I have rebuilt the server using slackware 13, iptables 1.4.5, kernel 2.6.29.6 and squid 3.1.0.14. This was actually a pretty easy build since tproxy 4 was included already in iptables and kernel support. I get a little further this time. After following the wiki I see connections coming in on netstat and printouts in the access.log:

1257947020.539  33055 128.226.234.75 TCP_MISS/200 7042 GET http://www.imdb.com/ - DIRECT/72.21.211.32 text/html
1257947067.327 189510 128.226.234.43 TCP_MISS/200 5559 GET http://www.cnn.com/ - DIRECT/157.166.226.25 text/html

But I get nothing on the user end, and eventually I stop seeing things showing up in the access log. Any ideas on what to look at?

Thanks,
--Joe

-----Original Message-----
From: Irvan Adrian K [mailto:irvan@xxxxxxxxxxxxxxxxx]
Sent: Monday, November 09, 2009 5:05 PM
To: Dan
Cc: Roth, Joe; Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Tproxy4+squid: ebtables wiki

Wow, thanks for the sharing, Dan.. it's very informative for me to know that.. because I have been working for 2 weeks till now, very desperate.. I have been using Debian 5 Lenny and Ubuntu 9.04 and 9.10, and so far nothing works :(, .. all the configurations I have tried, and I have recompiled many kernels from 2.6.20 - 2.6.25, 2.6.29, 2.6.31, and so far there was no solution at all..

Same to me, I have been using Debian and Ubuntu server for all my servers for a long time, and it is so hard for me to change to a different distro, but learning from you, I have to try Fedora or maybe CentOS, for TPROXY..

Thanks,
Irvan Adrian

Dan wrote:
> To throw in my 2 cents. I have tried using both ubuntu server 9.04
> and 9.10; neither of them could I get to work. I experienced the same
> problem. So to make sure it wasn't me making a mistake somewhere I
> tried the same config and setup on Fedora and that worked fine. So
> being lazy I just went with that. I am very interested in getting
> TPROXY to work with ubuntu server as I prefer it as my server OS.
>
> Roth, Joe wrote:
>> So it sounds like this is a problem with ubuntu 9.10 in general? I am
>> running the server version as well, everything looks to be compiled
>> properly, dmesg shows TPROXY starting, squid shows IP spoofing to be
>> starting as well.
>>
>> -----Original Message-----
>> From: Irvan Adrian K [mailto:irvan@xxxxxxxxxxxxxxxxx]
>> Sent: Monday, November 09, 2009 8:46 AM
>> To: Amos Jeffries
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re: Tproxy4+squid: ebtables wiki
>>
>> Dear Mr Amos, thanks for your response, very helpful..
>>
>> Amos Jeffries wrote:
>>> Irvan Adrian K wrote:
>>>> So, what is the solution for these threads? Because I'm in the same
>>>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>>
>>> Explicit "Server" release or normal? I have recently found that the
>>> kernel for normal Ubuntu is missing some routing features needed on
>>> an end box pretending to be a server.
>>
>> Server release distribution of UBUNTU 9.10, not desktop one..
>> As you know, UBUNTU has several types of distribution: server, desktop,
>> etc.., and as we analyze, UBUNTU Server does not differ from Debian,
>> and has complete support for TPROXY built in, without recompile:
>>
>> xt_tcpudp               2780  2
>> nf_nat                 17808  2 iptable_nat,ipt_REDIRECT
>> nf_conntrack_ipv4      13352  3 iptable_nat,nf_nat
>> xt_MARK                 1884  2
>> xt_socket               2556  2
>> nf_conntrack           67608  4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
>> xt_TPROXY               1948  2
>> nf_defrag_ipv4          1756  3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
>> nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
>> x_tables               16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>>
>>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>>> 2.0.9, and until now, following the manual in
>>>> http://wiki.squid-cache.org, like this:
>>>>
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>>
>>>> cd /proc/sys/net/bridge/
>>>> for i in *
>>>> do
>>>>   echo 0 > $i
>>>> done
>>>> unset i
>>>>
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> iptables are:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> squid configuration is default, except
>>>> acl allow all
>>>>
>>>> After following like above, the iptables counter was increasing,
>>>> redirecting to TPROXY, but there was nothing in the squid, I can't
>>>> open anything..
>>>>
>>>> But if I change the ebtables --redirect-target to ACCEPT, the
>>>> connection is running, but the packet is just bridged, nothing
>>>> comes to Squid, just like nothing is there..
>>>
>>> Yes. That is why they are "DROP". In BROUTING it means something like:
>>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
>>
>> Yes, we saw that; after adding --redirect-target DROP at ebtables, the
>> counter at iptables -j TPROXY increases, like this one:
>>
>> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
>>  1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>
>> Before DROP at ebtables, no packet came to iptables -j TPROXY.
>>
>>>> If someone can give a clue, thanks in advance..
>>>>
>>>> R
>>>
>>> Did you build Squid with libcap2-dev installed on the system?
>>
>> UBUNTU prefers libcap-dev rather than libcap2-dev,
>>
>> apt-get install libcap2-dev
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> Note, selecting libcap-dev instead of libcap2-dev
>> libcap-dev is already the newest version.
>>
>>> If you start Squid with the -X option is there anything about spoofing
>>> or transparent mentioned?
>>
>> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
>> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
>> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
>> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
>> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
>> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
>> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
>> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
>> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
>>
>> Thanks,
>>
>> Irvan Adrian
>>
>>> Amos
>>>
>>>> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>>>>
>>>> Marko Kotar wrote:
>>>> Just curious which kernel version are u using?
>>>>
>>>> --- On Thu, 10/29/09, Dan <d...@xxxxxxxx> wrote:
>>>>
>>>> From: Dan <d...@xxxxxxxx>
>>>> Subject: Re: Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma...@xxxxxxxxx>
>>>> Cc: squid-users@xxxxxxxxxxxxxxx
>>>> Date: Thursday, October 29, 2009, 5:24 PM
>>>>
>>>> Those are the same ebtable and iptable rules that I am using except
>>>> that I use DROP. If it is working for you then that is great. :) As
>>>> for why it works that way I don't know. When I use ACCEPT the
>>>> traffic is bridged through and not redirected to squid.
>>>>
>>>> Thanks,
>>>>
>>>> Irvan Adrian
>>>>
>>>> Marko Kotar wrote:
>>>>
>>>> Ok
>>>> My ebtable rules are (without -i option):
>>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>>>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>>>>
>>>> This might be the difference:
>>>> Bridge is up and it is having an ip address. Ethernet interfaces are
>>>> up but not having any ip address assigned.
>>>>
>>>> ifconfig eth0 up promisc
>>>> ...
>>>> bridge interface is configured with dhclient:
>>>> dhclient3 br0
>>>>
>>>> These rules are for the routing:
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>> And:
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> iptables are:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> squid configuration is default, except
>>>> acl allow all
>>>> and port is set to the same address as in iptables, and having
>>>> TPROXY set.
>>>>
>>>> I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled
>>>> ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5,
>>>>
>>>> Squid Cache: Version 3.1.0.14
>>>> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
>>>>
>>>> configured only with additional linux-netfilter flag
>>>>
>>>> I've used various network configurations:
>>>> - virtual computer using VmBox with virtual interface in the linux
>>>>   bridge on guest pc.
>>>> - computer with two interfaces.
>>>> - double bridged vmbox: two virtual machines: first having 2 virtual
>>>>   interfaces, bridged and having squid. second virtual pc being
>>>>   client with one virtual interface. one interface of first was
>>>>   bridged on guest computer to external interface, other two were
>>>>   bridged together.
>>>>
>>>> Drop didn't work in any of them, accept was tested only in first.
>>>>
>>>> i think that's all the settings i have.
>>>>
>>>> --- On Wed, 10/28/09, Dan <d...@xxxxxxxx> wrote:
>>>>
>>>> From: Dan <d...@xxxxxxxx>
>>>> Subject: Re: Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma...@xxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
>>>> Date: Wednesday, October 28, 2009, 9:21 PM
>>>>
>>>> Marko Kotar wrote:
>>>> Thanks.
>>>>
>>>> "redirect
>>>>   The redirect target will change the MAC target address to that of
>>>>   the bridge device the frame arrived on. This target can only be
>>>>   used in the BROUTING chain of the broute table and the PREROUTING
>>>>   chain of the nat table. In the BROUTING chain, the MAC address of
>>>>   the bridge port is used as destination address, in the PREROUTING
>>>>   chain, the MAC address of the bridge is used.
>>>> --redirect-target target
>>>>   Specifies the standard target. After doing the MAC redirect, the
>>>>   rule still has to give a standard target so ebtables knows what to
>>>>   do. The default target is ACCEPT. Making it CONTINUE could let you
>>>>   use multiple target extensions on the same frame. Making it DROP
>>>>   in the BROUTING chain will let the frames be routed. RETURN is
>>>>   also allowed. Note that using RETURN in a base chain is not
>>>>   allowed."
>>>>
>>>> I think: If accept is used it goes in the tproxy because dst mac is
>>>> changed to bridge address.
>>>> (So it goes up as it would if client had gateway configured to that
>>>> machine?) But also, should drop work?
>>>>
>>>> I decided to test it. I changed my rule to ACCEPT and traffic passes
>>>> but not through the proxy. My access.log shows no new traffic after
>>>> changing the rule. DROP is what passes the frame off to iptables.
>>>> Could you show all your rules? If squid is receiving the traffic the
>>>> only thing I can think of is that maybe there is another rule further
>>>> down the chain that causes the frame to be routed.
>>>>
>>>> I have tried drop but it didn't work. I didn't get through any
>>>> traffic. If i didn't use any of ebtable rules it went through.
>>>> But accept works.
>>>>
>>>> --- On Wed, 10/28/09, Dan <d...@xxxxxxxx> wrote:
>>>>
>>>> From: Dan <d...@xxxxxxxx>
>>>> Subject: Re: Tproxy4+squid: ebtables wiki
>>>> To: "Marko Kotar" <kotarma...@xxxxxxxxx>
>>>> Cc: squid-users@xxxxxxxxxxxxxxx
>>>> Date: Wednesday, October 28, 2009, 1:03 AM
>>>>
>>>> Marko Kotar wrote:
>>>> Hi,
>>>> You have incorrect commands in squid wiki for tproxy4 ebtables:
>>>> I figured out that it is not "--redirect-target DROP" but it is
>>>> "--redirect-target ACCEPT".
>>>>
>>>> With ebtables using broute, ACCEPT and DROP have special meanings.
>>>> DROP means route the frame and ACCEPT means bridge the frame.
>>>>
>>>> http://ebtables.sourceforge.net/misc/ebtables-man.html
>>>>
>>>> There is a "-j REDIRECT" which should be in lowercase letters
>>>> "-j redirect".
>>>> Thanks for guide.
>>>>
>>>> Marko
>>>>
>>>> Dan
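The thread quotes the TPROXY-on-a-bridge commands in pieces across several messages: Irvan's list has the ebtables BROUTING rules, the bridge sysctls and the iptables mangle chain but no policy-routing lines, while Marko's list adds the `ip rule add fwmark ... lookup 100` / `ip route add local ... table 100` pair. The script below is an added example, not code from the thread or from the squid wiki, that assembles the whole set in one place in the order the pieces depend on each other. It assumes the bridge is already up with an address (as in Marko's setup), a Squid `http_port 3129 tproxy`, fwmark 0x1 and routing table 100; the three `bridge-nf-call-*` sysctl names are the ones the example assumes stand behind Irvan's `for i in *` loop. With `DRY_RUN=1` it only prints the commands, which is how it can be read or tested on a machine without root or the TPROXY modules.

```shell
#!/bin/sh
# Added example (not from the thread): one consolidated TPROXY bridge setup.
# Assumed values: Squid tproxy port 3129, fwmark 0x1, routing table 100.
# DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: tproxy_bridge_setup <squid-tproxy-port> <fwmark> <routing-table>
tproxy_bridge_setup() {
    port="$1"; mark="$2"; table="$3"

    # 1. Broute port-80 frames off the bridge into the IP stack. In the
    #    BROUTING chain "--redirect-target DROP" means "route this frame",
    #    not discard it; ACCEPT would bridge it straight through and the
    #    frame would never reach iptables or Squid (Amos's and Dan's point).
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP

    # 2. Do not run netfilter on frames that stay on the bridge, accept
    #    spoofed client source addresses on lo, and allow forwarding.
    #    (assumed sysctl names; Irvan's loop zeroes everything under
    #    /proc/sys/net/bridge/)
    for f in /proc/sys/net/bridge/bridge-nf-call-iptables \
             /proc/sys/net/bridge/bridge-nf-call-ip6tables \
             /proc/sys/net/bridge/bridge-nf-call-arptables; do
        run sh -c "echo 0 > $f"
    done
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter"
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # 3. Policy routing: packets carrying the fwmark are delivered locally,
    #    which is what lets the TPROXY socket on $port receive them. Without
    #    these two lines the marked packets are forwarded toward the real
    #    destination instead of being handed to the local socket.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add local 0.0.0.0/0 dev lo table "$table"

    # 4. The mangle rules from the wiki: packets belonging to an existing
    #    local socket are marked via DIVERT; new port-80 flows go to TPROXY,
    #    which marks them and retargets them to Squid's tproxy port.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$mark"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$mark/$mark" --on-port "$port"
}

# Stand-alone use: print the rule set without applying it.
DRY_RUN=1 tproxy_bridge_setup 3129 0x1 100
```

When checking a box that shows Irvan's symptom (the TPROXY counter climbing while Squid sees nothing), step 3 is the piece to compare first: `ip rule show` should list the fwmark rule and `ip route show table 100` the local default route, otherwise the marked packets leave the box as ordinary forwarded traffic.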