Another thing: Did you compile squid with the netfilter configure option? Did you set TPROXY on the port?

--- On Mon, 11/9/09, Irvan Adrian K <irvan@xxxxxxxxxxxxxxxxx> wrote:

> From: Irvan Adrian K <irvan@xxxxxxxxxxxxxxxxx>
> Subject: Re: Tproxy4+squid: ebtables wiki
> To: squid-users@xxxxxxxxxxxxxxx
> Date: Monday, November 9, 2009, 12:48 PM
>
> So, what is the solution for these threads? Because I'm in the same trouble trying to make TPROXY4 work on Ubuntu 9.10 Server.
>
> I'm using kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9, and until now I have been following the manual in http://wiki.squid-cache.org, like this:
>
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0 > $i
> done
> unset i
>
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> squid configuration is default, except
> acl allow all
>
> After following the above, the iptables counter was increasing, redirecting to TPROXY, but there was nothing in squid; I can't open anything..
>
> But if I change the ebtables --redirect-target to ACCEPT, the connection is running, but the packets are just bridged; nothing came to Squid, just like nothing is there..
>
> If someone can give a clue, thanks in advance..
>
> R
>
>> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>>
>> Marko Kotar wrote:
>>> Just curious, which kernel version are you using?
>>>
>>> --- On Thu, 10/29/09, Dan <d...@xxxxxxxx> wrote:
>>>
>>>> From: Dan <d...@xxxxxxxx>
>>>> Subject: Re: Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma...@xxxxxxxxx>
>>>> Cc: squid-users@xxxxxxxxxxxxxxx
>>>> Date: Thursday, October 29, 2009, 5:24 PM
>>>>
>>>> Those are the same ebtable and iptable rules that I am using, except that I use DROP. If it is working for you then that is great. :) As for why it works that way, I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid.
>>>>
>>>> Thanks,
>>>>
>>>> Irvan Adrian
>>>>
>>>> Marko Kotar wrote:
>>>>> Ok
>>>>> My ebtable rules are (without -i option):
>>>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>>>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>>>>>
>>>>> This might be the difference:
>>>>> Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address assigned.
>>>>> ifconfig eth0 up promisc
>>>>> ...
>>>>> bridge interface is configured with dhclient:
>>>>> dhclient3 br0
>>>>>
>>>>> These rules are for the routing:
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>> And:
>>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>
>>>>> iptables are:
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>
>>>>> squid configuration is default, except
>>>>> acl allow all
>>>>> and port is set to the same address as in iptables, and having TPROXY set.
>>>>>
>>>>> I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
>>>>> Squid Cache: Version 3.1.0.14
>>>>> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
>>>>> configured only with the additional linux-netfilter flag
>>>>>
>>>>> I've used various network configurations:
>>>>> - virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
>>>>> - computer with two interfaces.
>>>>> - double bridged vmbox: two virtual machines: first having 2 virtual interfaces, bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.
>>>>>
>>>>> Drop didn't work in any of them, accept was tested only in first.
>>>>>
>>>>> I think that's all the settings I have.
>>>>>
>>>>> --- On Wed, 10/28/09, Dan <d...@xxxxxxxx> wrote:
>>>>>
>>>>>> From: Dan <d...@xxxxxxxx>
>>>>>> Subject: Re: Tproxy4+squid: ebtables wiki
>>>>>> To: "Marko Kotar" <kotarma...@xxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
>>>>>> Date: Wednesday, October 28, 2009, 9:21 PM
>>>>>>
>>>>>> Marko Kotar wrote:
>>>>>>> Thanks.
>>>>>>>
>>>>>>> "redirect
>>>>>>> The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC address of the bridge is used.
>>>>>>> --redirect-target target
>>>>>>> Specifies the standard target. After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed."
>>>>>>>
>>>>>>> I think: If accept is used it goes in the tproxy because dst mac is changed to bridge address. (So it goes up as it would if client had gateway configured to that machine?) But should drop also work?
>>>>>>
>>>>>> I decided to test it. I changed my rule to ACCEPT and traffic passes but not through the proxy. My access.log shows no new traffic after changing the rule. DROP is what passes the frame off to iptables. Could you show all your rules? If squid is receiving the traffic the only thing I can think of is that maybe there is another rule further down the chain that causes the frame to be routed.
>>>>>>
>>>>>>> I have tried drop but it didn't work. I didn't get through any traffic.
>>>>>>> If I didn't use any of the ebtable rules it went through.
>>>>>>> But accept works.
>>>>>>>
>>>>>>> --- On Wed, 10/28/09, Dan <d...@xxxxxxxx> wrote:
>>>>>>>
>>>>>>>> From: Dan <d...@xxxxxxxx>
>>>>>>>> Subject: Re: Tproxy4+squid: ebtables wiki
>>>>>>>> To: "Marko Kotar" <kotarma...@xxxxxxxxx>
>>>>>>>> Cc: squid-users@xxxxxxxxxxxxxxx
>>>>>>>> Date: Wednesday, October 28, 2009, 1:03 AM
>>>>>>>>
>>>>>>>> Marko Kotar wrote:
>>>>>>>>> Hi,
>>>>>>>>> You have incorrect commands in the squid wiki for tproxy4 ebtables:
>>>>>>>>>
>>>>>>>>> I figured out that it is not "--redirect-target DROP" but it is "--redirect-target ACCEPT".
>>>>>>>>> With ebtables using broute, ACCEPT and DROP have special meanings. DROP means route the frame and ACCEPT means bridge the frame.
>>>>>>>>> http://ebtables.sourceforge.net/misc/ebtables-man.html
>>>>>>>>>
>>>>>>>>> There is a "-j REDIRECT" which should be in lowercase letters "-j redirect".
>>>>>>>>>
>>>>>>>>> Thanks for guide.
>>>>>>>>> Marko
>>>>>>>>
>>>>>>>> Dan
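Added example, not from the thread or the Squid wiki: the complete bridge-intercept rule set the thread converges on, as one shell function that prints the commands so they can be reviewed (or piped to `sh` as root) rather than typed piecemeal. It combines the broute DROP rules from the wiki with the policy-routing lines (`ip rule add fwmark` / `ip route add local`) that appear in Marko's posted configuration; without that local route, packets that TPROXY has marked are forwarded across the bridge instead of being delivered to Squid's socket, which is exactly the symptom of rising iptables counters and an empty access.log. `tproxy_audit` is a small helper written here to flag that omission in any rule set fed to it. The bridge name br0, port 3129, mark 0x1 and table 100 are assumptions taken from the thread; the extra `rp_filter` reset on the bridge interface is an addition the thread does not make.

```shell
#!/bin/sh
# Added example (not from the thread): print the complete TPROXY bridge-intercept
# rule set as a reviewable script.  Apply as root with:  tproxy_ruleset | sh
# Assumptions: bridge br0, Squid tproxy port 3129, fwmark 0x1, routing table 100.

tproxy_ruleset() {
    bridge=${1:-br0}
    port=${2:-3129}
    mark=${3:-0x1}
    table=${4:-100}

    cat <<EOF
# 1. broute: hand port-80 frames to the IP stack.  In the broute table DROP means
#    "route this frame" and ACCEPT means "bridge it" (ebtables man page); bridged
#    frames never reach the TPROXY rule below, so DROP is the one that feeds Squid.
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# 2. sysctls: keep bridged frames out of the IP netfilter hooks, relax the
#    reverse-path check (the thread resets lo only; $bridge is an addition here),
#    and allow forwarding for the frames we do not intercept.
for f in /proc/sys/net/bridge/bridge-nf-call-*; do echo 0 > "\$f"; done
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/$bridge/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

# 3. policy routing: packets carrying the mark are delivered locally (to the
#    socket TPROXY attached) instead of being forwarded out of the bridge.
ip rule add fwmark $mark lookup $table
ip route add local 0.0.0.0/0 dev lo table $table

# 4. mangle: re-mark packets that already belong to a local (proxied) socket,
#    then steer new port-80 flows to Squid's tproxy port.
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $mark
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $mark/$mark --on-port $port
EOF
}

# Audit a rule set (file argument or stdin) for the four pieces that must all be
# present.  TPROXY without the fwmark rule and local route silently forwards the
# marked packets: counters rise, access.log stays empty.  Prints "ok" or the list
# of missing pieces and returns non-zero.
tproxy_audit() {
    rules=$(cat "${1:-/dev/stdin}")
    missing=""
    printf '%s\n' "$rules" | grep -q -- '-j TPROXY'              || missing="$missing tproxy-rule"
    printf '%s\n' "$rules" | grep -q 'ip rule add fwmark'         || missing="$missing fwmark-rule"
    printf '%s\n' "$rules" | grep -q 'ip route add local'         || missing="$missing local-route"
    printf '%s\n' "$rules" | grep -q -- '--redirect-target DROP'  || missing="$missing broute-drop"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}
```

Usage: `tproxy_ruleset | tproxy_audit` should print `ok`; `tproxy_ruleset | sh` applies the rules. On the Squid side the port must be declared as `http_port 3129 tproxy` and the binary built with `--enable-linux-netfilter` (the option Marko asks about at the top of the thread); with ACCEPT in the broute rules the frames stay on the bridge and none of the iptables rules above ever see them.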