Yucong and Eliezer... You are definitely right.
In fact the tproxy using your method exists on the Debian squeeze kernel.
That's good,
but now I have an issue using the tproxy mode.
I have set the network in the kernel:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.eth0.send_redirects=0
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects
I have set the routing rules mentioned on the wiki pages.
Routes added:
# ip rule add fwmark 1 lookup 100
# ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
# ip route list table 100
local default dev eth0 scope host
#ip rule
0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32763: from all fwmark 0x1 lookup 100
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
Enabled squid with:
http_port 3128 tproxy
http_port 3129
But now I'm unable to go through to the Internet.
When I force the browser to pass through the 3129 port I can browse.
But it fails with a timeout when I set the browser to go directly to the
Internet.
I think there is an issue with iptables.
On http://wiki.squid-cache.org/Features/Tproxy4
it is mentioned that if there is a timeout, it means that you need to
check that the /DIVERT/ is done before the /TPROXY/ rules in the iptables
*PREROUTING* chain,
but I have added the iptables rules in the "strict order" mentioned and
iptables-save always displays:
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
You can see that DIVERT is after the TPROXY rules.
Perhaps the iptables-save command lists the rules sorted by rule type...?
Is the issue the order of the iptables rules? If so, why does adding the rules in the
strict order always put DIVERT at the end?
Best regards
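Two small diagnostic helpers for exactly this question, added here as an example and not taken from the thread or from the Squid wiki. The first reads iptables-save text and reports whether the `-m socket -j DIVERT` jump precedes the TPROXY rule in mangle PREROUTING (the ordering the wiki page cited above requires); the second counts how many copies of the `fwmark 0x1 lookup 100` policy rule exist, since `ip rule add` does not deduplicate and re-running the wiki commands adds another copy each time. The sample inputs are constructed, modelled on the listings pasted above; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread or the Squid wiki). They read
# the text formats of iptables-save and "ip rule" so they can be run offline on
# pasted output as well as on a live box.

# Constructed sample, modelled on the mangle rules pasted in the thread.
SAMPLE_OK='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample with the two PREROUTING rules swapped (the misordering the
# wiki warns about).
SAMPLE_BAD='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed "ip rule" listing, copied in shape from the thread.
SAMPLE_RULES='0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32763: from all fwmark 0x1 lookup 100
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'

# check_tproxy_order: reads iptables-save text on stdin and prints
#   OK      - the "-m socket -j DIVERT" jump precedes the TPROXY rule
#   ORDER   - both exist but TPROXY comes first, so packets that already
#             belong to a local socket are re-diverted instead of marked
#   MISSING - one of the two rules is absent from mangle PREROUTING
# Only "-A PREROUTING" lines of the mangle table count; the "-A DIVERT" lines
# are the contents of the user-defined chain and do not affect PREROUTING order.
check_tproxy_order() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "mangle" && /^-A PREROUTING / {
            n++
            if (!divert && $0 ~ /-m socket/ && $0 ~ /-j DIVERT/) divert = n
            if (!tproxy && $0 ~ /-j TPROXY/) tproxy = n
        }
        END {
            if (!divert || !tproxy) { print "MISSING"; exit 0 }
            if (divert < tproxy) print "OK"; else print "ORDER"
        }'
}

# count_fwmark_rules: reads "ip rule" output on stdin and prints how many
# "fwmark 0x1 lookup 100" entries exist. One is expected; more means the
# "ip rule add" command was run repeatedly.
count_fwmark_rules() {
    awk '/fwmark 0x1 lookup 100/ { c++ } END { print c + 0 }'
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK"    | check_tproxy_order
printf '%s\n' "$SAMPLE_BAD"   | check_tproxy_order
printf '%s\n' "$SAMPLE_RULES" | count_fwmark_rules
# On a live host:
#   iptables-save -t mangle | check_tproxy_order
#   ip rule | count_fwmark_rules
```

On the listing pasted above the first function reports OK: the `-m socket -j DIVERT` jump is the first PREROUTING rule, and the two `-A DIVERT` lines that follow the TPROXY rule are the rules inside the user-defined DIVERT chain, which iptables-save prints after the built-in chain rather than as part of PREROUTING. The duplicate policy rules that the `ip rule` listing shows are harmless for matching but are a sign that the setup commands were replayed; `ip rule del fwmark 1 lookup 100` removes one copy per call.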
On 02/03/2012 20:16, Yucong Sun (叶雨飞) wrote:
I think what happens is that the document seems to be wrong; the kernel
already has TPROXY compiled in. Look for /boot/config-xxxx and
search for TPROXY, it should say "m".
For the iptables rules, you will need to use the mangle table; there's no
tproxy table anymore,
as such:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxyport> \
    --tproxy-mark 0x1/0x1
On my machine, Ubuntu 10.04 LTS (Linux fullcenter 2.6.32-37-server
#81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux),
I have TPROXY 4.1.0 included; not sure about Debian.
[5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
However, I do want to add an additional question: suppose my proxy
machine will be acting as the network gateway to my LAN, can I simply
achieve the same effect with
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1:xxxx ???
Why was tproxy needed in the first place?
Thanks.
On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau<david@xxxxxxxxxx> wrote:
There is bad news: backports did not change anything regarding Tproxy.
Only kernel 3.2x is available in the backports repository.
apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
apt-get install -t squeeze-backports upgrade
reboot
My kernel is now:
Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be
ignored in a future release.
iptables v1.4.8: can't initialize iptables table `tproxy': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded
grep -i iptables /boot/config-`uname -r`
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
# iptables trigger is under Netfilter config (LED target)
SNIF, SNIF
On 02/03/2012 17:03, David Touzeau wrote:
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80