Search squid archive

Re: Updated CentOS/Squid/Tproxy Transparency steps.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



johan firdianto wrote:
Hold on, I lack compile option connection tracking NAT.
let me compile first.


TPROXY was designed to be usable without NAT.

If you can confirm a dependency please report it to the netfilter and balabit people.

Amos


On Tue, Jul 7, 2009 at 9:15 PM, Ritter,
Nicholas<Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
Bridging is a completely different beast...I have not done a bridging
solution, so I can't help as much...with bridging I think you don't use
iptables, but the bridging netfilter tables. That is probably the issue.


-----Original Message-----
From: johan firdianto [mailto:johanfirdi@xxxxxxxxx]
Sent: Tuesday, July 07, 2009 1:50 AM
To: Ritter, Nicholas
Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
Subject: Re:  Updated CentOS/Squid/Tproxy Transparency
steps.

Hi Nick,

I already tried your example above, with exception I'm using bridge
with 2 ethernet not wccp.
 but i don't see something in access_log, when I tried to browse some
sites.
But i still could open the sites.

2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
2009/07/07 21:44:17| FD 10 Closing HTTP connection
2009/07/07 21:44:17| FD 13 Closing HTTP connection
2009/07/07 21:44:17| Processing Configuration File:
/usr/local/squid/etc/squid.conf (depth 0)
2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip
spoofing enabled)
2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception
enabled)
2009/07/07 21:44:17| Initializing https proxy context
2009/07/07 21:44:17| DNS Socket created at [::], FD 10
2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from
/etc/resolv.conf
2009/07/07 21:44:17| Accepting  HTTP connections at [::]:3128, FD 11.
2009/07/07 21:44:17| Accepting  spoofing HTTP connections at
0.0.0.0:3129, FD 13.
2009/07/07 21:44:17| HTCP Disabled.
2009/07/07 21:44:17| Loaded Icons.
2009/07/07 21:44:17| Ready to serve requests.

iptables -t mangle -L -xvn
Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
   pkts      bytes target     prot opt in     out     source
    destination
   7326   946003 DIVERT     tcp  --  *      *       0.0.0.0/0
  0.0.0.0/0           socket
   3661   949270 TPROXY     tcp  --  *      *       0.0.0.0/0
  0.0.0.0/0           tcp dpt:80 TPROXY redirect 192.168.1.205:3129
mark 0x1/0x1

Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
   pkts      bytes target     prot opt in     out     source
    destination

Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
   pkts      bytes target     prot opt in     out     source
    destination

Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
   pkts      bytes target     prot opt in     out     source
    destination

Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
   pkts      bytes target     prot opt in     out     source
    destination

Chain DIVERT (1 references)
   pkts      bytes target     prot opt in     out     source
    destination
   7326   946003 MARK       all  --  *      *       0.0.0.0/0
  0.0.0.0/0           MARK xset 0x1/0xffffffff
   7326   946003 ACCEPT     all  --  *      *       0.0.0.0/0
  0.0.0.0/0

ip rule
0:      from all lookup 255
32764:  from all fwmark 0x1 lookup tproxy
32765:  from all fwmark 0x1 lookup tproxy
32766:  from all lookup main
32767:  from all lookup default

ip route show table 100
local default dev lo  scope host





On Thu, Jul 2, 2009 at 11:31 AM, Ritter,
Nicholas<Nicholas.Ritter@xxxxxxxxxxxxxx> wrote:
I have not finished updating the wiki article for the CentOS example,
BTW.
I will do this by tomorrow or possibly tonight yet.

Nick


-----Original Message-----
From: adrian.chadd@xxxxxxxxx [mailto:adrian.chadd@xxxxxxxxx] On Behalf
Of Adrian Chadd
Sent: Wednesday, July 01, 2009 11:10 PM
To: Alexandre DeAraujo
Cc: Ritter, Nicholas; squid-users
Subject: Re:  Updated CentOS/Squid/Tproxy Transparency
steps.
This won't work. You're only redirecting half of the traffic flow with
the wccp web-cache service group. The tproxy code is probably
correctly trying to originate packets -from- the client IP address to
the upstream server but because you're only redirecting half of the
packets (ie, packets from original client to upstream, and not also
the packets from the upstream to the client <- and this is the flow
that needs to be hijacked!) things will "hang".

