
FW: Tproxy Help // Transparent works fine

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, June 15, 2009 9:21 PM
To: Alexandre DeAraujo
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Tproxy Help // Transparent works fine

>Should just be an upgrade Squid to 3.1 release and follow the instructions at:
>http://wiki.squid-cache.org/Features/Tproxy4
>Amos

I downloaded and installed squid-3.1.0.8.tar.gz with the configure build option '--enable-linux-netfilter'.
Made sure squid.conf was configured with:
http_port 3128
http_port 3129 tproxy

The following modules are enabled on the kernel config file:
NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY

After typing the following lines:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

my iptables-save output:
# Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
*nat
:PREROUTING ACCEPT [33:2501]
:POSTROUTING ACCEPT [1:76]
:OUTPUT ACCEPT [1:76]
-A PREROUTING -i wccp2 -p tcp -j REDIRECT --to-ports 3128 
COMMIT
# Completed on Tue Jun 16 16:16:27 2009
# Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
*mangle
:PREROUTING ACCEPT [35:2653]
:INPUT ACCEPT [158:8713]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [123:11772]
:POSTROUTING ACCEPT [123:11772]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT 
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1 
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff 
-A DIVERT -j ACCEPT 
COMMIT
# Completed on Tue Jun 16 16:16:27 2009

Then I entered the following lines:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward

Client could not browse after that. I see the connections coming in with tcpdump, but all connections just time out.

PS: after compiling squid-3.1.0.8, I did a search for 'tproxy' on the console screen and found this line:
checking for linux/netfilter_ipv4/ip_tproxy.h... no
I don't know if this would have anything to do with it.

Thanks,

Alex
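An added check, not part of the thread: a POSIX sh script that validates a saved iptables-save dump and a kernel .config against the mangle rule set and the four kernel options the post lists, so the plumbing can be verified from text without root. The sample inputs are constructed from the post's own output.

```shell
#!/bin/sh
# Verify Squid TPROXY plumbing from saved text: no root or live iptables needed.

# Constructed sample: the mangle table from the post's iptables-save output.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [35:2653]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample: the four kernel options the post names, as .config lines.
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m'

# check_tproxy_rules DUMP PORT: 0 if the mangle table carries the whole chain
# (DIVERT chain, socket match, TPROXY to PORT with mark 0x1, MARK + ACCEPT),
# else 1 plus a "missing:" line per absent rule. The TPROXY mark and the MARK
# value must agree, or marked packets never reach the fwmark routing rule.
check_tproxy_rules() {
    mangle=$(printf '%s\n' "$1" | sed -n '/^\*mangle/,/^COMMIT/p')
    rc=0
    for pat in \
        '^:DIVERT ' \
        '^-A PREROUTING .*-m socket .*-j DIVERT' \
        "^-A PREROUTING .*--dport 80 .*-j TPROXY .*--on-port $2 .*--tproxy-mark 0x1/0x1" \
        '^-A DIVERT -j MARK --set-xmark 0x1/' \
        '^-A DIVERT -j ACCEPT'
    do
        printf '%s\n' "$mangle" | grep -Eq -e "$pat" || { echo "missing: $pat"; rc=1; }
    done
    return $rc
}

# check_kernel_config CONFIG: 0 if every option is built in (=y) or a module (=m).
check_kernel_config() {
    rc=0
    for opt in NF_CONNTRACK NETFILTER_TPROXY NETFILTER_XT_MATCH_SOCKET \
               NETFILTER_XT_TARGET_TPROXY
    do
        printf '%s\n' "$1" | grep -Eq "^CONFIG_$opt=(y|m)$" || { echo "missing: CONFIG_$opt"; rc=1; }
    done
    return $rc
}

check_tproxy_rules "$SAMPLE_DUMP" 3129 && check_kernel_config "$SAMPLE_CONFIG" && echo "tproxy plumbing looks complete"
```

On a live box, feed it `iptables-save` output and `/boot/config-$(uname -r)` instead of the samples; it does not cover the `ip rule`/`ip route` policy-routing step, which must be checked separately.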


