TPROXY4 + Fedora 13

Hi Guys, first post. 

I know there is a lot of material about configuring Squid in Interception Mode in the wiki / lists; like others I'm struggling to understand where problems might exist. Currently I have only got as far as routing; ideally I would like a bridged solution. I want to describe completely what my configuration is, as I think this may be useful to other users.

I have based my installation on the information at http://wiki.squid-cache.org/Features/Tproxy4 and overall I think the posting is clear; I think it could be improved by adding commands that demonstrate whether the configuration just applied succeeded or not.

My approach is that ideally I could use a distro for the base and inherit everything I need without having to compile code / kernel / etc.

Using Fedora 13 I get the following binaries; comparing these to the prereqs, they are all > the defined versions:

Kernel: 2.6.33.5-124
iptables: 1.4.7-2
Squid: 3.1.4-2
libcap: 2.17-1


The Fedora 13 distro has the following Kernel options set:

CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m


From the squid.spec in the src rpm shipped with Fedora 13, i.e. squid-3.1.4-2.fc13.src.rpm, I can see that the enable-linux-netfilter option is configured:

...
...
%ifnarch ppc64 ia64 x86_64 s390x
   --with-large-files \
%endif
   --enable-linux-netfilter \
   --enable-referer-log \
   --enable-removal-policies="heap,lru" \
   --enable-snmp \
...
...

lsmod on the Squid Host shows the tproxy module loaded:

Module                  Size  Used by
sunrpc                192013  1 
cpufreq_ondemand        8420  4 
acpi_cpufreq            7477  1 
freq_table              3851  2 cpufreq_ondemand,acpi_cpufreq
iptable_nat             5420  0 
nf_nat                 19059  1 iptable_nat
xt_TPROXY               2102  1 
xt_socket               2525  1 
nf_tproxy_core          2163  2 xt_TPROXY,xt_socket,[permanent]
xt_MARK                 1007  1 
iptable_mangle          3107  1 
ip6t_REJECT             4055  2 
nf_conntrack_ipv6      17513  2 
ip6table_filter         2743  1 
ip6_tables             16558  1 ip6table_filter
ipv6                  267033  36 ip6t_REJECT,nf_conntrack_ipv6
uinput                  7230  0 
tg3                   103314  0 
pl2303                 14822  0 
usbserial              32421  1 pl2303
i3200_edac              3104  0 
serio_raw               4539  0 
edac_core              37487  2 i3200_edac
iTCO_wdt               10864  0 
iTCO_vendor_support     2451  1 iTCO_wdt
i2c_i801               10086  0 
microcode              17930  0 
radeon                589438  0 
ttm                    53215  1 radeon
drm_kms_helper         23936  1 radeon
drm                   169073  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            4781  1 radeon
i2c_core               24507  5 i2c_i801,radeon,drm_kms_helper,drm,i2c_algo_bit
My setup is as follows:

Client (172.27.5.109) -> Squid Host (172.27.5.104) -> Gateway (172.27.5.1)

Internet access from Squid Host is working correctly.
# cat /proc/sys/net/ipv4/conf/lo/rp_filter; cat /proc/sys/net/ipv4/ip_forward
0
1


I modified the default /etc/squid/squid.conf and added the following:

acl our_networks src 172.27.1.0/24 172.27.2.0/24 172.27.3.0/24 172.27.4.0/24 172.27.5.0/24 172.27.6.0/24 172.27.7.0/24
http_access allow our_networks

...

# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy


I was getting an error about TPROXY not being present; I disabled selinux as suggested in the wiki page and startup proceeded ok.

After starting Squid, netstat shows port 3128 is there and I can connect directly to it and get back content (access.log / cache.log content is as expected).

Completing the router configuration as per http://wiki.squid-cache.org/Features/Tproxy4#iptables on a Router device, I get the following:

ip rule show 
0:	from all lookup local 
32765:	from all fwmark 0x1 lookup 100 
32766:	from all lookup main 
32767:	from all lookup default
NOTE: should there be more values here? If I do not run "ip rule add fwmark 1 lookup 100" I get an empty response, no values.

# ip route list table 100
local default dev lo  scope host 
Note below that, as described in the wiki, DIVERT is before TPROXY in PREROUTING.

/etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0           socket 
2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain DIVERT (1 references)
num  target     prot opt source               destination         
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK set 0x1 
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         



# ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:21:5E:4D:CB:9A  
          inet addr:172.27.5.104  Bcast:172.27.5.255  Mask:255.255.255.0
          inet6 addr: fe80::221:5eff:fe4d:cb9a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1289 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:243203 (237.5 KiB)  TX bytes:219417 (214.2 KiB)
          Interrupt:16 

eth1      Link encap:Ethernet  HWaddr 00:21:5E:4D:CB:9B  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:21 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

# ping 0.0.0.0
PING 0.0.0.0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.012 ms
^C
In this configuration I can connect directly to 3128 using Firefox and retrieve web pages. Turning the proxy setting off in Firefox, the browser hangs then times out.

From the client, if I try to ping an address on the internet, the ping hangs.

Any help would be gratefully received,
Damian.


--
Damian O'Neill, Director Software Solutions, BTI Systems, Belfast, UK
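Since the post asks for commands that show whether each step of the wiki configuration actually took effect, here is an added check script (not from the post or the Squid project) that tests the pieces shown above against the outputs of lsmod, ip rule, ip route, iptables-save and the two /proc sysctls. It assumes the values used in this post (fwmark 1, routing table 100, lo as the local interface) and the iptables-save line format for the mangle table.

```shell
#!/bin/sh
# Added check script (not from the post or the Squid project).
# Each check_* function takes command output as its first argument and
# returns 0 when the expected TPROXY setting is present; run_live gathers
# real output on the Squid host. Assumed values: fwmark 1, table 100, lo.

# Both modules the wiki calls for must appear in lsmod.
check_modules() {
    printf '%s\n' "$1" | grep -q '^xt_TPROXY[[:space:]]' &&
    printf '%s\n' "$1" | grep -q '^xt_socket[[:space:]]'
}

# A policy rule must send fwmark 0x1 traffic to routing table 100.
check_ip_rule() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100'
}

# Table 100 must contain the single "local default dev lo" entry.
check_route_table() {
    printf '%s\n' "$1" | grep -q '^local default dev lo'
}

# In mangle PREROUTING (iptables-save format) the socket-match DIVERT rule
# must come before the TPROXY rule, which is the order the wiki specifies.
check_mangle_order() {
    divert=$(printf '%s\n' "$1" | grep -n -- '^-A PREROUTING .*-m socket .*-j DIVERT' | head -1 | cut -d: -f1)
    tproxy=$(printf '%s\n' "$1" | grep -n -- '^-A PREROUTING .*-j TPROXY' | head -1 | cut -d: -f1)
    [ -n "$divert" ] && [ -n "$tproxy" ] && [ "$divert" -lt "$tproxy" ]
}

# rp_filter on lo must be 0 and ip_forward must be 1.
check_sysctl() {
    [ "$1" = 0 ] && [ "$2" = 1 ]
}

# Run every check against the live system (needs root for iptables-save).
run_live() {
    check_modules "$(lsmod)"                        && echo "modules: ok"      || echo "modules: MISSING"
    check_ip_rule "$(ip rule show)"                 && echo "ip rule: ok"      || echo "ip rule: MISSING"
    check_route_table "$(ip route list table 100)"  && echo "table 100: ok"    || echo "table 100: MISSING"
    check_mangle_order "$(iptables-save -t mangle)" && echo "mangle order: ok" || echo "mangle order: WRONG"
    check_sysctl "$(cat /proc/sys/net/ipv4/conf/lo/rp_filter)" \
                 "$(cat /proc/sys/net/ipv4/ip_forward)" && echo "sysctl: ok" || echo "sysctl: WRONG"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as "sh tproxy-check.sh --live" on the Squid host after each wiki step; a MISSING or WRONG line points at the step that did not take.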