You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
setup. There are two service groups configured - 80 and 90 - which
redirect client -> server and server->client respectively. They have
the right bits set in the service group definitions to redirect the
traffic correctly.

The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
then combine that with the TPROXY4 rules. That is fine for me (I know
a thing or two about this) but it should all be made much, much
clearer for people trying to set this up.

As I suggested earlier, you may wish to consider fleshing out an
interception section in the Wiki complete with explanations about how
all of the various parts of the puzzle hold together.

2c,


adrian

2009/7/2 Alexandre DeAraujo <alexd@xxxxxxx>:
I am giving this one more try, but have been unsuccessful. Any help
is always greatly appreciated.
Here is the setup:
Router:
Cisco 7200 IOS 12.4(25)
ip wccp web-cache redirect-list 11
access-list 11 permits only selective ip addresses to use wccp

Wan interface (Serial)
ip wccp web-cache redirect out

Global WCCP information:
Router information:
Router Identifier:                      192.168.20.1
Protocol Version:                       2.0

Service Identifier: web-cache
Number of Service Group Clients:        1
Number of Service Group Routers:        1
Total Packets s/w Redirected:   8797
Process:                                4723
Fast:                                   0
CEF:                                    4074
Redirect access-list:                   11
Total Packets Denied Redirect:  124925546
Total Packets Unassigned:               924514
Group access-list:                      -none-
Total Messages Denied to Group: 0
Total Authentication failures:          0
Total Bypassed Packets Received:        0

WCCP Client information:
WCCP Client ID: 192.168.20.2
Protocol Version:       2.0
State:                  Usable
Initial Hash Info:      00000000000000000000000000000000
                       00000000000000000000000000000000
Assigned Hash Info:     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                       FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 306
Connect Time:           00:21:33
Bypassed Packets
Process:                0
Fast:                   0
CEF:                    0
Errors:                 0

Clients are on FEthernet0/1
Squid server is the only device on FEthernet0/3
--------------------------------------------------------------------
Squid Server:
eth0      Link encap:Ethernet  HWaddr 00:14:22:21:A1:7D
         inet addr:192.168.20.2  Bcast:192.168.20.7
Mask:255.255.255.248
         inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:335149 (327.2 KiB)  TX bytes:394943 (385.6 KiB)

gre0      Link encap:UNSPEC  HWaddr
00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
         inet addr:192.168.20.2  Mask:255.255.255.248
         UP RUNNING NOARP  MTU:1476  Metric:1
         RX packets:400 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:31760 (31.0 KiB)  TX bytes:0 (0.0 b)
--------------------------------------------------------------------
/etc/rc.d/rc.local file:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
modprobe ip_gre
ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
--------------------------------------------------------------------
/etc/sysconfig/iptables file:
# Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
*mangle
:PREROUTING ACCEPT [166:11172]
:INPUT ACCEPT [164:8718]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [130:12272]
:POSTROUTING ACCEPT [130:12272]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
--on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
COMMIT
# Completed on Wed Jul  1 03:32:55 2009
# Generated by iptables-save v1.4.4 on Wed Jul  1 03:32:55 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [160:15168]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048
-j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353
-j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22
-j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jul  1 03:32:55 2009

---------------------squid.conf------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl testing src 10.10.10.0/24
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8443        # Plesk
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow testing
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
hierarchy_stoplist cgi-bin ?
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
coredump_dir /var/spool/squid

logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A
%mt
access_log /var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,3

cache allow testing
cache deny all
cache_dir ufs /var/spool/squid 200000 256 256
cache_effective_user squid
cache_swap_high 100%
cache_swap_low 80%
cache_mem 2 GB
maximum_object_size  8192 KB
half_closed_clients on
client_db off

wccp2_router 192.168.20.1
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0

visible_hostname Server

forwarded_for off
---------------------------------end of
squid.conf-------------------------------------
This is the timeout error when trying to go to www.google.com

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL:
http://www.google.com/
       Connection to 74.125.45.100 failed.

The system returned: (110) Connection timed out

The remote host or network may be down. Please try the request again.

Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)


Thanks for your help,

Alex








--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux