On Mon, 21 Sep 2009 06:34:07 +0300, Haralds.Ulmanis@xxxxxxxxxxxxx wrote:

> Got it working, but IP not spoofed (opened web site to show my actual IP).
>
> Here is my configuration.
> linux (iptables v1.4.3.2, kernel Linux version 2.6.30-gentoo-r4):
>
> modprobe ip_gre
> ip tunnel add wccp2 mode gre remote <cisco wccp routerid> local xx.xx.xx.xx dev eth0
> ip addr add 127.0.0.2 dev wccp2
> ip link set wccp2 up
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -i wccp2 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #rp is set to 0
>
> squid.conf:
> (Squid Cache: Version 3.1.0.13
> configure options: '--prefix=/usr' '--host=x86_64-pc-linux-gnu'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib'
> '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid'
> '--localstatedir=/var' '--datadir=/usr/share/squid'
> '--with-logdir=/var/log/squid' '--with-default-user=squid'
> '--enable-auth=basic,digest,negotiate,ntlm'
> '--enable-removal-policies=lru,heap'
> '--enable-digest-auth-helpers=password'
> '--enable-basic-auth-helpers=DB,PAM,LDAP,getpwnam,NCSA,MSNT'
> '--enable-external-acl-helpers=ldap_group,ip_user,session,unix_group'
> '--enable-ntlm-auth-helpers=fakeauth' '--enable-negotiate-auth-helpers='
> '--enable-useragent-log' '--enable-cache-digests' '--enable-delay-pools'
> '--enable-referer-log' '--enable-arp-acl' '--with-large-files'
> '--with-filedescriptors=8192'
> '--disable-caps'

'caps' is the libcap library required to give Squid TPROXY socket
privileges. Rebuild Squid with that library.

The rest looks passable.

Amos
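A pre-flight script for the TPROXY setup above, added here as an example and not part of the list thread or of Squid: it reads saved `squid -v` and `iptables-save` output plus a sysctl tree from arguments, so the three conditions the thread turns on (a libcap-enabled build, ip_forward=1 with rp_filter=0, and the socket/TPROXY mangle rules) can be checked offline. The tunnel name wccp2, port 3129 and the sample texts are constructed from the quoted configuration.

```shell
#!/bin/sh
# Offline pre-flight checks for a Squid TPROXY host (constructed example).
# Every check takes its input as text or a directory so it can be run
# against captured output; no live commands are executed.

# 0 if the `squid -v` text in $1 was built with libcap, i.e. the configure
# line does not carry --disable-caps (Squid needs libcap for TPROXY sockets).
squid_has_caps() {
    if printf '%s\n' "$1" | grep -q -- "'--disable-caps'"; then
        return 1
    fi
    return 0
}

# 0 if the sysctl tree rooted at $1 (e.g. /proc/sys) has ip_forward=1 and
# rp_filter=0 on both "all" and interface $2; the kernel applies the
# maximum of the two rp_filter values, so both must be 0.
tproxy_sysctls_ok() {
    root=$1; ifc=$2
    fwd=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)
    rp_all=$(cat "$root/net/ipv4/conf/all/rp_filter" 2>/dev/null)
    rp_if=$(cat "$root/net/ipv4/conf/$ifc/rp_filter" 2>/dev/null)
    [ "$fwd" = "1" ] && [ "$rp_all" = "0" ] && [ "$rp_if" = "0" ]
}

# 0 if the iptables-save text in $1 contains the socket match that re-marks
# reply packets and a TPROXY rule for interface $2 redirecting to port $3
# with mark 0x1/0x1, matching the quoted mangle rules.
mangle_rules_ok() {
    rules=$1; ifc=$2; port=$3
    printf '%s\n' "$rules" | grep -q -- '-m socket -j DIVERT' || return 1
    printf '%s\n' "$rules" | grep -- "-i $ifc " | grep -- '-j TPROXY' \
        | grep -- "--on-port $port" | grep -q -- '--tproxy-mark 0x1/0x1'
}

# Constructed sample input mirroring the thread's build and rules.
SAMPLE_SQUID_V="Squid Cache: Version 3.1.0.13
configure options: '--prefix=/usr' '--with-filedescriptors=8192' '--disable-caps'"
SAMPLE_RULES="-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i wccp2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT"

squid_has_caps "$SAMPLE_SQUID_V" && echo "build: libcap OK" || echo "build: --disable-caps, rebuild with libcap"
mangle_rules_ok "$SAMPLE_RULES" wccp2 3129 && echo "mangle: OK" || echo "mangle: rules missing"
```

Run the real checks with `squid_has_caps "$(squid -v)"`, `tproxy_sysctls_ok /proc/sys wccp2` and `mangle_rules_ok "$(iptables-save -t mangle)" wccp2 3129`.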