So it sounds like this is a problem with ubuntu 9.10 in general? I am running the server version as well, everything looks to be compiled properly, dmesg shows TPROXY starting, squid shoq IP spoofing to be starting as well. -----Original Message----- From: Irvan Adrian K [mailto:irvan@xxxxxxxxxxxxxxxxx] Sent: Monday, November 09, 2009 8:46 AM To: Amos Jeffries Cc: squid-users@xxxxxxxxxxxxxxx Subject: Re: Tproxy4+squid: ebtables wiki Dear Mr Amos, thanks for your respond, very helpfull.. Amos Jeffries wrote: > Irvan Adrian K wrote: >> So, What the solution for these threads ? because i'm in the same >> trouble to make TPROXY4 work in UBUNTU 9.10 Server >> > > Explicit "Server" release or normal? I have recently found that the > kernel for normal Ubuntu is missing some routing features needed on a > end box pretending to be a server. Server release distribution of UBUNTU 9.10, not desktop one.. as you know that UBUNTU have several type of distribution : server, desktop, etc.., and as we analyze that UBUNTU Server not differ than Debian, and have complete support for TPROXY built in, without recompile : xt_tcpudp 2780 2 nf_nat 17808 2 iptable_nat,ipt_REDIRECT nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat xt_MARK 1884 2 xt_socket 2556 2 nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket xt_TPROXY 1948 2 nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent] x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIREC T,xt_MARK,xt_socket,xt_TPROXY >> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables >> 2.0.9, and until now, following the manual in >> http://wiki.squid-cache.org, like this : >> >> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 >> -j redirect --redirect-target DROP >> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j >> redirect --redirect-target DROP >> >> cd /proc/sys/net/bridge/ >> for i in * >> do >> echo 0 > $i >> done >> unset i >> >> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter >> echo 1 > /proc/sys/net/ipv4/ip_forward >> >> iptables are: >> iptables -t mangle -N DIVERT >> iptables -t mangle -A DIVERT -j MARK --set-mark 1 >> iptables -t mangle -A DIVERT -j ACCEPT >> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT >> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY >> --tproxy-mark 0x1/0x1 --on-port 3129 >> >> squid configuration is default, except >> acl allow all >> >> After following like above, the iptables counter was increasing >> redirecting to TPROXY, but there was nothing >> in the squid, i can't open anything.. >> >> But if i change the ebtables --redirect-target ACCEPT, the connection >> running, but the packet just bridged nothing came to Squid, just like >> nothing on there.. > > Yes. That is why they are "DROP". In BROUTING it means something like; > DROP off the bridge into the routing code, vs ACCEPT over the bridge. Yes, we look that, after adding --redirect-target DROP at ebtables, counter at iptables -j TPROXY increase, like this one : 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1 before DROP at ebtables, there was none packet come to iptables -j TPROXY > >> >> There some one can give the clue, thanks in advance.. >> >> R >> > > Did you build Squid with libcap2-dev installed on the system? UBUNTU prefer libcap-dev rather than libcap2-dev, apt-get install libcap2-dev Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting libcap-dev instead of libcap2-dev libcap-dev is already the newest version. > > > If you start Squid with the -X option is there anything about spoofing > or transparent mentioned? 2009/11/09 08:43:17.338| Processing: 'http_port 3128 ' 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy' 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled) 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support. 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support. 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using. Thanks, Irvan Adrian > > Amos > >> >> >> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9 >> >> Marko Kotar wrote: >> >> Just curious which kernel version are u using? >> >> >> >> --- On Thu, 10/29/09, Dan <d...@xxxxxxxx> wrote: >> >> >> From: Dan <d...@xxxxxxxx> >> Subject: Re: Tproxy4+squid: ebtables wiki >> To: "Marko Kotar" <kotarma...