Try to change the ip rule instead of br0 to lo and see if it changes anything.
Also remove any iptables rules and try to access a public IPv6-only address.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: Walter H. [mailto:walter.h@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 10, 2017 09:19
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: IPv6 and TPROXY

Hello Eliezer,

it is a CentOS 6 box; br0 is a bridge device, connecting eth0 and wlan0 to one IP subnet/IPv6 prefix.
Might this be a problem?

The results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:
> Hey Walter,
>
> I have run basic tests which do not include direct internet access,
> and it seems like squid is intercepting traffic fine on CentOS 7.
> Try to use:
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev lo table 100
>
> ip6tables -t mangle -F
> ip6tables -t mangle -F DIVERT
> ip6tables -t mangle -X DIVERT
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> ip6tables -t mangle -A DIVERT -j ACCEPT
>
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
>
> Check the output of:
> sysctl -a |grep forward|grep v6
>
> Since some of the setup you describe is "unusual", like "br0", I cannot
> promise you how things will work and if they should work.
> On a regular Linux machine with regular interfaces it works fine.
> I do get the basic "access denied" page from squid.
> If this doesn't show up then I believe it's a routing level issue, and
> maybe sysctl will help to reveal a couple of things about the subject.
>
> All The Bests,
> Eliezer
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, August 10, 2017 06:49
> To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: IPv6 and TPROXY
>
> Hello Eliezer,
>
> ip -6 rule is this:
>
> 0: from all lookup local
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
>
> the two commands were
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev br0 table 100
>
> ip6tables-save is this:
> <BEGIN>
>
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
> -A INPUT -m rt --rt-type 0 -j DROP
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -s fe80::/10 -j ACCEPT
> -A INPUT -d ff00::/8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
> -A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m rt --rt-type 0 -j DROP
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -i br0 -o br0 -j ACCEPT
> -A FORWARD -i br0 -o sit1 -j ACCEPT
> -A OUTPUT -m rt --rt-type 0 -j DROP
> -A OUTPUT -m state --state INVALID -j DROP
> -A OUTPUT -s fe80::/10 -j ACCEPT
> -A OUTPUT -d ff00::/8 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o br0 -j ACCEPT
> -A OUTPUT -o sit1 -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *mangle
> :PREROUTING ACCEPT [43:6775]
> :INPUT ACCEPT [104:10608]
> :FORWARD ACCEPT [12:2567]
> :OUTPUT ACCEPT [182:28756]
> :POSTROUTING ACCEPT [194:31323]
> :DIVERT - [0:0]
> -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
> -A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
>
> <END>
>
> Thanks,
> Walter
>
> On 10.08.2017 02:18, Eliezer Croitoru wrote:
>> Can you attach or paste\gist the output of:
>> iptables-save
>> ip6tables-save
>> ip rule
>> ??
>> It will help to also see the tables which you use in conjunction with
>> the "ip rule" based on the mark.
>>
>> Eliezer
>>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Walter H.
>> Sent: Tuesday, August 8, 2017 17:15
>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: IPv6 and TPROXY
>>
>> Hello,
>>
>> I did the ip6tables like this:
>> https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>>
>> iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>>
>> iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129
>>
>> in squid.conf I added
>>
>> http_port ipv6lan:3129 tproxy
>>
>> I also added the following rule to ip6tables:
>>
>> iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129 -m state --state NEW -j ACCEPT
>>
>> when I have tcpdump running, I get this:
>>
>> 16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945 ecr 0,nop,wscale 5], length 0
>> 16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable, unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88
>>
>> when doing:
>>
>> wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy http://crl.usertrust.com/AddTrustExternalCARoot.crl
>>
>> (crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)
>>
>> what am I missing?
>>
>> Thanks
>> Walter

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
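The thread above is a walk through the three pieces of state a TPROXY setup depends on: the mangle rules that mark intercepted packets, the `ip -6 rule` that sends that fwmark to a routing table, and the `local default` route in that table (on `lo` in the Squid Tproxy4 recipe, on `br0` in the posted commands). As an added example, not code from the thread or from the Squid project, the checker below reads those three artifacts as text and reports where the layout departs from the recipe. The sample inputs are constructed from the configuration posted above; the route-table text is an assumption about what `ip -6 route show table 100` would print on that box. One check goes beyond what the thread discusses: the TPROXY target does not rewrite packet headers, so an intercepted SYN reaches the filter INPUT chain still addressed to the original server on port 80, and an INPUT ACCEPT keyed on the proxy's own address and `--dport 3129` never matches it; with an INPUT DROP policy the accept has to match by `-m mark` (or `-m socket`) instead.

```python
"""Lint an IPv6 TPROXY setup from `ip -6 rule`, the mark table's routes and
`ip6tables-save`. Added example, not code from the thread or from Squid.
Checks the Squid Tproxy4 recipe (TPROXY sets a mark, an ip rule sends that
fwmark to a table holding `local default dev lo`, `-m socket` precedes TPROXY)
and the filter INPUT chain: TPROXY leaves headers untouched, so intercepted
SYNs reach INPUT with the original destination and port, not the proxy's."""
import re
from typing import Dict, List

# Constructed sample inputs, modelled on the configuration posted in the thread.
IP6_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
# Assumed output of `ip -6 route show table 100` after the posted `dev br0` command.
IP6_ROUTE_TABLES = {100: "local default dev br0  metric 1024\n"}
IP6TABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
COMMIT
*mangle
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
NUM = r"(0x[0-9a-fA-F]+|\d+)"  # a mark value as iptables / ip print it


def parse_save(text: str) -> Dict[str, dict]:
    """Split ip6tables-save output into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables: Dict[str, dict] = {}
    cur: dict = {}
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:].strip(), {"policy": {}, "rules": []})
        elif line.startswith(":") and cur:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur:
            cur["rules"].append(line)
    return tables


def parse_ip_rule(text: str) -> Dict[int, int]:
    """Map fwmark value -> routing table number from `ip -6 rule` output."""
    return {int(m.group(1), 0): int(m.group(3))
            for m in re.finditer(rf"fwmark {NUM}(?:/{NUM})? lookup (\d+)", text)}


def audit(save: str, ip_rule: str, route_tables: Dict[int, str]) -> List[str]:
    """Return findings as 'CODE: detail'; an empty list means the layout matches the recipe."""
    findings: List[str] = []
    tables = parse_save(save)
    mangle = tables.get("mangle", {"rules": []})["rules"]
    pre = [r for r in mangle if r.startswith("-A PREROUTING")]
    tproxy = [r for r in pre if "-j TPROXY" in r]
    if not tproxy:
        return ["NO_TPROXY: no TPROXY rule in mangle PREROUTING"]
    rule = tproxy[0]
    m = re.search(rf"--tproxy-mark {NUM}", rule)
    if not m:
        return ["NO_TPROXY_MARK: TPROXY rule sets no --tproxy-mark, so no ip rule can route it"]
    mark = int(m.group(1), 0)
    m = re.search(r"--on-port (\d+)", rule)
    on_port = m.group(1) if m else "?"

    # 1. `-m socket -j DIVERT` must precede TPROXY so packets belonging to an existing
    #    proxy socket are marked and routed locally, and DIVERT must set the same bit.
    sock = [i for i, r in enumerate(pre) if "-m socket" in r]
    if not sock or sock[0] > pre.index(rule):
        findings.append("SOCKET_ORDER: '-m socket -j DIVERT' missing or placed after TPROXY")
    divert_ok = False
    for r in mangle:
        dm = re.search(rf"--set-x?mark {NUM}", r)
        if r.startswith("-A DIVERT") and dm and int(dm.group(1), 0) & mark == mark:
            divert_ok = True
    if not divert_ok:
        findings.append(f"DIVERT_MARK: DIVERT chain does not set mark {mark:#x}")

    # 2. Policy routing: fwmark -> table -> `local default dev lo`.
    table = parse_ip_rule(ip_rule).get(mark)
    if table is None:
        findings.append(f"NO_FWMARK_RULE: no 'ip -6 rule ... fwmark {mark:#x} lookup <table>'")
    else:
        rm = re.search(r"^local default dev (\S+)", route_tables.get(table, ""), re.M)
        if not rm:
            findings.append(f"NO_LOCAL_ROUTE: table {table} has no 'local default' route")
        elif rm.group(1) != "lo":
            findings.append(f"ROUTE_DEV: table {table} local route uses dev {rm.group(1)}; "
                            "the Squid Tproxy4 recipe uses dev lo")

    # 3. filter INPUT: headers are untouched, so a DROP policy needs an ACCEPT that matches
    #    intercepted packets by mark or socket, not by proxy address and --on-port.
    filt = tables.get("filter", {"policy": {}, "rules": []})
    inp = [r for r in filt["rules"] if r.startswith("-A INPUT") and "-j ACCEPT" in r]
    if filt["policy"].get("INPUT") == "DROP" and not any("-m mark" in r or "-m socket" in r for r in inp):
        hint = f"; the '--dport {on_port}' ACCEPT never sees them" if any(f"--dport {on_port}" in r for r in inp) else ""
        findings.append("INPUT_FILTER: INPUT policy DROP with no ACCEPT for marked/socket-matched intercepted packets" + hint)
    return findings
```

Run `audit(IP6TABLES_SAVE, IP6_RULE, IP6_ROUTE_TABLES)` to get the findings for the constructed sample; feed it the real `ip6tables-save`, `ip -6 rule` and `ip -6 route show table 100` output to check a live box. The finding codes are stable strings so the checker can be wired into a deployment test.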