Re: Updated CentOS/Squid/Tproxy Transparency steps.

Hold on, I lack the compile option for connection tracking NAT.
Let me compile first.


On Tue, Jul 7, 2009 at 9:15 PM, Ritter, Nicholas <Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
> Bridging is a completely different beast...I have not done a bridging
> solution, so I can't help as much...with bridging I think you don't use
> iptables, but the bridging netfilter tables. That is probably the issue.
>
>
> -----Original Message-----
> From: johan firdianto [mailto:johanfirdi@xxxxxxxxx]
> Sent: Tuesday, July 07, 2009 1:50 AM
> To: Ritter, Nicholas
> Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
> Subject: Re: Updated CentOS/Squid/Tproxy Transparency steps.
>
> Hi Nick,
>
> I already tried your example above, with the exception that I'm using a bridge
> with 2 Ethernet interfaces, not WCCP.
> But I don't see anything in access_log when I try to browse some
> sites.
> But I still could open the sites.
>
> 2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
> 2009/07/07 21:44:17| FD 10 Closing HTTP connection
> 2009/07/07 21:44:17| FD 13 Closing HTTP connection
> 2009/07/07 21:44:17| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
> 2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
> 2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip spoofing enabled)
> 2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception enabled)
> 2009/07/07 21:44:17| Initializing https proxy context
> 2009/07/07 21:44:17| DNS Socket created at [::], FD 10
> 2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
> 2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from /etc/resolv.conf
> 2009/07/07 21:44:17| Accepting  HTTP connections at [::]:3128, FD 11.
> 2009/07/07 21:44:17| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 13.
> 2009/07/07 21:44:17| HTCP Disabled.
> 2009/07/07 21:44:17| Loaded Icons.
> 2009/07/07 21:44:17| Ready to serve requests.
>
> iptables -t mangle -L -xvn
> Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>    7326   946003 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
>    3661   949270 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain DIVERT (1 references)
>    pkts      bytes target     prot opt in     out     source               destination
>    7326   946003 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xffffffff
>    7326   946003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> ip rule
> 0:      from all lookup 255
> 32764:  from all fwmark 0x1 lookup tproxy
> 32765:  from all fwmark 0x1 lookup tproxy
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> ip route show table 100
> local default dev lo  scope host
>
>
>
>
>
> On Thu, Jul 2, 2009 at 11:31 AM, Ritter, Nicholas <Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
>> I have not finished updating the wiki article for the CentOS example, BTW.
>>
>> I will do this by tomorrow or possibly tonight yet.
>>
>> Nick
>>
>>
>> -----Original Message-----
>> From: adrian.chadd@xxxxxxxxx [mailto:adrian.chadd@xxxxxxxxx] On Behalf Of Adrian Chadd
>> Sent: Wednesday, July 01, 2009 11:10 PM
>> To: Alexandre DeAraujo
>> Cc: Ritter, Nicholas; squid-users
>> Subject: Re: Updated CentOS/Squid/Tproxy Transparency steps.
>>
>> This won't work. You're only redirecting half of the traffic flow with
>> the wccp web-cache service group. The tproxy code is probably
>> correctly trying to originate packets -from- the client IP address to
>> the upstream server but because you're only redirecting half of the
>> packets (ie, packets from original client to upstream, and not also
>> the packets from the upstream to the client <- and this is the flow
>> that needs to be hijacked!) things will "hang".
>>
>> You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
>> setup. There are two service groups configured - 80 and 90 - which
>> redirect client -> server and server->client respectively. They have
>> the right bits set in the service group definitions to redirect the
>> traffic correctly.
>>
>> The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
>> find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
>> then combine that with the TPROXY4 rules. That is fine for me (I know
>> a thing or two about this) but it should all be made much, much
>> clearer for people trying to set this up.
>>
>> As I suggested earlier, you may wish to consider fleshing out an
>> interception section in the Wiki complete with explanations about how
>> all of the various parts of the puzzle hold together.
>>
>> 2c,
>>
>>
>> adrian
>>
>> 2009/7/2 Alexandre DeAraujo <alexd@xxxxxxx>:
>>> I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.
>>>
>>> Here is the setup:
>>> Router:
>>> Cisco 7200 IOS 12.4(25)
>>> ip wccp web-cache redirect-list 11
>>> access-list 11 permits only selective ip addresses to use wccp
>>>
>>> Wan interface (Serial)
>>> ip wccp web-cache redirect out
>>>
>>> Global WCCP information:
>>> Router information:
>>> Router Identifier:                      192.168.20.1
>>> Protocol Version:                       2.0
>>>
>>> Service Identifier: web-cache
>>> Number of Service Group Clients:        1
>>> Number of Service Group Routers:        1
>>> Total Packets s/w Redirected:   8797
>>> Process:                                4723
>>> Fast:                                   0
>>> CEF:                                    4074
>>> Redirect access-list:                   11
>>> Total Packets Denied Redirect:  124925546
>>> Total Packets Unassigned:               924514
>>> Group access-list:                      -none-
>>> Total Messages Denied to Group: 0
>>> Total Authentication failures:          0
>>> Total Bypassed Packets Received:        0
>>>
>>> WCCP Client information:
>>> WCCP Client ID: 192.168.20.2
>>> Protocol Version:       2.0
>>> State:                  Usable
>>> Initial Hash Info:      00000000000000000000000000000000
>>>                        00000000000000000000000000000000
>>> Assigned Hash Info:     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>                        FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>> Hash Allotment: 256 (100.00%)
>>> Packets s/w Redirected: 306
>>> Connect Time:           00:21:33
>>> Bypassed Packets
>>> Process:                0
>>> Fast:                   0
>>> CEF:                    0
>>> Errors:                 0
>>>
>>> Clients are on FEthernet0/1
>>> Squid server is the only device on FEthernet0/3
>>> --------------------------------------------------------------------
>>> Squid Server:
>>> eth0      Link encap:Ethernet  HWaddr 00:14:22:21:A1:7D
>>>          inet addr:192.168.20.2  Bcast:192.168.20.7  Mask:255.255.255.248
>>>          inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
>>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>          RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:1000
>>>          RX bytes:335149 (327.2 KiB)  TX bytes:394943 (385.6 KiB)
>>>
>>> gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
>>>          inet addr:192.168.20.2  Mask:255.255.255.248
>>>          UP RUNNING NOARP  MTU:1476  Metric:1
>>>          RX packets:400 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:0
>>>          RX bytes:31760 (31.0 KiB)  TX bytes:0 (0.0 b)
>>> --------------------------------------------------------------------
>>> /etc/rc.d/rc.local file:
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>> modprobe ip_gre
>>> ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>> --------------------------------------------------------------------
>>> /etc/sysconfig/iptables file:
>>> # Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
>>> *mangle
>>> :PREROUTING ACCEPT [166:11172]
>>> :INPUT ACCEPT [164:8718]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [130:12272]
>>> :POSTROUTING ACCEPT [130:12272]
>>> :DIVERT - [0:0]
>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>> -A DIVERT -j ACCEPT
>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
>>> COMMIT
>>> # Completed on Wed Jul  1 03:32:55 2009
>>> # Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [160:15168]
>>> :RH-Firewall-1-INPUT - [0:0]
>>> -A INPUT -i gre0 -j ACCEPT
>>> -A INPUT -p gre -j ACCEPT
>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>> -A INPUT -j RH-Firewall-1-INPUT
>>> -A FORWARD -j RH-Firewall-1-INPUT
>>> -A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>> # Completed on Wed Jul  1 03:32:55 2009
>>>
>>> ---------------------squid.conf------------------------------------
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl testing src 10.10.10.0/24
>>> acl SSL_ports port 443
>>> acl SSL_ports port 8443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl Safe_ports port 8443        # Plesk
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access allow testing
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localnet
>>> http_access deny all
>>> http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
>>> hierarchy_stoplist cgi-bin ?
>>> hosts_file /etc/hosts
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern .               0       20%     4320
>>> coredump_dir /var/spool/squid
>>>
>>> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
>>> access_log /var/log/squid/access.log squid
>>> cache_access_log /var/log/squid/access.log
>>> cache_log /var/log/squid/cache.log
>>> cache_store_log /var/log/squid/store.log
>>> debug_options ALL,3
>>>
>>> cache allow testing
>>> cache deny all
>>> cache_dir ufs /var/spool/squid 200000 256 256
>>> cache_effective_user squid
>>> cache_swap_high 100%
>>> cache_swap_low 80%
>>> cache_mem 2 GB
>>> maximum_object_size  8192 KB
>>> half_closed_clients on
>>> client_db off
>>>
>>> wccp2_router 192.168.20.1
>>> wccp_version 2
>>> wccp2_rebuild_wait on
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_assignment_method 1
>>> wccp2_service standard 0
>>>
>>> visible_hostname Server
>>>
>>> forwarded_for off
>>> ---------------------------------end of squid.conf-------------------------------------
>>> This is the timeout error when trying to go to www.google.com
>>>
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> The following error was encountered while trying to retrieve the URL: http://www.google.com/
>>>
>>>        Connection to 74.125.45.100 failed.
>>>
>>> The system returned: (110) Connection timed out
>>>
>>> The remote host or network may be down. Please try the request again.
>>>
>>> Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)
>>>
>>>
>>> Thanks for your help,
>>>
>>> Alex
>>>
>>>
>>>
>>>
>>
>>
>
>
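An added consistency check, not from the thread, that encodes the pieces which must agree in the TPROXY setups posted above: the `--tproxy-mark`, the `ip rule fwmark ... lookup` entry, the `local default dev lo` route in that table, the `-m socket` DIVERT rule ahead of TPROXY, and the `http_port ... tproxy` Squid listens on. The sample captures are constructed from the values in the thread, and the route tables are keyed by whatever name `ip rule` uses (so an aliased name from /etc/iproute2/rt_tables is passed under that alias).

```python
"""Added consistency check for a Squid TPROXY setup: the TPROXY mark, the
policy-routing rule, the 'lo' route table and Squid's http_port must agree."""
import re

# Constructed sample captures modelled on the thread, not live output.
IPTABLES_SAVE = """*mangle
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
COMMIT"""
IP_RULE = """0:      from all lookup 255
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main"""
IP_ROUTE_TABLES = {"100": "local default dev lo  scope host"}  # 'ip route show table 100'
SQUID_CONF = "http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always"

def check_tproxy(iptables_save, ip_rule, route_tables, squid_conf):
    """Return a list of problems found; an empty list means the pieces agree.
    Only routed setups are covered: on a bridge, frames may bypass mangle entirely."""
    problems = []
    rules = [l for l in iptables_save.splitlines() if l.startswith("-A PREROUTING")]
    tproxy = next((l for l in rules if "-j TPROXY" in l), None)
    if tproxy is None:
        return ["no TPROXY rule in mangle PREROUTING"]
    # '-m socket' DIVERT must precede TPROXY so established flows are not re-TPROXYed.
    divert_idx = next((i for i, l in enumerate(rules) if "-m socket" in l), None)
    if divert_idx is None or divert_idx > rules.index(tproxy):
        problems.append("'-m socket -j DIVERT' rule missing or placed after TPROXY")
    mark = int(re.search(r"--tproxy-mark (0x[0-9a-f]+)", tproxy).group(1), 16)
    on_port = int(re.search(r"--on-port (\d+)", tproxy).group(1))
    # Matching fwmark rules; more than one usually means rc.local ran twice.
    tables = [t for m, t in re.findall(r"fwmark (0x[0-9a-f]+) lookup (\S+)", ip_rule)
              if int(m, 16) == mark]
    if not tables:
        problems.append(f"no 'ip rule' entry for fwmark {mark:#x}")
    elif len(tables) > 1:
        problems.append(f"duplicate 'ip rule' entries for fwmark {mark:#x}")
    # The table must send everything to lo, or spoofed replies never reach Squid.
    for t in set(tables):
        if "local default dev lo" not in route_tables.get(t, ""):
            problems.append(f"route table {t} lacks 'local default dev lo'")
    m = re.search(r"^http_port\s+(?:[\d.]+:)?(\d+)\s+tproxy", squid_conf, re.M)
    if m is None:
        problems.append("squid.conf has no 'http_port ... tproxy' line")
    elif int(m.group(1)) != on_port:
        problems.append(f"TPROXY --on-port {on_port} != squid tproxy port {m.group(1)}")
    return problems
```

Feed it the real `iptables-save`, `ip rule` and `ip route show table N` output of a host to get the same report; an empty list only says the local plumbing is consistent, not that both directions of the flow actually reach the box.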
