface 192.168.1.2/24 >>>> >>>> So, the squid box is directly connected to the outside on the one side, >>>> and to the client on the other. My desktop's routing knows to reach the >>>> client through the Squid box, and vice versa, so the port 80 traffic >>>> under consideration flows through the Squid box in both ways. >>>> >>>> Now, after I do this on the "client": >>>> $ telnet 192.168.0.1 80 >>>> GET / HTTP/1.0 >>>> >>>> (correct webpage output) >>>> Connection closed by foreign host. >>>> >>>> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184 >>>> connecting, not the TProxied 192.168.1.2, as if working under the plain >>>> ole interception proxying I've been trying to get rid of! >>>> >>>> Why?! Counters on the Squid box do get bumped: >>>> >>>> $ sudo iptables -t mangle -L -v -n >>>> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes) >>>> pkts bytes target prot opt in out source >>>> destination >>>> 2274 214K DIVERT tcp -- * * 0.0.0.0/0 >>>> 0.0.0.0/0 socket >>>> 16 920 TPROXY tcp -- * * 0.0.0.0/0 >>>> 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark >>>> 0x1/0x1 >>>> >>>> ... >>>> >>>> Chain DIVERT (1 references) >>>> pkts bytes target prot opt in out source >>>> destination >>>> 2274 214K MARK all -- * * 0.0.0.0/0 >>>> 0.0.0.0/0 MARK xset 0x1/0xffffffff >>>> 2274 214K ACCEPT all -- * * 0.0.0.0/0 >>>> 0.0.0.0/0 >>>> >>>> >>>> Thanks for any tips. >>>> >>>> >>>> >>>> >>> >> >> >> -- >> Please be using >> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 >> Current Beta Squid 3.1.0.7 >> >> > > -- View this message in context: http://www.nabble.com/TProxy-not-faking-source-address.-tp23544464p23586637.html Sent from the Squid - Users mailing list archive at Nabble.com.
