
Re: TPROXY4 + Fedora 13

Damian O'Neill wrote:
Hi Guys, first post. I know there is a lot of material about configuring Squid in Interception Mode in the wiki / lists; like others, I'm struggling to understand where problems might exist. Currently I have only got as far as routing; ideally I would like a bridged solution. I want to describe completely what my configuration is, I think this may be useful to other users.
I have based my installation on the information on this page: http://wiki.squid-cache.org/Features/Tproxy4 Overall I think the posting is clear; I think it could be improved by adding commands that demonstrate whether the configuration just applied succeeded or not.

My approach is that ideally I could use a distro for the base and inherit everything I need without having to compile code / kernel / etc.

Using Fedora 13 I get the following binaries; comparing these to the prereqs, they are all > the defined versions:

Kernel: 2.6.33.5-124
iptables: 1.4.7-2
Squid: 3.1.4-2
libcap: 2.17-1


The Fedora 13 distro has the following Kernel options set:

CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m


From the squid.spec from the src rpm shipped with Fedora 13, i.e. squid-3.1.4-2.fc13.src.rpm, I can see that the enable linux netfilter option is configured:


...
%ifnarch ppc64 ia64 x86_64 s390x
    --with-large-files \
%endif
    --enable-linux-netfilter \
    --enable-referer-log \
    --enable-removal-policies="heap,lru" \
    --enable-snmp \
...


lsmod on the Squid Host shows the tproxy module loaded.

Module                  Size  Used by
sunrpc                192013  1
cpufreq_ondemand        8420  4
acpi_cpufreq            7477  1
freq_table              3851  2 cpufreq_ondemand,acpi_cpufreq
iptable_nat             5420  0
nf_nat                 19059  1 iptable_nat
xt_TPROXY               2102  1
xt_socket               2525  1
nf_tproxy_core          2163  2 xt_TPROXY,xt_socket,[permanent]
xt_MARK                 1007  1
iptable_mangle          3107  1
ip6t_REJECT             4055  2
nf_conntrack_ipv6      17513  2
ip6table_filter         2743  1
ip6_tables             16558  1 ip6table_filter
ipv6                  267033  36 ip6t_REJECT,nf_conntrack_ipv6
uinput                  7230  0
tg3                   103314  0
pl2303                 14822  0
usbserial              32421  1 pl2303
i3200_edac              3104  0
serio_raw               4539  0
edac_core              37487  2 i3200_edac
iTCO_wdt               10864  0
iTCO_vendor_support     2451  1 iTCO_wdt
i2c_i801               10086  0
microcode              17930  0
radeon                589438  0
ttm                    53215  1 radeon
drm_kms_helper         23936  1 radeon
drm                   169073  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            4781  1 radeon
i2c_core               24507  5 i2c_i801,radeon,drm_kms_helper,drm,i2c_algo_bit

My setup is as follows:

Client (172.27.5.109) -> Squid Host (172.27.5.104) -> Gateway (172.27.5.1)

Internet access from Squid Host is working correctly.

# cat /proc/sys/net/ipv4/conf/lo/rp_filter; cat /proc/sys/net/ipv4/ip_forward
0
1


I modified the default /etc/squid/squid.conf and added the following:

acl our_networks src 172.27.1.0/24 172.27.2.0/24 172.27.3.0/24 172.27.4.0/24 172.27.5.0/24 172.27.6.0/24 172.27.7.0/24
http_access allow our_networks

...

# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy


I was getting an error about TPROXY not being present, I disabled selinux as suggested in the wiki page and startup proceeded ok.


Start Squid and netstat shows port 3128 is there; I can connect directly to it and get back content (access.log / cache.log content is as expected).


Completing the router configuration as per http://wiki.squid-cache.org/Features/Tproxy4#iptables on a Router device, I get the following:

# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

NOTE, should there be more values here? If I do not run "ip rule add fwmark 1 lookup 100" I get an empty response, no values.

# ip route list table 100
local default dev lo scope host

Our config made with kernel 2.6.30 on Linux seems to be slightly deficient on some systems with higher security boundaries between lo and other devices.

The report on netfilter was that setting "ip route add local 0.0.0.0/0 dev lo table 100" for each different device on the box solved the problem.

NP: just updated wiki to mention this.

<snip>
The rest looks okay, apart from eth1 not having an IP.



In this configuration I can connect directly to 3128 using Firefox and return webpages. Turning the proxy setting off in Firefox, the browser hangs then times out.

From the client if I try to ping an address in the internet the ping hangs.

That is a sign of some routing network problem right there. ICMP protocol (ping) is not supposed to be involved with TPROXY (which is HTTP over TCP only).

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
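Damian asks for commands that show whether each configuration step actually took effect, and the table-100 route Amos points to is one of the steps worth checking. The script below is an added example, not code from this thread or from the Squid project: a POSIX shell checker for the pieces discussed above (the fwmark rule, the table 100 local route, the loaded modules, the two sysctl values and the tproxy http_port). It assumes the wiki's table number 100 and fwmark 0x1, and Damian's /etc/squid/squid.conf path.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: text checks for the
# TPROXY pieces discussed above. Each check reads command output on stdin, so
# it also works on output pasted from another host; run_live_checks feeds it
# the live output of this host.

# "ip rule show" must carry a rule sending fwmark 0x1 packets to table 100
rule_has_fwmark_100() {
    grep -Eq 'fwmark 0x1(/0x[0-9a-f]+)? lookup 100([[:space:]]|$)'
}

# "ip route list table 100" must send everything to lo (the route Amos names)
table_has_local_default() {
    grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# lsmod must list both the TPROXY target and the socket match
lsmod_has_tproxy() {
    awk '$1 == "xt_TPROXY" {t = 1} $1 == "xt_socket" {s = 1} END {exit !(t && s)}'
}

# rp_filter on lo must be 0 and ip_forward 1, the values Damian shows
sysctl_ok() {
    [ "$1" = "0" ] && [ "$2" = "1" ]
}

# squid.conf must declare at least one uncommented http_port with the tproxy flag
conf_has_tproxy_port() {
    grep -Eq '^[[:space:]]*http_port[[:space:]]+[^[:space:]]+([[:space:]]+[^[:space:]]+)*[[:space:]]+tproxy([[:space:]]|$)'
}

# Run all checks on this host, one PASS/FAIL line each; non-zero if any fail.
# ip and lsmod usually need root. Assumes /etc/squid/squid.conf and table 100.
run_live_checks() {
    rc=0
    check() {  # $1 label, $2 captured output, rest: check function (+ args)
        label=$1; data=$2; shift 2
        if printf '%s\n' "$data" | "$@"; then echo "PASS: $label"
        else echo "FAIL: $label"; rc=1; fi
    }
    check "fwmark 0x1 -> table 100 rule" "$(ip rule show 2>/dev/null)" rule_has_fwmark_100
    check "table 100 routes local default to lo" "$(ip route list table 100 2>/dev/null)" table_has_local_default
    check "xt_TPROXY and xt_socket loaded" "$(lsmod 2>/dev/null)" lsmod_has_tproxy
    check "rp_filter(lo)=0 and ip_forward=1" "" sysctl_ok \
        "$(cat /proc/sys/net/ipv4/conf/lo/rp_filter 2>/dev/null)" "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)"
    check "squid.conf has an http_port with tproxy" "$(cat /etc/squid/squid.conf 2>/dev/null)" conf_has_tproxy_port
    return $rc
}

# Only touch the live host when asked: ./tproxy_check.sh --live
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Without --live the script only defines the functions, so the same checks can be run on captured output from a box you cannot log in to.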

