Re: TProxy Setup

Hey There,

You seem to have used the wrong rules in ip route and maybe something else.
I need more of the picture to understand what and how you implemented it.
What I need is the IP and wires topology.
WCCP is not good for you (maybe) but the examples are perfect from any aspect.
Take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2

You can take the relevant rules from the article to correct yours.
Basically what you need is:
#!/usr/bin/bash

echo "Loading modules.."
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

LOCALIP="10.80.2.2"

echo "changing routing and reverse path stuff.."
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
  echo 0 > $i
done
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "creating routing table for tproxy..."
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo "creating iptables tproxy rules..."
iptables -A INPUT  -i lo -j ACCEPT
iptables -A INPUT  -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

iptables -t mangle -F
iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
##END OF FILE

The route towards the lo is important to enable the tproxy action.
In your settings I have seen that you have used something else which will probably cause some strange issues.

All The Bests,
Eliezer

On 07/03/2014 03:01 AM, Nyamul Hassan wrote:
Hi,

We are trying to run Squid 3.4.6 with TProxy.  Earlier we used to run
Squid 2.7.Stable9 in "transparent" mode with a DNAT rule on the router
box to redirect traffic.  This being our first jibe at Squid3, we have
successfully configured "intercept" mode with the router doing a
policy-based routing (instead of DNAT).  All works quite well!

However, when we try to do a TProxy configuration, Squid does not seem
to be seeing the traffic at all.  Since Squid3 is working in
"intercept" we assume that is not the problem.  IPTables is configured
as follows:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "TProxy: "
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT

The Log option shows similar lines as follows (our IP omitted below):
Jul  3 05:15:24 proxy01 kernel: TProxy: IN=eth0 OUT=
MAC=00:22:4d:a7:9a:8c:00:15:17:c8:a0:39:08:00 SRC=<test>
DST=195.93.85.193 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=25176 DF
PROTO=TCP SPT=3264 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

We also tried both with and without the "IP" commands:

ip rule add fwmark 1 lookup 100
ip route add local default dev eth0 table 100

We have searched through Google, mailing lists, Squid Docs, but seems
like we are still missing through something.  One thing though, a lot
of the TProxy examples accompany WCCP or Bridge.  Are either of them
mandatory in TProxy setup?  If not, could someone help us where we are
doing things wrong?

Thanks in advance for your guidance.

Regards
HASSAN
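
The reply above turns on one point: the fwmark set by the TPROXY rule must select a routing table whose local default route goes to lo, not eth0. As an added example (not part of either message), the following script checks that chain from captured command output; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: does the TPROXY mark lead to a local route on lo?

# Print the mark of the first TPROXY rule in `iptables-save -t mangle` text ($1).
tproxy_mark() {
  printf '%s\n' "$1" |
    sed -n 's/.*-j TPROXY.*--tproxy-mark \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Print the table that `ip rule show` text ($1) selects for mark $2.
table_for_mark() {
  printf '%s\n' "$1" | awk -v want="$2" '{
    mark = ""; table = ""
    for (i = 1; i < NF; i++) {
      if ($i == "fwmark") { split($(i + 1), m, "/"); mark = m[1] }
      if ($i == "lookup") table = $(i + 1)
    }
    if ((mark "") == (want "") && table != "") { print table; exit }
  }'
}

# Classify `ip route show table N` text ($1): ok, wrong-device:<dev> or missing.
route_status() {
  printf '%s\n' "$1" | awk '
    $1 == "local" && ($2 == "default" || $2 == "0.0.0.0/0") {
      dev = ""
      for (i = 3; i < NF; i++) if ($i == "dev") dev = $(i + 1)
      status = (dev == "lo") ? "ok" : "wrong-device:" dev
      print status; found = 1; exit
    }
    END { if (!found) print "missing" }'
}

# audit_tproxy MANGLE_TEXT RULE_TEXT ROUTE_TEXT: one-line verdict, exit 0 only if ok.
audit_tproxy() {
  mark=$(tproxy_mark "$1")
  [ -n "$mark" ] || { echo "no-tproxy-rule"; return 1; }
  table=$(table_for_mark "$2" "$mark")
  [ -n "$table" ] || { echo "no-ip-rule-for-mark:$mark"; return 1; }
  status=$(route_status "$3")
  echo "mark=$mark table=$table route=$status"
  [ "$status" = ok ]
}

# Constructed sample text in the shape the tools print (not captured from a real host).
MANGLE='-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129'
RULES='32765: from all fwmark 0x1 lookup 100'
audit_tproxy "$MANGLE" "$RULES" 'local default dev eth0 scope host' || true
audit_tproxy "$MANGLE" "$RULES" 'local default dev lo scope host'
```

On a live proxy the three arguments would be the output of `iptables-save -t mangle`, `ip rule show` and `ip route show table 100`.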