I've made a LOT of progress with that. The only problem that I'm having now is making sure that the traffic that is coming from squid BACK through the same router doesn't get tagged and sent back to the proxy (causing a loop). I've tried doing different taggings based on interface, but this doesn’t seem to help at all... I also would have thought that added a " iptables -t mangle -A PREROUTING -s 10.0.1.1 -j ACCEPT" to the router would stop this from happening, but it doesn't look like the traffic from Squid -> Internet web server is using 10.0.1.1, for some reason. Proxy ------------ ip -f inet rule add fwmark 1 lookup 100 ip -f inet route add local default dev lo table 100 iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 root@proxy01:~# ip route list default via 10.0.1.254 dev eth0 10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.1 root@proxy01:~# ip route list table 100 local default dev lo scope host Router ------------ ip -f inet rule add fwmark 1 lookup 100 ip -f inet route add default via 10.0.1.1 table 100 ip -f inet rule add fwmark 2 lookup 101 ip -f inet route add default via 10.1.17.254 table 101 iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -N FROMPROXY iptables -t mangle -A FROMPROXY -j MARK --set-mark 2 iptables -t mangle -A FROMPROXY -j ACCEPT iptables -t mangle -A PREROUTING -i eth5 -d 10.0.0.0/8 -j ACCEPT iptables -t mangle -A PREROUTING -i eth5 -d 192.168.0.0/16 -j ACCEPT iptables -t mangle -A PREROUTING -i eth5 -j FROMPROXY iptables -t mangle -A PREROUTING -s 10.0.1.1 -j ACCEPT iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j DIVERT root@fw:~# ip route list table 100 default via 10.0.1.1 dev eth5 10.0.1.0/24 dev eth5 scope link root@fw:~# ip route list table 101 default via 10.1.17.254 dev eth0 10.1.17.0/24 dev eth0 scope link root@fw:~# ip route list default via 10.1.17.254 dev eth0 10.0.1.0/24 dev eth5 proto kernel scope link src 10.0.1.254 10.1.1.0/24 via 10.100.1.22 dev eth2 metric 110 10.1.17.0/24 dev eth0 proto kernel scope link src 10.1.17.158 -- Thomas York -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Tuesday, May 29, 2012 8:00 PM To: squid-users@xxxxxxxxxxxxxxx Subject: RE: Linux + TPROXY + Remote Squid On 30.05.2012 01:49, Thomas York wrote: > Is any more information needed? > > -- Thomas York > > -----Original Message----- > From: Thomas York > Sent: Friday, May 25, 2012 1:37 PM > > I forgot one detail. I have an iptables rule BEFORE the PREROUTING > divert/tproxy iptables rules on the router. I added an accept so that > HTTP traffic from the proxy doesn't get tagged and rerouted to the > proxy. > > Here's the rule set I have for the firewall > > iptables -t mangle -N DIVERT > iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle > -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -s 10.0.1.1 -j > ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT > iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY > --tproxy-mark > 0x1/0x1 --on-port 3129 With Squid listening on localhost port 3129 to receive the packets sent to 0.0.0.0:3129 and [::]:3129 ? When the router is a different box to the Squid you should do all this with plain old routing and marking/tagging (no TPROXY) on the router. > -----Original Message----- > From: Thomas York > Sent: Friday, May 25, 2012 1:32 PM > > No. The router has three interfaces. One goes to the internet and has > a > default route. I am running NAT on this interface so that the > firewall, > proxy > and clients can reach the internet. The second is a single /24 > network > (10.0.1.0/24) that has only the proxy and the firewall on it. The > third is a > > single /24 (10.1.1.0/24) that has a single Windows 7 client on it for > generating HTTP requests and testing. I'm tagging the packets on the > firewall > and running them through a separate routing table, which sends the > packets > to > the proxy (without NAT-ing). The proxy and the firewall see the > routed > packets > perfectly fine. I'm not doing any kind of iptables rules on the > proxy, > however. This is the problem. TPROXY rules are iptables rules supposed to be on the proxy machine *only*. Outside that proxy box all packets have client and Internet destination IP addresses and get routed. NIC flow in/out or MAC address is best to identify which stage of the flow the packets are at and how to tag/handle them in the routers. It may require several tags at the router; for packets direct from client or Internet, and packets already been via Squid/proxy box. OR just routing based on NIC received... ie, Router config logic: if in NIC (from client) tag for routing and send to Squid box as gateway if in NIC (from Internet) tag for routing and send to Squid box as gateway if in NIC (from Squid) handle as if Squid did not exist: send to normal IP destination on packet Amos
<<attachment: smime.p7s>>
