Re: Tproxy4+squid: ebtables wiki

Irvan Adrian K wrote:
So, what is the solution for this thread? Because I'm in the same trouble trying to make TPROXY4 work on Ubuntu 9.10 Server.


Explicit "Server" release or normal? I have recently found that the kernel for normal Ubuntu is missing some routing features needed on an end box pretending to be a server.

I'm using kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9, and until now have been following the manual at http://wiki.squid-cache.org, like this:

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
 echo 0 > $i
done
unset i

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

squid configuration is default, except
acl allow all

After following the above, the iptables counter was increasing, redirecting to TPROXY, but there was nothing in Squid; I can't open anything.

But if I change the ebtables --redirect-target to ACCEPT, the connection runs, but the packets are just bridged; nothing comes to Squid, as if nothing is there.

Yes. That is why they are "DROP". In BROUTING it means something like: DROP off the bridge into the routing code, vs. ACCEPT over the bridge.


If someone can give a clue, thanks in advance.

R


Did you build Squid with libcap2-dev installed on the system?


If you start Squid with the -X option is there anything about spoofing or transparent mentioned?

Amos



Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9

Marko Kotar wrote:

Just curious, which kernel version are you using?



--- On Thu, 10/29/09, Dan <d...@xxxxxxxx> wrote:

From: Dan <d...@xxxxxxxx>
Subject: Re: Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarma...@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Date: Thursday, October 29, 2009, 5:24 PM

Those are the same ebtable and iptable rules that I am using except that I use DROP. If it is working for you then that is great. :) As for why it works that way I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid.

Thanks,

Irvan Adrian

Marko Kotar wrote:

Ok
My ebtable rules are (without -i option):
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT

This might be the difference:
The bridge is up and has an IP address. The Ethernet interfaces are up but do not have any IP address assigned.

ifconfig eth0 up promisc
...
The bridge interface is configured with dhclient:
dhclient3 br0

These rules are for the routing:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
And:
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

squid configuration is default, except
acl allow all
and the port is set to the same address as in iptables, with TPROXY set.

I am using: 2.6.28-16-server x86_64 Ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,

Squid Cache: Version 3.1.0.14
configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience

configured only with the additional linux-netfilter flag

I've used various network configurations:
- virtual computer using VmBox with a virtual interface in the Linux bridge on the guest PC.
- computer with two interfaces.
- double-bridged VmBox: two virtual machines; the first having 2 virtual interfaces, bridged, and having squid; the second virtual PC being a client with one virtual interface. One interface of the first was bridged on the guest computer to the external interface; the other two were bridged together.

DROP didn't work in any of them; ACCEPT was tested only in the first.

I think that's all the settings I have.


--- On Wed, 10/28/09, Dan <d...@xxxxxxxx> wrote:

From: Dan <d...@xxxxxxxx>
Subject: Re: Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarma...@xxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
Date: Wednesday, October 28, 2009, 9:21 PM

Marko Kotar wrote:
Thanks.

"redirect
The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
--redirect-target target
Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."

I think: if accept is used it goes into tproxy because the dst mac is changed to the bridge address. (So it goes up as it would if the client had a gateway configured to that machine?) But should drop also work?

I decided to test it. I changed my rule to ACCEPT and traffic passes but not through the proxy. My access.log shows no new traffic after changing the rule. DROP is what passes the frame off to iptables. Could you show all your rules? If squid is receiving the traffic the only thing I can think of is that maybe there is another rule further down the chain that causes the frame to be routed.

I have tried drop but it didn't work. I didn't get any traffic through. If I didn't use any of the ebtable rules it went through. But accept works.

--- On Wed, 10/28/09, Dan <d...@xxxxxxxx> wrote:

From: Dan <d...@xxxxxxxx>
Subject: Re: Tproxy4+squid: ebtables wiki
To: "Marko Kotar" <kotarma...@xxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Date: Wednesday, October 28, 2009, 1:03 AM

Marko Kotar wrote:
Hi,
You have incorrect commands in the squid wiki for tproxy4 ebtables: I figured out that it is not "--redirect-target DROP" but "--redirect-target ACCEPT".

With ebtables using broute, ACCEPT and DROP have special meanings. DROP means route the frame and ACCEPT means bridge the frame.
http://ebtables.sourceforge.net/misc/ebtables-man.html

There is a "-j REDIRECT" which should be in lowercase letters "-j redirect". Thanks for the guide.

Marko

Dan





--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14
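As an added example, not code from any poster in this thread or from the Squid wiki: a POSIX shell script that prints (without executing) the complete bridged TPROXY rule set assembled from the commands posted above (the ebtables BROUTING lines with DROP as the standard target, the bridge sysctl loop, the ip rule / ip route lines for the fwmark table, and the iptables mangle DIVERT chain, with Squid's intercept port assumed to be 3129 as in the thread), and then audits a constructed `ebtables -t broute -L` listing for redirect rules whose standard target is still ACCEPT. Per the ebtables man page text quoted in the thread, such a rule bridges the frame instead of handing it to the routing code, so Squid never sees the connection even though the iptables counters may climb. The listing text is a constructed sample, and the rule-line format it assumes is the one ebtables prints in its listings.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run generator for the bridged TPROXY
# rule set plus an audit of a BROUTING listing for the ACCEPT-vs-DROP mistake.

# Emit, without running, every command the bridge box needs.
# $1 = Squid TPROXY port (assumed 3129, matching the thread's iptables rule).
tproxy_bridge_rules() {
    port="${1:-3129}"
    cat <<EOF
# hand port-80 frames off the bridge to the IP routing code (DROP, not ACCEPT)
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
# stop iptables/arptables from seeing bridged frames; allow local delivery of spoofed replies
for f in /proc/sys/net/bridge/*; do echo 0 > "\$f"; done
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
# deliver fwmark-1 packets locally even though the destination address is not ours
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# mark packets already owned by a local socket; divert new port-80 flows to Squid
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port ${port}
EOF
}

# Count the commands that actually touch the kernel (comment lines excluded).
count_rule_lines() {
    tproxy_bridge_rules "$1" | grep -vc '^#'
}

# Audit a BROUTING listing (pass the text of `ebtables -t broute -L`).
# Returns 0 when every redirect rule ends in DROP; otherwise prints the
# offending rules (their frames are bridged, never routed) and returns 1.
check_brouting_targets() {
    offenders=$(printf '%s\n' "$1" | grep -- '-j redirect' | grep -v -- '--redirect-target DROP' || true)
    if [ -n "$offenders" ]; then
        printf 'frames matched by these rules are bridged and never reach Squid:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample listing (not captured from a real box): the dport rule
# still carries the ACCEPT target that the thread found to bypass the proxy.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
-p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP'

# Stand-alone demo: print the rule set, then audit the constructed listing.
tproxy_bridge_rules 3129
check_brouting_targets "$SAMPLE_LISTING" || echo "fix the ACCEPT rule above before looking at squid.conf"
```

On a live box the audit would be run as `check_brouting_targets "$(ebtables -t broute -L)"`; a non-zero return means at least one redirect rule keeps frames on the bridge, which matches the symptom reported in the thread (traffic flows, access.log stays empty). The generated commands are only printed so the script can be reviewed before anything is applied with root privileges.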
