On 08/18/2011 05:50 PM, Amos Jeffries wrote:
On 18/08/11 22:51, Benjamin wrote:
I tested interception in bridge mode with the current setup. That is working
fine, but when I configure TPROXY, it is not working. Please guide me for
that.
Thanks,
Benjo
Hi,
Any suggestions please.
My Current Network Setup:
WAN ROUTER(114.30.XX.1 --- public ip)
|
|
|
SWITCH
|
|
|
SQUID BOX (114.30.XX.19 gw: 114.30.XX.1) ( bridge mode)
|
|
|
BANDWIDTH MGMT. LINUX BOX ( 114.30.XX.10 gw: 114.30.XX.1)
|
|
|
END USERS ( mix with private ips and public ips )
At the squid box: eth0 -----> internet (cable from switch)
eth1 -----> cable connected to BANDWIDTH MGMT. LINUX BOX
...
ebtables -t broute --list
Bridge table: broute
Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
Unless you changed the config between posts that means port 80 traffic
_from_ the Internet is being passed to the proxy. Same for traffic
received _from_ internal web servers.
According to the cabling diagram that should be:
-i eth0 --ip-sport 80
-i eth1 --ip-dport 80
... or plug the cables the other way around.
Alternatively, and at least for testing, drop the -i NIC parameters
entirely and route everything to or from port 80.
<from earlier in the thread>
iptables -L -nvx -t mangle
Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
 pkts  bytes    target  prot opt in  out  source     destination
 10993 689414   DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
 16765 1000259  TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
...
OS CENTOS 6 64 bit
squid : 3.1.4
KERNEL : 2.6.32-71.29.1.el6.x86_64
Indeed this shows some packets that should be showing up in Squid
logs. As TCP_DENIED visitors if my assessment of the ebtables rules is
correct. But either way, showing up.
This looks a LOT like the problem Debian Lenny and Ubuntu Lucid have.
They also had kernels from early 2.6.3n numbers. Indeed going back to
my notes (in the wiki):
"2.6.32 to 2.6.34 have bridging issues on some systems. Please use
2.6.30 or 2.6.31 for production machines, they seem to work properly."
I wrote that while monitoring TPROXY related patches going into the
kernel. About the time 2.6.36 came out.
So if you can, 2.6.35 or later should work (the later the better).
Most people working with Debian Squeeze (kernel 2.6.37+) have had no
problems AFAICT. That success should be mirrored in other distros on
the similar kernel versions.
Amos
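The direction mix-up Amos describes is easy to check mechanically. The script below is an added example, not code from the squid-users thread or from the Squid project: it takes the text of an `ebtables -t broute --list` dump plus the assumed cabling (WAN NIC facing the Internet, LAN NIC facing the users) and flags BROUTING redirect rules whose port match is on the wrong side, then prints the corrected rule pair as commands without running them. The sample listing is constructed from the one posted above; the NIC names and the helper functions are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): audit an
# `ebtables -t broute --list` dump for a bridged Squid interception box.
#
# Assumed cabling, as in the thread's diagram: WAN_NIC faces the Internet,
# LAN_NIC faces the users. Requests from users arrive on LAN_NIC with
# destination port 80; replies from web servers arrive on WAN_NIC with
# source port 80. A rule on the WAN NIC matching --ip-dport 80 instead
# diverts port-80 traffic coming *from* the Internet to the proxy.

# Constructed sample: the (inverted) listing posted in the thread.
SAMPLE_LISTING='Bridge table: broute
Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect'

# classify_rule WAN_NIC LAN_NIC "rule line" -> one verdict line on stdout
classify_rule() {
    wan=$1; lan=$2; rule=$3
    case "$rule" in
        *"-i "*) ;;                                  # NIC-restricted: checked below
        *) echo "OK (any NIC): $rule"; return 0 ;;   # the "drop -i entirely" variant
    esac
    case "$rule" in
        *"-i $wan "*"--ip-sport 80"*) echo "OK: $rule" ;;
        *"-i $lan "*"--ip-dport 80"*) echo "OK: $rule" ;;
        *"-i $wan "*"--ip-dport 80"*)
            echo "INVERTED: $rule (WAN side must match --ip-sport 80)" ;;
        *"-i $lan "*"--ip-sport 80"*)
            echo "INVERTED: $rule (LAN side must match --ip-dport 80)" ;;
        *) echo "UNKNOWN: $rule" ;;
    esac
}

# check_broute_rules WAN_NIC LAN_NIC LISTING -> one verdict per redirect rule
check_broute_rules() {
    wan=$1; lan=$2; listing=$3
    printf '%s\n' "$listing" | grep -- '-j redirect' | while IFS= read -r rule; do
        classify_rule "$wan" "$lan" "$rule"
    done
}

# count_inverted WAN_NIC LAN_NIC LISTING -> number of inverted rules
count_inverted() {
    check_broute_rules "$@" | grep -c '^INVERTED' || true
}

# corrected_broute_rules WAN_NIC LAN_NIC PORT -> the two rules as commands
# (printed for review, not executed)
corrected_broute_rules() {
    wan=$1; lan=$2; port=$3
    echo "ebtables -t broute -A BROUTING -p IPv4 -i $wan --ip-proto tcp --ip-sport $port -j redirect"
    echo "ebtables -t broute -A BROUTING -p IPv4 -i $lan --ip-proto tcp --ip-dport $port -j redirect"
}

# Run against the sample with eth0 = WAN, eth1 = LAN as in the thread.
check_broute_rules eth0 eth1 "$SAMPLE_LISTING"
echo "inverted rules: $(count_inverted eth0 eth1 "$SAMPLE_LISTING")"
echo "suggested replacement:"
corrected_broute_rules eth0 eth1 80
```

On the posted listing with eth0 as WAN and eth1 as LAN both rules come back INVERTED; with the NIC roles swapped (the "plug the cables the other way around" case) both are OK, which is exactly the two remedies the reply offers.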
Hi Amos,
Thanks for your kind response. I am going to try with the latest kernel 3.0.3
and update you with the final status.
Is kernel 3.0.3 OK for TPROXY with Squid version 3.1.10?
Thanks,
Benjamin