
Re: FW: Re[2]: squid with tproxy


 



7441122 wrote:
I have gone through http://wiki.squid-cache.org/Features/Tproxy4 and done all as required.

Initially we had squid as gateway, but now I want to use WCCP. Is there any how-to on this one?

Not specifically for the new TPROXY. I've been watching for one. People who are familiar with WCCP seem not to have any trouble using the old wiki examples with new TPROXY. People who are not such experts seem not to be able to get it going no matter what they try.
The old stuff is at http://wiki.squid-cache.org/ConfigExamples/Intercept

If you (or anyone) know about WCCP and TPROXY and want to experiment and find out what the issues are, please go ahead and feed back ANY differences you find, no matter how small, good or bad.

Amos


many thanks.



On Thu, May 28, 2009 at 4:13 AM, <squid3@xxxxxxxxxxxxx> wrote:
On Wed, 27 May 2009 12:06:25 -0500, "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
________________________________________
From: Ritter, Nicholas
Sent: Wednesday, May 27, 2009 12:04 PM
To: 'Manish P. Govindji'
Subject: RE: Re[2]: squid with tproxy

I remember something important....if you are using a more recent version of TPROXY than what is stated in the squid wiki article....I think the method by which TPROXY is configured in iptables changed a bit to make it more to the liking of the netfilter and kernel developers in an effort to get the TPROXY code included into the netfilter and kernel release code.

My setup and the wiki article I wrote are from before these changes, and I have not worked with TPROXY since, so that could be the issue here. I have not downloaded the latest TPROXY code to be sure though. And I think I might have actually seen TPROXY as included in the most recent (ie: 2.6.29) kernel as experimental.
Yes, TPROXYv4 is now available in a public release of all involved software.
The kernel code changed somewhat during their formal merge, and squid code had to change a lot to accommodate the fixes. So Squid may not work properly with the Balabit patches for older kernels.

The TPROXYv4 features page contains the minimum versions of kernel,
iptables, libcap, and Squid needed for this to work.
http://wiki.squid-cache.org/Features/Tproxy4

Amos

I have been meaning to setup a new squid/tproxy system, and update the wiki article...just have not gotten to it yet. I suggest taking a look at the readme with the latest tproxy source code, or even looking at your kernel config to see which tproxy version is being used. If you do a dmesg command and look for the TProxy module loading, I think it tells you what version it is.

Nick

________________________________________
From: Manish P. Govindji [mailto:manish@xxxxxxxxx]
Sent: Wednesday, May 27, 2009 11:43 AM
To: Ritter, Nicholas
Cc: squid-users
Subject: Re[2]: squid with tproxy


Thanks a lot for the reply, I am already tired of pulling my hair out for this one.

Sorry, typo, it's 3128.

I do not have the file /etc/sysconfig/iptables; I use iptables in rc.local:
#####################

#Increase Squid file Descriptors
ulimit -HSn 30720

#Start caches
/usr/sbin/squid

#Enable Forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward

#disable rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# defences
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit

#Allow established sessions to continue
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


########################

I am using squid as gateway, all the PCs are on public IP and Squid is also on public IP as Gateway PC. (Was working as transparent cache, but wanted to use the Tproxy.)

Rgds,

________________________________________
-----Original Message-----
From: "Ritter, Nicholas" <Nicholas.Ritter@xxxxxxxxxxxxxx>
To: "Manish govindji" <manish@xxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxx>
Date: 27-05-2009 18:47
Subject: RE: squid with tproxy
Port 3128, or 1328? The default port is 3128, but is configurable.


Your rules are not right...you are marking, as you should, but not redirecting to the squid port. In addition to sending the output of the raw iptables command, send the contents of /etc/sysconfig/iptables.

I think the problem is partly in the rules setup. Are you using wccp as well, and/or a gre interface?

Also, make sure you have Full NAT enabled in the kernel. Looks like that is ok though.


________________________________________
From:Manish govindji [mailto:manish@xxxxxxxxx]
Sent: Wednesday, May 27, 2009 6:06 AM
To: Nicholas.Ritter@xxxxxxxxxxxxxx
Subject: squid with tproxy

Hello Nicholas,

I have been trying to compile squid with tproxy but am failing, have searched all over google but nothing of help.

I have centos 5.3, installed custom kernel 2.6.28, and iptables 1.4.3, squid 3.1

In compiling the custom kernel, I copied the old config and added the below:

NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY

When I do iptables stat:

[root@gateway ~]# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

The packets do not get to squid on port 1328; even if I kill squid, the PCs can still browse.

Can you help? If I am missing a step or something is not right, I have followed the latest steps in the wiki.


Rgds,

Manish.





$=========================$
Manish P. Govindji.
Modern Computer Centre Ltd.
P. O. Box 4225, Zanzibar, Tanzania.
tel: +255.24.2235928 / 9, fax: +255.24.2230343
manish@xxxxxxxxx
................................
"Every man dies. Not every man lives."


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
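The listing Manish posted shows the symptom in one line: "Chain DIVERT (0 references)" with an empty PREROUTING, meaning the two PREROUTING rules (-m socket -j DIVERT and -j TPROXY) never loaded, so nothing is ever marked or redirected. The following check is an added example, not from the thread or the Squid project; it parses `iptables -t mangle -L -v -n` output and reports that condition. Both sample listings are constructed (the second is a hypothetical "working" listing with made-up counters).

```shell
#!/bin/sh
# Constructed sample: mangle table as in the thread, PREROUTING empty, DIVERT unreferenced.
SAMPLE_BROKEN='Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of a loaded TPROXY setup (hypothetical counters).
SAMPLE_OK='Chain PREROUTING (policy ACCEPT 10 packets, 1000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
    5   300 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   300 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    5   300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# How many rules jump to DIVERT; 0 means the "-m socket -j DIVERT" rule never loaded.
divert_refs() {
    printf '%s\n' "$1" | sed -n 's/^Chain DIVERT (\([0-9]*\) references)/\1/p'
}

# Number of TPROXY target rules inside the PREROUTING chain.
prerouting_tproxy_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { inpre = ($2 == "PREROUTING") }
        inpre && $3 == "TPROXY" { n++ }
        END { print n + 0 }'
}

# Prints "ok" when both rules are present, otherwise a one-line diagnosis.
check_tproxy() {
    refs=$(divert_refs "$1"); tp=$(prerouting_tproxy_rules "$1")
    if [ "${refs:-0}" -eq 0 ] || [ "$tp" -eq 0 ]; then
        echo "missing: PREROUTING has $tp TPROXY rule(s), DIVERT referenced ${refs:-0} time(s)"
    else
        echo ok
    fi
}

check_tproxy "$SAMPLE_BROKEN"   # reports the thread's symptom
check_tproxy "$SAMPLE_OK"       # reports ok
```

Run it against live output with `check_tproxy "$(iptables -t mangle -L -v -n)"`; a "missing" result points at the rule-loading step (kernel or iptables lacking the socket match / TPROXY target), not at Squid.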
