Would it be possible to run tproxy on a single ethernet interface, with the gateway,
squid box and clients all on the same subnet (squid box acting as gateway)?
I'm trying to run tproxy in a lab on Ubuntu 10.04; I don't know what else is
missing or wrong. The squid box works fine as the gateway without tproxy.
These private IPs would be replaced with public IPs in production.
The squid box runs as the gateway on a single ethernet interface.
squidbox:
gateway 192.168.0.254
ip 192.168.0.123
client:
gateway 192.168.0.123
ip 192.168.0.197
root@ubuntu:~# uname -r
2.6.32-25-generic-pae
# Show which conntrack/TPROXY/socket-match options this kernel was built with.
grep -E '(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)' "/boot/config-$(uname -r)"
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
iptables v1.4.4
libcap-dev 1:2.17-2ubuntu1
libcap2 1:2.17-2ubuntu1
sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.lo.rp_filter=0
/tproxy script:
{{{
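#!/bin/sh
# Set up Linux TPROXY interception of TCP port 80 for a Squid listening on
# port 3129 (squid.conf: "http_port 3129 tproxy").
#
# Must run as root. The script is re-runnable: teardown of the previous
# policy rule/route and creation of the DIVERT chain are best-effort, so
# a second run does not stop at "RTNETLINK answers: No such file" or
# "Chain already exists".
#
# NOTE(review): the sysctl.conf shown with this script disables rp_filter
# only on lo; confirm it is also disabled on the interface the client
# traffic arrives on, otherwise the spoofed-source replies may be dropped.
set -u

MARK=1          # fwmark that selects routing table $TABLE
TABLE=100       # policy-routing table that sends marked packets to lo
TPROXY_PORT=3129

# Tear down a previous run; errors are expected on the first run.
ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null || true
ip route del local 0.0.0.0/0 dev lo table "$TABLE" 2>/dev/null || true

# CAUTION: -F without a chain name flushes the whole table, i.e. any
# firewall rules already loaded on this gateway are removed as well.
iptables -F
iptables -F -t mangle
iptables -F -t nat

# DIVERT: packets that already belong to a local socket (established
# intercepted connections) get the mark so the policy rule below routes
# them locally instead of forwarding them. -F does not delete chains,
# hence the best-effort -N.
iptables -t mangle -N DIVERT 2>/dev/null || true
iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

# New connections to port 80: hand them to Squid's tproxy port without
# rewriting the destination address, and apply the same mark.
iptables -t mangle -A PREROUTING -p tcp --dport 80 \
  -j TPROXY --tproxy-mark "0x$MARK/0x$MARK" --on-port "$TPROXY_PORT"

# Marked packets are delivered locally over lo.
ip rule add fwmark "$MARK" lookup "$TABLE"
ip route add local 0.0.0.0/0 dev lo table "$TABLE"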
}}}
sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.lo.rp_filter=0
root@ubuntu:~# squid -v
Squid Cache: Version 3.1.9
configure options: '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid' '--srcdir=.'
'--datadir=${prefix}/share/squid' '--sysconfdir=/etc/squid'
'--enable-async-io' '--with-pthreads' '--enable-storeio=aufs'
'--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp'
'--enable-linux-netfilter'
'--with-large-files' --with-squid=/root/squid-3.1.9
squid.conf has
http_port 3129 tproxy