On 27/11/10 00:53, jiluspo wrote:
> Would it be possible to run tproxy in single ethernet, same subnet of
> gateway, squid box, clients (squid box as gateway)?

It could be difficult at best. You cannot rely on any IP-level
networking mechanisms to get the packet handling right.
The ideal TPROXY setup works with two interfaces using TCP socket
numbers and interface MAC address to pass packets around instead of IP
address and port.

> I'm trying to run tproxy at lab on ubuntu 10.04, I don't know what else

I've had mixed reports for Ubuntu TPROXY support. The cause of the
failure reports has not been clear.

> missing/wrong. squidbox as gateway works fine without tproxy.
> These private IPs would be replaced with public IPs in production.
> squid box runs as gateway on a single ethernet.
>
> squidbox:
> gateway 192.168.0.254
> ip 192.168.0.123
>
> client:
> gateway 192.168.0.123
> ip 192.168.0.197
>
> root@ubuntu:~# uname -r
> 2.6.32-25-generic-pae
>
> cat /boot/config-`uname -r` | grep -E '(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
> CONFIG_NF_CONNTRACK=m
> CONFIG_NETFILTER_TPROXY=m
> CONFIG_NETFILTER_XT_TARGET_TPROXY=m
> CONFIG_NETFILTER_XT_MATCH_SOCKET=m
>
> iptables v1.4.4
> libcap-dev 1:2.17-2ubuntu1
> libcap2 1:2.17-2ubuntu1
>
> sysctl.conf
> net.ipv4.ip_forward=1
> net.ipv4.conf.lo.rp_filter=0

Some OSes have to have these set for "all" interfaces as well as all the
individual ethN. I'm still trying to figure the logic behind that out.
In those cases there also needs to be a table 100 created for the public
interfaces.

> /tproxy script:
> {{{
> #!/bin/sh
> ip rule del fwmark 1 lookup 100
> ip route del local 0.0.0.0/0 dev lo table 100

If the above lines are doing anything the script is breaking something.
There is a very important MUST when setting TPROXY up that the table
number is not clashing/sharing with any other feature in the system.
The "100" here is an arbitrary number you can change as needed.

> iptables -F
> iptables -F -t mangle
> iptables -F -t nat
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> }}}
>
> sysctl.conf:
> net.ipv4.ip_forward=1
> net.ipv4.conf.lo.rp_filter=0
>
> root@ubuntu:~# squid -v
> Squid Cache: Version 3.1.9
> configure options: '--prefix=/usr' '--localstatedir=/var'
> '--libexecdir=${prefix}/lib/squid' '--srcdir=.'
> '--datadir=${prefix}/share/squid' '--sysconfdir=/etc/squid'
> '--enable-async-io' '--with-pthreads' '--enable-storeio=aufs'
> '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp'
> '--enable-linux-netfilter' '--with-large-files'
> --with-squid=/root/squid-3.1.9
>
> squid.conf has
> http_port 3129 tproxy

--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
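As an added example (not from this thread or from the Squid project), a small POSIX sh pre-flight that checks the two things the reply above warns about before the /tproxy script is run: that routing table 100 is not shared with some other feature, and that rp_filter is off for "all" as well as every individual interface. The function names, the VPN rule in the sample `ip rule show` output and the sample sysctl lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-flight checks for the /tproxy
# script above. Table 100 is the number used in the thread's script.
TPROXY_TABLE=100

# foreign_rules TABLE  (reads "ip rule show" output on stdin)
# Prints rules that select TABLE without matching on fwmark, i.e. rules
# owned by some other feature. TPROXY needs the table to itself.
foreign_rules() {
    grep -E "lookup $1\$" | grep -v fwmark || true
}

# count_foreign_rules TABLE: number of such rules (0 means the table is free)
count_foreign_rules() {
    foreign_rules "$1" | awk 'END { print NR }'
}

# rp_filter_enabled  (reads "sysctl net.ipv4.conf" output on stdin)
# Prints each <name> in net.ipv4.conf.<name>.rp_filter that is non-zero;
# "all" and "default" count as well as lo and the individual ethN.
rp_filter_enabled() {
    awk -F'[ .=]+' '/^net\.ipv4\.conf\.[^.]+\.rp_filter/ && $NF != 0 { print $4 }'
}

# preflight: both checks against the live box; exit status 0 only if clean
preflight() {
    n=$(ip rule show | count_foreign_rules "$TPROXY_TABLE")
    [ "$n" -eq 0 ] || { echo "table $TPROXY_TABLE is shared with:"; ip rule show | foreign_rules "$TPROXY_TABLE"; }
    on=$(sysctl net.ipv4.conf 2>/dev/null | rp_filter_enabled)
    [ -z "$on" ] || echo "rp_filter still on for:" $on
    [ "$n" -eq 0 ] && [ -z "$on" ]
}

# Constructed sample output so the parsers can be tried offline: a box where
# a VPN already routes through table 100 and rp_filter is on for all/eth0.
SAMPLE_RULES='0:      from all lookup local
32764:  from 10.8.0.0/24 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

if [ "${1-}" = "live" ]; then
    preflight            # ./tproxy-check.sh live  (as root, on the squid box)
else
    echo "rules sharing table $TPROXY_TABLE: $(echo "$SAMPLE_RULES" | count_foreign_rules "$TPROXY_TABLE")"
    echo "rp_filter on for:" $(echo "$SAMPLE_SYSCTL" | rp_filter_enabled)
fi
```

Run without arguments it only exercises the parsers on the constructed samples; with `live` it reads the real `ip rule show` and sysctl output and fails if either check is not clean.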