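----- Original Message -----
>From: Ming-Ching Tiew <mctiew@xxxxxxxxx>
>
> rc.local attached.
>
Attachment rejected so re-post inline below :-

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Builds a transparent bridge (eth0 <-> eth1 as br0) in front of a
# Squid listening on port 3129 and steers port-80 TCP into it, in one
# of two modes selected by MODE below:
#   tproxy - ebtables hands port-80 frames up to the IP stack, iptables
#            TPROXY marks them and a policy route delivers them locally.
#   nat    - iptables REDIRECT on br0 rewrites the destination port.
# Every run also rewrites the http_port line in /etc/squid/squid.conf
# so that Squid's mode matches the firewall mode.
# Requires root; all commands act on the live network configuration.

touch /var/lock/subsys/local

# Bridge both NICs; the bridge itself carries the management address.
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 192.168.1.253 up
ip route add default via 192.168.1.1

# "tproxy" or anything else (treated as intercepting nat).
MODE=tproxy

if [ "$MODE" = "tproxy" ]
then
  # In the broute table DROP means "route" (hand the frame to the IP
  # stack) and ACCEPT means "bridge"; the redirect target first rewrites
  # the destination MAC to the bridge's own.  Port-80 TCP in both
  # directions, arriving on either NIC, is diverted to the IP stack.
  ebtables -t broute -F BROUTING
  ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \
    --ip-destination-port 80 -j redirect --redirect-target DROP
  ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-protocol tcp \
    --ip-source-port 80 -j redirect --redirect-target DROP
  ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-protocol tcp \
    --ip-destination-port 80 -j redirect --redirect-target DROP
  ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-protocol tcp \
    --ip-source-port 80 -j redirect --redirect-target DROP

  # Turn off every bridge-netfilter knob so iptables only sees the frames
  # ebtables routed up, not every bridged frame.  Absolute paths on
  # purpose: the earlier "cd /proc/sys/net/bridge; for i in *" would,
  # when the cd failed (br_netfilter not loaded), overwrite every file in
  # the current working directory with "0".
  for f in /proc/sys/net/bridge/*
  do
    [ -e "$f" ] || continue
    echo 0 > "$f"
  done

  iptables -t mangle -F
  iptables -t nat -F
  # -F only empties chains; DIVERT must exist before "-j DIVERT" below or
  # that rule is rejected.  -N fails harmlessly on a chain left over from
  # an earlier run, so its error is silenced.
  iptables -t mangle -N DIVERT 2>/dev/null
  # Packets matching an existing local socket are marked and accepted;
  # new port-80 flows are handed to the TPROXY socket on 3129.
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT

  # Marked packets are routed through table 150, which delivers every
  # destination locally so the transparent socket receives them.  The
  # delete may fail on first boot (no such rule yet) and is silenced.
  ip rule delete fwmark 1/1 lookup 150 2>/dev/null
  ip rule add fwmark 1/1 lookup 150
  ip route flush table 150
  ip route add local 0.0.0.0/0 dev lo table 150

  # Reverse-path filtering is disabled on every interface, as TPROXY
  # setups require; note this also removes the kernel's usual source
  # address sanity check, so the bridge should not face an untrusted
  # segment without compensating filtering.
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    [ -e "$f" ] || continue
    echo 0 > "$f"
  done

  sed -i -e 's/http_port 3129.*/http_port 3129 tproxy/' /etc/squid/squid.conf
else
  # intercepting nat MODE
  # Replies (source port 80) from either side are redirected but stay
  # bridged (ACCEPT); client requests are caught by the REDIRECT below.
  ebtables -t broute -F
  ebtables -t broute -A BROUTING -p ipv4 --ip-protocol tcp --ip-source-port 80 \
    -j redirect --redirect-target ACCEPT
  iptables -t nat -F
  iptables -t mangle -F
  iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3129
  sed -i -e 's/http_port 3129.*/http_port 3129 intercept/' /etc/squid/squid.conf
fi

# Default Fedora DVD installation has rules which must be deleted.
# These are the end-of-chain default-deny rules; once removed, INPUT and
# FORWARD fall through to their chain policy, so every service listening
# on this host (Squid on 3129 included) becomes reachable from the bridged
# segment.  A narrower alternative is to insert ACCEPT rules for the
# ports actually needed ahead of the REJECT rule instead of deleting it.
# -D prints an error when the rule is already gone (e.g. a second run);
# that is harmless here because the script does not use set -e.
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

echo 1 > /proc/sys/net/ipv4/ip_forward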