Re: tproxy configuration

On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
  Please find below the network topology, squid.conf and rc.local
configuration files.  It appears that Squid is not routing the
HTTP requests.  I am not sure what I am doing wrong here.
Please note that the same squid.conf works as a transparent proxy
(non-tproxy), with the exception of the tproxy keyword and service changes.
Thanks in advance,

               wccp/gre tunnel              ||
squid==============================Fortigate FW/RT  Int ip 1
3.3                                        ||       Int ip 2
ip:                           ||       Ext ip XX.XX.XXX.24
                                       WLAN Router  Int. ip  Ext. ip
                                Client Workstation

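#!/bin/sh
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
#
# Purpose: bring up the WCCP/GRE tunnel towards the FortiGate, create the
# policy-routing table used for TPROXY and install the mangle rules that hand
# intercepted HTTP/HTTPS to Squid's tproxy listeners (3228/3229, further down).
#
# Abort on the first failing command. Set in the body rather than in the
# shebang so it also applies when the file is run as "sh /etc/rc.local".
set -e

# GRE Tunnel :
echo "Loading modules.."
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre

echo "changing routing and reverse path stuff.."
# Reverse-path filtering is relaxed on lo only — presumably so that packets
# steered to a local socket via the fwmark table below are not dropped as
# martians; confirm. eth0, the interface the tunnel and client traffic use,
# keeps whatever rp_filter value the system already has.
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter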

What about rp_filter on eth0 where the traffic is actually exiting the Squid box?

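# The two endpoint addresses are referenced but never assigned in this file
# (their values look redacted in the post). Fail loudly instead of building a
# tunnel with empty endpoints.
: "${FORTIIPID:?FortiGate GRE peer address must be set}"
: "${LOCALIP:?local GRE endpoint address must be set}"

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "creating tunnel..."
# Quoted so that an empty or odd value cannot be word-split into extra
# arguments. ("ip tunnel add" / "ip link set wccp0 up" are the current
# equivalents of iptunnel/ifconfig; kept as posted.)
iptunnel add wccp0 mode gre remote "$FORTIIPID" local "$LOCALIP" dev eth0
ifconfig wccp0 up
echo "creating routing table for tproxy..."
# Packets carrying fwmark 1 (set by the DIVERT chain / TPROXY target below)
# are looked up in table 100, whose single route delivers everything to a
# local socket. The destination is written out explicitly.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100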

You may need this to be dev eth0 instead of dev lo. Experiment to find out which.

echo "creating iptables tproxy rules..."
# Loopback traffic and all ICMP are accepted unconditionally.
# NOTE(review): no chain policy is set in this script, so whether these
# ACCEPTs have any effect depends on the INPUT/FORWARD policy configured
# elsewhere on the box.
iptables --append INPUT   --in-interface lo --jump ACCEPT
iptables --append INPUT   --protocol icmp --match icmp --icmp-type any --jump ACCEPT
iptables --append FORWARD --in-interface lo --jump ACCEPT

What about forwarding of non-localhost traffic, such as the TPROXY-spoofed client IPs?

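# Addresses used below are not assigned anywhere in this file (values look
# redacted in the post); abort rather than install rules with empty matches.
: "${FORTIDIRIP:?FortiGate WCCP source address must be set}"
: "${LOCALIP:?local address must be set}"

# WCCP control traffic (UDP 2048) is accepted from the FortiGate only.
iptables -A INPUT  -s "$FORTIDIRIP" -p udp -m udp --dport 2048 -j ACCEPT
# Decapsulated client traffic arriving through the tunnel device.
iptables -A INPUT -i wccp0 -j ACCEPT
# Encapsulated GRE from any source. NOTE(review): the tunnel peer is fixed
# (remote $FORTIIPID in the iptunnel line), so this rule could be narrowed
# with "-s" to that address; left as posted.
iptables -A INPUT -p gre -j ACCEPT

# Mangle table. -F empties every chain but does not delete user-defined
# chains, so a second run of this script would fail at -N DIVERT and, under
# set -e, abort before the TPROXY rules are installed; tolerate the
# "chain exists" case (stderr is silenced only for that reason).
iptables -t mangle -F
# Traffic addressed to this host itself is never intercepted.
iptables -t mangle -A PREROUTING -d "$LOCALIP" -j ACCEPT
iptables -t mangle -N DIVERT 2>/dev/null || :
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# Packets that already belong to a local socket are marked so that
# "ip rule add fwmark 1 lookup 100" steers them back to that socket.
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# New connections: hand to Squid's tproxy listeners (http_port 3228 tproxy /
# https_port 3229 tproxy in squid.conf). Each rule is ONE command; in the
# posted script the line was wrapped by the mail client and the
# "--tproxy-mark ..." half would have run as a separate, failing command.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 3229
exit 0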

# --- General / debugging ---
#debug_options ALL,1 33,2
#debug_options ALL,1 33,2 28,9
hierarchy_stoplist cgi-bin
acl QUERY urlpath_regex cgi-bin
#cache_effective_user squid
shutdown_lifetime 1 second
visible_hostname server
# Do not advertise the Squid version string.
httpd_suppress_version_string on
# Do not reveal client addresses to origin servers via X-Forwarded-For.
forwarded_for off
#1GB disk cache
cache_dir ufs /usr/local/var/cache/squid 1024 16 256

maximum_object_size 5 MB
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
# Referer is stripped in both directions (requests and replies).
request_header_access Referer deny all
reply_header_access Referer deny all
# --- Reverse-proxy (accel) listeners for the site1..site7 domains ---
http_port 80 accel
# NOTE(review): the dstdomain values are missing from the post (presumably
# redacted). An acl line with no value is most likely rejected by Squid at
# startup, so treat these seven lines as placeholders.
acl site1 dstdomain
acl site2 dstdomain
acl site3 dstdomain
acl site4 dstdomain
acl site5 dstdomain
acl site6 dstdomain
acl site7 dstdomain
# The "key=..." line below is the continuation of this https_port directive;
# the break looks like mail-client wrapping, not a separate directive.
https_port 443 cert=/etc/ssl/certs/domain_sites.crt
key=/etc/ssl/private/domain.key accel vport
# never_direct allow site1
# For each site the pattern is: go direct to the origin, allow the request.
# http_access is evaluated first-match, so once "allow siteN" matches, the
# following "deny siteN" can never be reached — the deny lines are dead.
always_direct allow site1
http_access allow site1
http_access deny site1
always_direct allow site2
http_access allow site2
http_access deny site2
always_direct allow site3
http_access allow site3
http_access deny site3
always_direct allow site4
http_access allow site4
http_access deny site4
always_direct allow site5
http_access allow site5
http_access deny site5
always_direct allow site6
http_access allow site6
http_access deny site6
always_direct allow site7
http_access allow site7
http_access deny site7
# Recommended minimum configuration:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): the first three src values are empty in the post (presumably
# redacted) and "{WAN Network}" is a placeholder, not a CIDR; Squid would not
# accept either as written. If a WAN range really is listed in localnet, the
# forward-proxy listener (http_port 3128 further down) is reachable from it.
acl localnet src # RFC1918 possible internal network
acl localnet src # RFC1918 possible internal network
acl localnet src # RFC1918 possible internal network
acl localnet src {WAN Network} # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
# "plugged) machines" on the next line is the tail of this comment, wrapped
# by the mail client.
acl localnet src fe80::/10      # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl SSL_ports port 4435
acl SSL_ports port 8443
acl Safe_ports port 80  # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
# NOTE(review): http_access is first-match and this allow has no src
# restriction. Because it precedes "deny !Safe_ports" and "allow localnet"/
# "deny all" below, ANY client able to reach a listener may use the proxy
# for any URL ending in ".jpg" (case-insensitive), to any destination port.
# The leading ".*" is redundant. Consider moving this allow below the deny
# rules, or qualifying it with localnet.
acl pictures url_regex -i .*\.jpg$
http_access allow pictures
# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# --- Listeners ---
# Interception listeners matching the TPROXY --on-port values in rc.local
# (3228 for TCP/80, 3229 for TCP/443).
http_port 3228 tproxy
# The "dynamic_cert_mem_cache_size=..." line below belongs to this directive
# (mail-client wrapping); same for the http_port 3128 line that follows.
https_port 3229 tproxy ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt
# Explicit forward-proxy listener, also bumping CONNECT tunnels. Clients must
# trust the CA in domain.crt or every bumped site shows a certificate error.
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt
always_direct allow all
ssl_bump server-first all
#ssl_bump allow all
# the following two options are unsafe and not always necessary:
# Together they make Squid accept any origin certificate (expired, wrong name,
# unknown CA) and re-sign it for the client, so bumped clients lose all
# upstream certificate validation — an on-path attacker towards the origin
# is indistinguishable from the real site.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# The "/usr/local/var/lib/squid/ssl_db -M 4MB" line is the remainder of this
# command line (mail-client wrapping).
sslcrtd_program /usr/local/libexec/ssl_crtd -s
/usr/local/var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
# --- ICAP adaptation ---
icap_enable on
# Client IP and username are handed to the ICAP services in request headers;
# both services must be trusted with that data.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# -1 disables the failure limit (services are never marked down). With
# bypass=0 on every service, an unreachable ICAP service blocks the traffic
# it adapts rather than being skipped (fail closed).
icap_service_failure_limit -1
icap_service_revival_delay 30
# NOTE(review): service URIs look truncated in the post — bare "icap://" for
# qlproxy1/2 and no URI at all for squidclamav1/2.
icap_service qlproxy1 reqmod_precache bypass=0 icap://
icap_service qlproxy2 respmod_precache bypass=0 icap://
icap_service squidclamav1 reqmod_precache bypass=0
icap_service squidclamav2 respmod_precache bypass=0
adaptation_service_chain svcRequest squidclamav1 qlproxy1
adaptation_service_chain svcResponse squidclamav2 qlproxy2
adaptation_access svcRequest allow all
adaptation_access svcResponse allow all
# FortiGate interface of wccp
# The next non-"#" line ("80 (service 0) ...") is the wrapped tail of this
# comment. It mentions an authentication password, but no password= option
# appears on the wccp2_service_info lines here — check whether the router
# side expects one.
# wccp version 2 configuration for standard service HTTP on tcp port
80 (service 0) with authentication password 'fortinet'
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
wccp2_service dynamic 95
# "priority=240 ports=80,443" on the next line continues this directive.
wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source
priority=240 ports=80,443
# tunneling method GRE for forward traffic
wccp2_forwarding_method 1
# tunneling method GRE for return traffic
wccp2_return_method 1
# Assignment method (default), only relevant if multiple caches used
wccp2_assignment_method 1
# wccp weight (default), only relevant if multiple caches used
wccp2_weight 10000
# which interface to use for WCCP ( determines the interface
# ("from routing)" below is the wrapped tail of this comment; no directive
# follows it in the post, so the interface choice is left to routing.)
from routing)

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .  0 20% 4320

