Search squid archive

Re: tproxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27/11/10 00:53, jiluspo wrote:
Would be posible to run tproxy in single ethernet, same subset of
gateway, squid box, clients(squid box as gateway)?

It could be difficult at best. You cannot rely on any IP-level networking mechanisms to get the packet handling right.

The ideal TPROXY setup works with two interfaces using TCP socket numbers and interface MAC address to pass packets around instead of IP address and port.

I'm trying to run tproxy at lab on ubuntu 10.04, I dont know what else

I've had mixed reports for Ubuntu TPROXY support. The cause of the failure reports has not been clear.

missing/wrong. squidbox as gateway works fine without tproxy.
This private IPs would be replaced with public IPs in production.

squid box runs as gateway single ethernet.
squidbox:
gateway 192.168.0.254
ip 192.168.0.123

client:
gateway 192.168.0.123
ip 192.168.0.197

root@ubuntu:~# uname -r
2.6.32-25-generic-pae

cat /boot/config-`uname -r` | grep -E
'(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m

iptables v1.4.4

libcap-dev 1:2.17-2ubuntu1
libcap2 1:2.17-2ubuntu1

sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.lo.rp_filter=0

Some OS has to have these set for "all" interfaces as well as all the individual ethN. I'm still trying to figure the logic behind that out.

In those cases there also needs to be a table 100 created for the public interfaces.


/tproxy script:
{{{
#!/bin/sh
ip rule del fwmark 1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100

If the above lines are doing anything the script is breaking something.
There is a very important MUST when setting TPROXY up that the table number is not clashing/sharing with any other feature in system.
The "100" here is an arbitrary number you can change as needed.

iptables -F
iptables -F -t mangle
iptables -F -t nat

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
}}}

sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.lo.rp_filter=0

root@ubuntu:~# squid -v
Squid Cache: Version 3.1.9
configure options: '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid' '--srcdir=.'
'--datadir=${prefix}/share/squid' '--sysconfdir=/etc/squid'
'--enable-async-io' '--with-pthreads' '--enable-storeio=aufs'
'--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp'
'--enable-linux-netfilter' '--with-large-files'
--with-squid=/root/squid-3.1.9

squid.conf has
http_port 3129 tproxy





--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux