Trying this one more time to see if anyone might know what's wrong in getting my transparent bridging with squid to work.

Config... pings work through the box (the bridge is working; however, the 3129 socket never pops with an HTTP request). Admin on eth1, Internet on eth0 and inside (client) interface on eth2. br0 used as the bridge.

Running Fedora Core 14 (but went back as far as 12 and couldn't get it to work).

Squid Cache: Version 3.HEAD-20110307
configure options: '--enable-ecap' '--enable-icap-client' '--enable-linux-netfilter' --enable-ltdl-convenience
iptables-1.4.9-1.fc14.i686
kernel-2.6.35.11-83.fc14.i686
ebtables-2.0.9-5.fc13.i686

Went as far as to turn on dynamic debug logging and I don't see what's wrong, but the connect never seems to get made to the 3129 socket.

[  214.914113] TRACE: mangle:PREROUTING:rule:2 IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3380 DF PROTO=TCP SPT=48255 DPT=80 SEQ=1363486620 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A02522AA80000000001030306)
[  214.914155] xt_TPROXY: redirecting: proto 6 c0a80158:80 -> 00000000:3129, mark: 1
[  217.920783] TRACE: raw:PREROUTING:policy:3 IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3381 DF PROTO=TCP SPT=48255 DPT=80 SEQ=1363486620 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A025236680000000001030306)
[  217.920846] TRACE: mangle:PREROUTING:rule:2 IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3381 DF PROTO=TCP SPT=48255 DPT=80 SEQ=1363486620 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A025236680000000001030306)
[  217.920891] xt_TPROXY: redirecting: proto 6 c0a80158:80 -> 00000000:3129, mark: 1

[root@fw01 ~]# iptables -t raw -L -v; echo '------'; iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 13966 packets, 5291K bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 TRACE      tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    4   208 TRACE      tcp  --  any    any     anywhere             anywhere            tcp spt:http

Chain OUTPUT (policy ACCEPT 11445 packets, 5781K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TRACE      tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 TRACE      tcp  --  any    any     anywhere             anywhere            tcp spt:http
------
Chain PREROUTING (policy ACCEPT 3843 packets, 4678K bytes)
 pkts bytes target     prot opt in     out     source               destination
10086  586K DIVERT     tcp  --  any    any     anywhere             anywhere            socket
   14   840 TPROXY     tcp  --  any    any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0xffffffff

Chain INPUT (policy ACCEPT 10284 packets, 622K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 19 packets, 25784 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11443 packets, 5780K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 11483 packets, 5810K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
10086  586K MARK       all  --  any    any     anywhere             anywhere            MARK set 0x1
10086  586K ACCEPT     all  --  any    any     anywhere             anywhere
[root@fw01 ~]#

[root@fw01 ~]# ebtables -t broute -L --Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth2 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP, pcnt = 19 -- bcnt = 1140
-p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP, pcnt = 0 -- bcnt = 0

2011/03/14 23:59:02.029 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0x9115470 [call8]
2011/03/14 23:59:02.029 kid1| comm_openex: Attempt open socket for: [::]:3128
2011/03/14 23:59:02.029 kid1| comm_openex: Opened socket FD 15 : family=10, type=1, protocol=6
2011/03/14 23:59:02.030 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 15, err=0, port=0x8e993b8) [call8]
2011/03/14 23:59:02.030 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0x9115558 [call10]
2011/03/14 23:59:02.030 kid1| comm_openex: Attempt open socket for: 0.0.0.0:3129
2011/03/14 23:59:02.030 kid1| comm_openex: Opened socket FD 16 : family=2, type=1, protocol=6
2011/03/14 23:59:02.030 kid1| comm: com_set_transparent() port mode for addr:'0.0.0.0:3129'.
2011/03/14 23:59:02.030 kid1| comm_open: set (IP_TRANSPARENT) on FD 16
2011/03/14 23:59:02.030 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 16, err=0, port=0x8e99440) [call10]
2011/03/14 23:59:02.030 kid1| HTCP Disabled.
2011/03/14 23:59:02.030 kid1| Squid plugin modules loaded: 0
2011/03/14 23:59:02.030 kid1| Adaptation support is off.
2011/03/14 23:59:02.030 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation services
2011/03/14 23:59:02.030 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation service groups
2011/03/14 23:59:02.030 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation access rules
2011/03/14 23:59:02.030 kid1| Ready to serve requests.
2011/03/14 23:59:02.031 kid1| entering clientListenerConnectionOpened(FD 15, err=0, port=0x8e993b8)
2011/03/14 23:59:02.031 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call8]
2011/03/14 23:59:02.031 kid1| AcceptingHTTP Socket connections at FD 15 on [::]:3128
2011/03/14 23:59:02.031 kid1| leaving clientListenerConnectionOpened(FD 15, err=0, port=0x8e993b8)
2011/03/14 23:59:02.031 kid1| entering clientListenerConnectionOpened(FD 16, err=0, port=0x8e99440)
2011/03/14 23:59:02.031 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call10]
2011/03/14 23:59:02.031 kid1| Accepting spoofingHTTP Socket connections at FD 16 on 0.0.0.0:3129
2011/03/14 23:59:02.031 kid1| leaving clientListenerConnectionOpened(FD 16, err=0, port=0x8e99440)
2011/03/14 23:59:02.689 kid1| logfile_mod_daemon_append: daemon:/usr/local/squid/var/logs/access.log: appending 2 bytes
2011/03/14 23:59:02.689 kid1| logfile_mod_daemon_append: current buffer has 7 of 32768 bytes before append
2011/03/14 23:59:02.689 kid1| logfileHandleWrite: daemon:/usr/local/squid/var/logs/access.log: write returned 9
2011/03/14 23:59:02.689 kid1| storeLateRelease: released 0 objects
[root@fw01 ~]#

[root@fw01 ~]# ip route list table all
local default dev lo table 100 scope host
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.78
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.66
169.254.0.0/16 dev eth1 scope link metric 1003
default via 192.168.1.254 dev br0
local 192.168.1.66 dev br0 table local proto kernel scope host src 192.168.1.66
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.78
broadcast 192.168.1.0 dev br0 table local proto kernel scope link src 192.168.1.66
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.78
broadcast 192.168.1.255 dev br0 table local proto kernel scope link src 192.168.1.66
local 192.168.1.78 dev eth1 table local proto kernel scope host src 192.168.1.78
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
unreachable ::/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 2002:a00::/24 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 2002:7f00::/24 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 2002:a9fe::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 2002:ac10::/28 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 2002:c0a8::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 2002:e000::/19 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::207:e9ff:fee5:ac7a via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::240:f4ff:fecd:170 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::240:f4ff:fecd:170 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::2a0:c9ff:fe08:4c26 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev eth2 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255

[root@fw01 ~]# ip rule list
0:      from all lookup local
32763:  from all fwmark 0x1 iif eth2 lookup 100
32764:  from all fwmark 0x1 iif eth0 lookup 100
32765:  from all fwmark 0x1 iif lo lookup 100
32766:  from all lookup main
32767:  from all lookup default

[root@fw01 ~]# cat /proc/sys/net/bridge/*
0
0
0
0
0
[root@fw01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@fw01 ~]# cat /proc/sys/net/ipv4/conf/all/rp_filter
0

Lastly -- the script I used to do the config.

#!/bin/bash
set -x

CLIENT_IFACE=eth2
INET_IFACE=eth0

# Take the two bridge members down, clear their addresses and rebuild br0
ifconfig $CLIENT_IFACE down
ifconfig $INET_IFACE down
ifconfig $CLIENT_IFACE 0.0.0.0 up
ifconfig $INET_IFACE 0.0.0.0 up
ifconfig br0 down
brctl delbr br0
brctl addbr br0
brctl addif br0 $CLIENT_IFACE
brctl addif br0 $INET_IFACE
brctl stp br0 on
# ifconfig br0 up
dhclient br0

#ip route flush table 100
#ip rule add fwmark 1 lookup 100
#ip route add local 0.0.0.0/0 dev lo table 100
#echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
#echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Policy routing for TPROXY: marked packets are looked up in table 100,
# which delivers everything locally
ip rule del dev lo fwmark 1 lookup 100
ip rule del dev eth0 fwmark 1 lookup 100
ip rule del dev eth2 fwmark 1 lookup 100
ip rule add dev lo fwmark 1 lookup 100
ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth2 fwmark 1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100
ip route add local 0.0.0.0/0 dev lo table 100
ip route flush cache

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

iptables -t filter -F

# TRACE port-80 traffic in both directions so the netfilter path shows up in the kernel log
iptables -t raw -F
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE
iptables -t raw -A PREROUTING -p tcp --sport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --sport 80 -j TRACE

#iptables-restore < /root/squid-iptables-tproxy.save
iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 1 --on-port 3129

modprobe ipt_LOG

# Pull port-80 frames out of the bridge path so they get routed (and hit iptables PREROUTING)
#ebtables-restore < /root/squid-ebtables-tproxy.save
ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

# turn off filtering of bridged traffic in the forward stage of iptables
#
cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

James S. Binder
Vice President, Engineering
Cyphort Inc., jbinder@xxxxxxxxxxx
408.761.1403 (cell)
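A small diagnostic for exactly this kind of trace, added here as an example; it is not part of the post above and not Squid or netfilter project code. It reconstructs, per packet, which netfilter hooks a TRACEd SYN was seen in, attaches the xt_TPROXY "redirecting" line to the packet traced just before it, and then checks the two TPROXY routing prerequisites against `ip rule` / `ip route list table all` output (a fwmark rule for the ingress interface and a local default route in the TPROXY table). The kernel log sample is constructed from the post's lines (abridged fields, plus the raw:PREROUTING line for ID 3380 that the post's quote cuts off); the third packet (IP ID 3390, source port 48300) is entirely constructed to show the mangle:INPUT / filter:INPUT hooks a redirected SYN traverses when it does reach the local socket. The `ip rule` and route lines are taken from the post.

```python
"""Reconstruct per-packet netfilter hook paths from kernel TRACE / xt_TPROXY lines and
check TPROXY routing prerequisites. Added example, not code from the original post."""
import re
import socket
import struct
from collections import OrderedDict

TRACE_RE = re.compile(r'^\[\s*(?P<ts>\d+\.\d+)\]\s+TRACE:\s+(?P<table>\w+):(?P<chain>\w+):'
                      r'(?P<kind>\w+):(?P<num>\d+)\s+(?P<fields>.*)$')
TPROXY_RE = re.compile(r'^\[\s*\d+\.\d+\]\s+xt_TPROXY: redirecting: proto (?P<proto>\d+) '
                       r'(?P<dst>[0-9a-f]{8}):(?P<dport>\d+) -> (?P<to>[0-9a-f]{8}):(?P<tport>\d+), '
                       r'mark: (?P<mark>\d+)$')
FIELD_RE = re.compile(r'(\w+)=(\S*)')
RULE_RE = re.compile(r'^\s*\d+:\s+from all fwmark (?P<mark>0x[0-9a-fA-F]+|\d+)'
                     r'(?: iif (?P<iif>\S+))? lookup (?P<table>\S+)')
LOCAL_ROUTE_RE = re.compile(r'^local\s+(?:default|0\.0\.0\.0/0)\s+dev\s+lo\s+table\s+(?P<table>\S+)')

# Constructed sample modelled on the post's trace: one flow (IDs 3380/3381, a SYN
# retransmission) that TPROXY redirects but which is never traced in an INPUT chain, and a
# constructed flow (ID 3390) showing the hooks a redirected SYN hits when delivered locally.
_T = ('[{ts}] TRACE: {hook} IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 '
      'SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={id} DF '
      'PROTO=TCP SPT={spt} DPT=80 SEQ=1363486620 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0')
_R = '[{ts}] xt_TPROXY: redirecting: proto 6 c0a80158:80 -> 00000000:3129, mark: 1'
SAMPLE_DMESG = '\n'.join([
    _T.format(ts=' 214.914090', hook='raw:PREROUTING:policy:3', id=3380, spt=48255),
    _T.format(ts=' 214.914113', hook='mangle:PREROUTING:rule:2', id=3380, spt=48255),
    _R.format(ts=' 214.914155'),
    _T.format(ts=' 217.920783', hook='raw:PREROUTING:policy:3', id=3381, spt=48255),
    _T.format(ts=' 217.920846', hook='mangle:PREROUTING:rule:2', id=3381, spt=48255),
    _R.format(ts=' 217.920891'),
    _T.format(ts=' 300.000100', hook='raw:PREROUTING:policy:3', id=3390, spt=48300),
    _T.format(ts=' 300.000120', hook='mangle:PREROUTING:rule:2', id=3390, spt=48300),
    _R.format(ts=' 300.000130'),
    _T.format(ts=' 300.000140', hook='mangle:INPUT:policy:1', id=3390, spt=48300),
    _T.format(ts=' 300.000150', hook='filter:INPUT:policy:1', id=3390, spt=48300)])
# From the post's `ip rule list` and `ip route list table all` (relevant lines only).
SAMPLE_IP_RULE = ('0:\tfrom all lookup local\n32763:\tfrom all fwmark 0x1 iif eth2 lookup 100\n'
                  '32764:\tfrom all fwmark 0x1 iif eth0 lookup 100\n32765:\tfrom all fwmark 0x1 iif lo '
                  'lookup 100\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n')
SAMPLE_IP_ROUTE = ('local default dev lo table 100 scope host\n'
                   '192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.66\n'
                   'default via 192.168.1.254 dev br0\n')


def hex_to_ip(h):
    """xt_TPROXY prints IPv4 addresses as 8 hex digits in network byte order."""
    return socket.inet_ntoa(struct.pack('!I', int(h, 16)))


def parse_kernel_log(text):
    """Group lines into packets keyed by (src, spt, dst, dpt, ip_id) with their hook path.
    The xt_TPROXY line carries no source, so it is attributed to the packet traced just
    before it when the original destination matches."""
    packets, last = OrderedDict(), None
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            f = dict(FIELD_RE.findall(m.group('fields')))
            key = (f['SRC'], f['SPT'], f['DST'], f['DPT'], f['ID'])
            last = packets.setdefault(key, {'key': key, 'ingress': f['IN'], 'hooks': [],
                                            'tproxy': None, 'syn': 'SYN' in m.group('fields').split()})
            last['hooks'].append('%s:%s' % (m.group('table'), m.group('chain')))
            continue
        m = TPROXY_RE.match(line)
        if m and last and (hex_to_ip(m.group('dst')), m.group('dport')) == last['key'][2:4]:
            last['tproxy'] = '%s:%s' % (hex_to_ip(m.group('to')), m.group('tport'))
    return packets


def summarize_flows(packets):
    """Collapse packets into flows: retransmissions, last hook seen, TPROXY target, INPUT reached."""
    flows = OrderedDict()
    for key, pkt in packets.items():
        s = flows.setdefault(key[:4], {'ingress': pkt['ingress'], 'packets': 0, 'syn_packets': 0,
                                       'last_hook': None, 'tproxy_target': None, 'reached_input': False})
        s['packets'] += 1
        s['syn_packets'] += int(pkt['syn'])
        s['last_hook'] = pkt['hooks'][-1]
        s['tproxy_target'] = pkt['tproxy'] or s['tproxy_target']
        s['reached_input'] = s['reached_input'] or any(h.endswith(':INPUT') for h in pkt['hooks'])
    for s in flows.values():
        s['syn_retransmits'] = max(0, s['syn_packets'] - 1)
    return flows


def diagnose(flows):
    """Per-flow findings, based only on what the trace shows."""
    out = []
    for flow, s in flows.items():
        if s['tproxy_target'] and not s['reached_input']:
            out.append((flow, 'TPROXY redirected to %s but no INPUT chain traced (%d SYN retransmit(s)): '
                        'verify the fwmark policy rule and local route in the TPROXY table, and the '
                        'effective rp_filter (max of conf/all and conf/%s) on the ingress interface'
                        % (s['tproxy_target'], s['syn_retransmits'], s['ingress'])))
        elif s['tproxy_target']:
            out.append((flow, 'TPROXY redirected to %s and delivered locally (last hook %s)'
                        % (s['tproxy_target'], s['last_hook'])))
    return out


def check_tproxy_routing(rule_text, route_text, ingress, mark=1, table=100):
    """Is there a fwmark rule to `table` for each ingress device, and a local default route in it?"""
    iifs = [m.group('iif') for m in map(RULE_RE.match, rule_text.splitlines())
            if m and int(m.group('mark'), 0) == mark and m.group('table') == str(table)]
    rule_ok = {dev: (None in iifs or dev in iifs) for dev in ingress}  # None = rule without iif
    local_route_ok = any(m and m.group('table') == str(table)
                         for m in map(LOCAL_ROUTE_RE.match, route_text.splitlines()))
    return {'rule_ok': rule_ok, 'local_route_ok': local_route_ok}


def run_report(dmesg=SAMPLE_DMESG, rules=SAMPLE_IP_RULE, routes=SAMPLE_IP_ROUTE):
    flows = summarize_flows(parse_kernel_log(dmesg))
    ingress = {s['ingress'] for s in flows.values() if s['tproxy_target']}
    return flows, diagnose(flows), check_tproxy_routing(rules, routes, ingress)


if __name__ == '__main__':
    for flow, note in run_report()[1]:
        print('%s:%s -> %s:%s  %s' % (flow + (note,)))
    print('routing prerequisites:', run_report()[2])
```

On a real box, feed it `dmesg` (with the raw-table TRACE rules from the script in place), `ip rule list` and `ip route list table all`; the rp_filter hint in the finding reflects the kernel's rule that the effective value on an interface is the maximum of conf/all and that interface's own setting, so a zero in conf/all alone does not show the whole picture.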