Re: Tproxy4+squid: ebtables wiki

Dear Amos,

Everything should be 'working properly', but in fact not a single packet is arriving at Squid's tproxy port after the packets come
into iptables:

1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

As we can see, 1451 packets have come into iptables, but nothing came to access.log on Squid, and none of our clients
can connect to the Internet, unless we clear ebtables:

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

but after we cleared them, the server just functions like a bridge: the packets do not come into iptables (the iptables packet counters stay at zero),
and there is nothing in access.log on Squid.

Today we want to try using CentOS 5.4, and as soon as we have installed and configured it with TPROXY and tested it, I will post it here right away. Wish me luck :p

Irvan Adrian


Amos Jeffries wrote:
On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K
<irvan@xxxxxxxxxxxxxxxxx> wrote:
Dear Mr Amos, thanks for your response, very helpful.

Amos Jeffries wrote:
Irvan Adrian K wrote:
So, what is the solution for these threads? Because I'm having the same trouble making TPROXY4 work on UBUNTU 9.10 Server.

Explicit "Server" release or normal? I have recently found that the kernel for normal Ubuntu is missing some routing features needed on an end box pretending to be a server.
The Server release of UBUNTU 9.10, not the desktop one. As you know, UBUNTU has several types of distribution: server, desktop, etc., and as far as we can tell UBUNTU Server does not differ from Debian and has complete support for TPROXY built in, without recompiling:

Good.

xt_tcpudp               2780  2
nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
xt_MARK                 1884  2
xt_socket               2556  2
nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
xt_TPROXY               1948  2
nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
x_tables               16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
I'm using kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5 and ebtables 2.0.9, and so far I have been following the manual at http://wiki.squid-cache.org, like this:

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
 echo 0 > $i
done
unset i

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

squid configuration is default, except
acl allow all

After following the above, the iptables counter for the redirect to TPROXY was increasing, but there was nothing
in Squid; I can't open anything.

But if I change the ebtables --redirect-target to ACCEPT, the connection works, but the packets are just bridged; nothing comes to Squid, as if nothing were there.
Yes. That is why they are "DROP". In BROUTING it means something like: DROP off the bridge into the routing code, vs ACCEPT over the bridge.
Yes, we saw that: after adding --redirect-target DROP in ebtables, the counter on the iptables -j TPROXY rule increases, like this:

12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Before the DROP in ebtables, no packets came to iptables -j TPROXY.

Good.

Is there someone who can give a clue? Thanks in advance.

R

Did you build Squid with libcap2-dev installed on the system?
UBUNTU prefers libcap-dev rather than libcap2-dev:

apt-get install libcap2-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting libcap-dev instead of libcap2-dev
libcap-dev is already the newest version.

I think this means they publish the code for libcap version 2.x in the
libcap-dev package. I hope so anyway, since later releases will require
functionality in version 2.x of libcap to build.

For now that should be fine.

If you start Squid with the -X option is there anything about spoofing or transparent mentioned?
2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.


Okay. And no sign of anything saying "Stopping full transparency: "...

That's a good sign that it's working up to and into Squid.

Amos
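The thread ends with the ebtables DROP pulling packets off the bridge and the TPROXY counter rising while nothing reaches Squid. The script below is an added diagnostic helper, not code from this thread, from the Squid wiki or from the Squid project. It checks, from captured command output rather than by hand, the three things the participants compare: the kernel knobs the quoted script sets (everything under /proc/sys/net/bridge at 0, lo rp_filter at 0, ip_forward at 1), the DIVERT and TPROXY packet counters, and whether the fwmark policy route that the kernel's TPROXY documentation pairs with --tproxy-mark (ip rule add fwmark 1 lookup 100; ip route add local 0.0.0.0/0 dev lo table 100) is present, a step the quoted script does not show. Every function takes its input as an argument (a directory prefix or a string), so it runs without root and without a bridge; the sample listings at the bottom are constructed from the counters quoted above.

```shell
#!/bin/sh
# Added diagnostic helper for the TPROXY-on-a-bridge setup discussed in the
# thread. Not the thread's, the Squid wiki's or the Squid project's code.

# Packet counter of the first rule in an `iptables -t mangle -vnL PREROUTING`
# listing ($1) whose target column is $2. Use -x on the real box so large
# counters are not abbreviated with K/M suffixes.
rule_pkts() {
    printf '%s\n' "$1" | awk -v tgt="$2" '$3 == tgt { print $1; exit }'
}

# One-word verdict from the two counters the thread compares:
#   bridge-not-diverting : TPROXY never hit, so packets are still being bridged
#                          (the ebtables broute DROP rules are not in effect)
#   no-socket-match      : TPROXY hit but the -m socket DIVERT rule never did,
#                          so no local socket ever owned the marked flows
#   counters-ok          : both rules see traffic; netfilter is doing its part,
#                          look at the policy route and Squid's cache.log next
counter_verdict() {
    tp=$(rule_pkts "$1" TPROXY)
    dv=$(rule_pkts "$1" DIVERT)
    if [ "${tp:-0}" = 0 ]; then echo bridge-not-diverting
    elif [ "${dv:-0}" = 0 ]; then echo no-socket-match
    else echo counters-ok
    fi
}

# Compare the kernel knobs the quoted script sets against a /proc tree.
# $1 is a path prefix: "" for the live system, a scratch directory in tests.
# Prints one line per knob that differs; exit status 0 only when all match.
check_knobs() {
    root="${1:-}"
    bad=0
    for f in "$root"/proc/sys/net/bridge/*; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = 0 ] || { echo "want 0 in $f"; bad=1; }
    done
    [ "$(cat "$root"/proc/sys/net/ipv4/conf/lo/rp_filter 2>/dev/null)" = 0 ] \
        || { echo "want 0 in net.ipv4.conf.lo.rp_filter"; bad=1; }
    [ "$(cat "$root"/proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        || { echo "want 1 in net.ipv4.ip_forward"; bad=1; }
    return $bad
}

# True when the policy route from the kernel TPROXY documentation is in place.
# $1 is `ip rule` output, $2 is `ip route show table 100` output.
policy_route_present() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1.*lookup 100' &&
    printf '%s\n' "$2" | grep -q '^local '
}

# Constructed sample inputs, mirroring the counters quoted in the thread.
SAMPLE_LISTING='12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
# Same listing as it looked before the ebtables DROP rules: TPROXY never hit.
SAMPLE_BRIDGED='0 0 DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
0 0 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
# Constructed `ip rule` and `ip route show table 100` output with the route present.
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_TABLE100='local default dev lo scope host'

echo "verdict with the thread's counters: $(counter_verdict "$SAMPLE_LISTING")"
echo "verdict before the ebtables DROP:   $(counter_verdict "$SAMPLE_BRIDGED")"
policy_route_present "$SAMPLE_RULES" "$SAMPLE_TABLE100" && echo "fwmark policy route present"
```

On the live box, run `check_knobs` with no argument, `counter_verdict "$(iptables -t mangle -vnxL PREROUTING)"` and `policy_route_present "$(ip rule)" "$(ip route show table 100)"`; each check reports one specific precondition rather than a blanket "it doesn't work", which is what makes the next question to the list answerable.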
