On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K <irvan@xxxxxxxxxxxxxxxxx> wrote:
> Dear Mr Amos, thanks for your response, very helpful..
>
> Amos Jeffries wrote:
>> Irvan Adrian K wrote:
>>> So, what is the solution for these threads? Because I'm in the same
>>> trouble trying to make TPROXY4 work in UBUNTU 9.10 Server
>>>
>>
>> Explicit "Server" release or normal? I have recently found that the
>> kernel for normal Ubuntu is missing some routing features needed on an
>> end box pretending to be a server.
> Server release distribution of UBUNTU 9.10, not the desktop one.. as you
> know UBUNTU has several types of distribution: server, desktop,
> etc.., and as we analyze it, UBUNTU Server
> is no different from Debian, and has complete support for TPROXY built in,
> without recompiling:

Good.

> xt_tcpudp               2780  2
> nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
> nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
> xt_MARK                 1884  2
> xt_socket               2556  2
> nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> xt_TPROXY               1948  2
> nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
> x_tables               16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>
>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>> 2.0.9, and until now, following the manual in
>>> http://wiki.squid-cache.org, like this :
>>>
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>
>>> cd /proc/sys/net/bridge/
>>> for i in *
>>> do
>>>     echo 0 > $i
>>> done
>>> unset i
>>>
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> iptables are:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> squid configuration is default, except
>>> acl allow all
>>>
>>> After following the above, the iptables counter was increasing,
>>> redirecting to TPROXY, but there was nothing
>>> in the squid, i can't open anything..
>>>
>>> But if i change the ebtables --redirect-target to ACCEPT, the connection
>>> is running, but the packets are just bridged, nothing came to Squid, just like
>>> nothing is there..
>>
>> Yes. That is why they are "DROP". In BROUTING it means something like;
>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> Yes, we saw that, after adding --redirect-target DROP at ebtables, the
> counter at iptables -j TPROXY increases, like this one :
>
> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
>  1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> before DROP at ebtables, no packets came to iptables -j TPROXY

Good.

>>
>>>
>>> If someone can give a clue, thanks in advance..
>>>
>>> R
>>>
>>
>> Did you build Squid with libcap2-dev installed on the system?
> UBUNTU prefers libcap-dev rather than libcap2-dev,
>
> apt-get install libcap2-dev
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Note, selecting libcap-dev instead of libcap2-dev
> libcap-dev is already the newest version.

I think this means they publish the code for libcap version 2.x in the
libcap-dev package. I hope so anyway, since later releases will require
functionality in version 2.x of libcap to build. For now that should be fine.

>>
>>
>> If you start Squid with the -X option is there anything about spoofing
>> or transparent mentioned?
>
> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
>

Okay. And no sign of anything saying "Stopping full transparency: "...
That's a good sign that it's working up to and into Squid.

Amos
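The bridge-mode TPROXY setup discussed in this thread, collected into one script as an added example (this is not code from the thread, from Amos, or from the Squid project). It checks the kernel modules the thread's lsmod output shows before touching anything, and has a dry-run mode so the rule set can be reviewed first. The ebtables, sysctl and iptables lines follow what Irvan posted; the two ip(8) lines (fwmark rule and local route) are the policy-routing step of the standard Squid Tproxy4 recipe, which the posted rules do not include. Assumptions not stated in the thread: fwmark 0x1, routing table 100, and the sample lsmod text (module names from the thread, sizes are placeholders) is constructed so the checks run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project:
# bridge-mode TPROXY interception for Squid as one script, with a
# kernel-module check up front and a dry-run mode.
# Assumptions not stated in the thread: fwmark 0x1, policy-routing
# table 100. Port 3129 is the tproxy port the thread uses.

FWMARK=0x1
RT_TABLE=100
SQUID_TPROXY_PORT=3129

# Modules the thread's lsmod output shows loaded; all must be present.
REQUIRED_MODULES="xt_TPROXY xt_socket nf_tproxy_core xt_MARK ebtables ebt_redirect"

# Constructed lsmod-style samples (module name in column 1, sizes are
# placeholders) so the checker can be exercised offline.
SAMPLE_LSMOD_OK="xt_tcpudp 2780 2
xt_MARK 1884 2
xt_socket 2556 2
xt_TPROXY 1948 2
nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
ebt_redirect 1000 1
ebtables 10000 1 ebt_redirect"
# The same list without xt_TPROXY and nf_tproxy_core: a kernel that
# cannot do TPROXY at all.
SAMPLE_LSMOD_MISSING="xt_tcpudp 2780 2
xt_MARK 1884 2
xt_socket 2556 2
ebt_redirect 1000 1
ebtables 10000 1 ebt_redirect"

# check_modules LSMOD_TEXT: succeed only if every required module appears.
check_modules() {
    missing=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' \
            || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    echo "missing kernel modules:$missing" >&2
    return 1
}

# tproxy_rules: print the interception commands, one per line, in order.
# ebtables/sysctl/iptables lines follow the thread; the ip rule/route pair
# is the policy-routing step from the standard Tproxy4 recipe.
tproxy_rules() {
    cat <<EOF
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
for f in /proc/sys/net/bridge/*; do echo 0 > "\$f"; done
sysctl -w net.ipv4.conf.lo.rp_filter=0
sysctl -w net.ipv4.ip_forward=1
ip rule add fwmark $FWMARK lookup $RT_TABLE
ip route add local 0.0.0.0/0 dev lo table $RT_TABLE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $FWMARK/$FWMARK --on-port $SQUID_TPROXY_PORT
EOF
}

# apply_rules: run each command in order; with DRY_RUN=1 print it instead.
# Stops at the first failing command so a half-applied rule set is obvious.
apply_rules() {
    tproxy_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Usage (as root on the bridge box):
#   DRY_RUN=1 sh tproxy-bridge.sh apply   # review the commands
#   sh tproxy-bridge.sh apply             # check modules, then apply
if [ "${1:-}" = apply ]; then
    check_modules "$(lsmod)" || exit 1
    apply_rules || exit 1
fi
```

The order matters: the `-m socket` DIVERT rule sits before the TPROXY rule so that packets belonging to a connection Squid already owns are marked and routed locally without being re-targeted, and the fwmark rule plus `local` route is what makes the kernel deliver those marked packets to the local stack instead of forwarding them.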