Re: Tproxy4+squid: ebtables wiki

On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K
<irvan@xxxxxxxxxxxxxxxxx> wrote:
> Dear Mr Amos, thanks for your response, very helpful..
> 
> Amos Jeffries wrote:
>> Irvan Adrian K wrote:
>>> So, what is the solution for these threads? Because I'm having the same 
>>> trouble making TPROXY4 work in Ubuntu 9.10 Server
>>>
>>
>> Explicit "Server" release or normal? I have recently found that the 
>> kernel for normal Ubuntu is missing some routing features needed on an 
>> end box pretending to be a server.
> The Server release of Ubuntu 9.10, not the desktop one.. as you 
> know, Ubuntu has several types of distribution: server, desktop, 
> etc.., and as we analyzed, Ubuntu Server does not differ from Debian, 
> and has complete support for TPROXY built in, without recompiling:

Good.

> 
> xt_tcpudp               2780  2
> nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
> nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
> xt_MARK                 1884  2
> xt_socket               2556  2
> nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> xt_TPROXY               1948  2
> nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
> x_tables               16544  10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
> 
>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 
>>> 2.0.9, and until now, following the manual in 
>>> http://wiki.squid-cache.org, like this:
>>>
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>
>>> cd /proc/sys/net/bridge/
>>> for i in *
>>> do
>>>  echo 0 > $i
>>> done
>>> unset i
>>>
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> iptables are:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY 
>>> --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> squid configuration is default, except
>>> acl allow all
>>>
>>> After following the above, the iptables counter was increasing, 
>>> redirecting to TPROXY, but there was nothing
>>> in Squid; I can't open anything..
>>>
>>> But if I change the ebtables --redirect-target to ACCEPT, the connection 
>>> is running, but the packets are just bridged; nothing came to Squid, as if 
>>> nothing was there..
>>
>> Yes. That is why they are "DROP". In BROUTING it means something like: 
>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> Yes, we saw that: after adding --redirect-target DROP at ebtables, the 
> counter at iptables -j TPROXY increased, like this one:
> 
> 12830 3896K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
>  1451 69360 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
> 
> before DROP at ebtables, no packets came to iptables -j TPROXY

Good.

>>
>>>
>>> Is there someone who can give a clue? Thanks in advance..
>>>
>>> R
>>>
>>
>> Did you build Squid with libcap2-dev installed on the system?
> Ubuntu prefers libcap-dev rather than libcap2-dev,
> 
> apt-get install libcap2-dev
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Note, selecting libcap-dev instead of libcap2-dev
> libcap-dev is already the newest version.

I think this means they publish the code for libcap version 2.x in the
libcap-dev package. I hope so anyway, since later releases will require
functionality in version 2.x of libcap to build.

For now that should be fine.

>>
>>
>> If you start Squid with the -X option is there anything about spoofing 
>> or transparent mentioned?
> 
> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
> 

Okay. And no sign of anything saying "Stopping full transparency: "...

That's a good sign that it's working up to and into Squid.

Amos
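As an added example that is not part of the thread (function names tproxy_setup, tproxy_counter_ok and squid_tproxy_ok are my own, and the fwmark policy route is an assumption taken from the generic TPROXY recipe, not from the quoted script), the bridge/TPROXY steps quoted above wrapped in a function, plus checks for the two signs Amos looks for: the TPROXY rule counter moving, and Squid -X not reporting "Stopping full transparency":

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the thread's values: client
# port 80, Squid tproxy port 3129, fwmark 0x1. The sample listings below are
# constructed from the counters and log lines quoted in the discussion.

# Bridge diversion and mangle-table TPROXY rules; needs root on the real bridge box.
tproxy_setup() {
    # BROUTING DROP = drop off the bridge into the routing code (see Amos above)
    ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
    for f in /proc/sys/net/bridge/*; do echo 0 > "$f"; done
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
    # Assumption: fwmark policy route from the generic TPROXY recipe, which the
    # quoted script omits; marked packets must be delivered to the local stack.
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
}

# Check 1: given the output of "iptables -t mangle -L PREROUTING -v -n",
# succeed only if the TPROXY rule has counted at least one packet.
tproxy_counter_ok() {
    printf '%s\n' "$1" | awk '$3 == "TPROXY" && $1 + 0 > 0 { hit = 1 }
                              END { exit (hit ? 0 : 1) }'
}

# Check 2: given Squid's -X startup output, succeed only if TPROXY support was
# detected and Squid never reported "Stopping full transparency".
squid_tproxy_ok() {
    printf '%s\n' "$1" | grep -q 'TPROXY support detected' &&
        ! printf '%s\n' "$1" | grep -q 'Stopping full transparency'
}

# Constructed samples: the live counters from the thread, a zero-counter
# listing for the failing case, and the two decisive Squid -X lines.
COUNTERS_LIVE='12830 3896K DIVERT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  socket
 1451 69360 TPROXY  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
COUNTERS_DEAD='    0     0 TPROXY  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
SQUID_LOG='2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.'
```

Run tproxy_setup only on the bridge box itself; the two check functions take captured text and can be run anywhere.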