@xxxxxxxxx> >> Cc: squid-users@xxxxxxxxxxxxxxx >> Date: Thursday, October 29, 2009, 5:24 PM >> Those are the same ebtable and >> >> iptable rules that I am using except that I use DROP. If it is >> working for you then that is great. :) As for why >> >> it works that way I don't know. When I use ACCEPT the >> traffic is bridged through and not redirected to squid. >> >> Thanks, >> >> Irvan Adrian >> >> Marko Kotar wrote: >> >> Ok >> My ebtable rules are(without -i option): >> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp >> --ip-dport 80 -j redirect --redirect-target ACCEPT >> >> ebtables -t broute -A BROUTING -p ipv4 >> --ip-proto tcp --ip-sport 80 -j redirect --redirect-target >> ACCEPT >> >> This might be the different: >> Bridge is up and it is having an ip address. Ethernet >> interfaces are up but not having any ip address asigned. >> >> ifconfig eth0 up promisc >> ... >> bridge interface is configured with dhclient: >> dhclient3 br0 >> >> This rules are for the routing; >> ip rule add fwmark 1 lookup 100 >> ip route add local 0.0.0.0/0 dev lo table 100 >> And: >> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter >> echo 1 > /proc/sys/net/ipv4/ip_forward >> >> iptables are: >> iptables -t mangle -N DIVERT >> iptables -t mangle -A DIVERT -j MARK --set-mark 1 >> iptables -t mangle -A DIVERT -j ACCEPT >> iptables -t mangle -A PREROUTING -p tcp -m socket -j >> DIVERT >> >> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j >> TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 >> >> squid configuration is default, except >> acl allow all >> and port is set to the same address as in iptables, >> and having TPROXY set. >> >> I am using: 2.6.28-16-server x86_64 ubuntu, default or >> compiled ebtables v2.0.9-1 (June 2009), compiled iptables >> v1.4.5, >> >> Squid Cache: Version 3.1.0.14 >> configure options: '--enable-linux-netfilter' >> --with-squid=/home/marko/src/squid-3.1.0.14 >> --enable-ltdl-convenience >> >> configured ony with additional linux-netfilter flag >> >> I've used various network configurations: >> -virtual computer using VmBox with virtual interface >> in the linux bridge on guest pc. >> >> -computer with two interfaces. >> -double bridged vmbox: two virtual machines: first >> having 2 virtual interfaces. birdged and having sqiud. >> second virtual pc being client with one virtual interface. >> one interface of first was bridged on guest computer to >> external interface, other two were bridged together. >> >> Drop didn't work in any of them, accept was tested >> only in first. >> >> i think thats all the settings i have. >> >> >> --- On Wed, 10/28/09, Dan <d...@xxxxxxxx> >> wrote: >> >> From: Dan <d...@xxxxxxxx> >> Subject: Re: Tproxy4+squid: ebtables >> wiki >> >> To: "Marko Kotar" <kotarma...@xxxxxxxxx>, >> squid-users@xxxxxxxxxxxxxxx >> >> Date: Wednesday, October 28, 2009, 9:21 PM >> Marko Kotar wrote: >> Thanks. >> >> "redirect >> >> The redirect target will change the MAC target >> address >> >> to that of the bridge device the frame arrived on. >> This >> >> target can only be used in the BROUTING chain of >> the broute >> >> table and the PREROUTING chain of the nat table. >> In the >> >> BROUTING chain, the MAC address of the bridge port >> is used >> >> as destination address, in the PREROUTING chain, >> the MAC >> >> address of the bridge is used. >> --redirect-target target >> >> Specifies the standard >> target. >> >> After doing the MAC redirect, the rule still has >> to give a >> >> standard target so ebtables knows what to do. The >> default >> >> target is ACCEPT. Making it CONTINUE could let you >> use >> >> multiple target extensions on the same frame. >> Making it DROP >> >> in the BROUTING chain will let the frames be >> routed. RETURN >> >> is also allowed. Note that using RETURN in a base >> chain is >> >> not allowed." >> >> I think: If accept is used it goes in the >> tproxy >> >> because dst mac is changed to bridge address. (So >> it goes up >> >> as it would if client had gateway configured >> to that >> >> machine?) But is also should drop work? >> I decided to test it. I changed my rule to ACCEPT >> and >> >> traffic passes but not through the proxy. >> My >> >> access.log shows no new traffic after changing >> the >> >> rule. DROP is what passes the frame off to >> iptables. Could you show all your >> rules? If >> >> squid is receiving the traffic the only thing I >> can think of >> >> is that maybe there is another rule further down >> the chain >> >> that cause the frame to be routed. >> >> I have tryed drop but it didn't work. I didn't >> get >> >> through any traffic. >> If i didn't use any of ebtable rules it went >> through. >> >> But accept works. --- On Wed, 10/28/09, >> Dan >> >> <d...@xxxxxxxx> >> wrote: >> From: Dan <d...@xxxxxxxx> >> Subject: Re: Tproxy4+squid: >> ebtables >> >> wiki >> To: "Marko Kotar" <kotarma...@xxxxxxxxx> >> Cc: squid-users@xxxxxxxxxxxxxxx >> Date: Wednesday, October 28, 2009, 1:03 >> AM >> >> Marko Kotar wrote: >> Hi, >> You have incorrect commands in squid >> wiki for >> >> tproxy4 >> ebtables: >> I figure out that it is not >> "--redirect-target >> >> DROP" >> but it is "--redirect-target ACCEPT" >> . >> >> With ebtables using broute ACCEPT and DROP >> have >> >> special >> meanings. DROP means route the frame >> and >> >> ACCEPT means bridge the frame. >> >> http://ebtables.sourceforge.net/misc/ebtables-man.html >> >> There is a "-j REDIRECT" >> which should >> be in >> >> lowercase >> letters "-j redirect". >> Thanks for guide. >> >> Marko >> >> >> >> Dan >> >> >> > >
