Hello Eliezer,

not really, as I don't understand which IP Squid needs to listen to. In my squid.conf I have this:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port [ipv6prefix::1]:3128
# Transparent Squid listens to port 3129 (IPv4 only)
http_port 192.168.1.1:3129 transparent
http_port [ipv6prefix::1]:3129 tproxy    <-- does it need this?
http_port [::1]:3129 tproxy              <-- or this?

The transparent proxy with IPv4 works ... I just had to add the following, e.g.

iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 -j DNAT --to-destination 192.168.1.1:3129

With IPv6 it is more complicated ... especially, which ip6tables rule is meant by Amos's question?

"I don't see anywhere in that INPUT list where the TPROXY'd traffic is permitted to reach Squid."

Does this mean, e.g. when I want to use TPROXY to the IPv6 address 2a02:1788:2fd::b2ff:5302, that I need to add

ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j ACCEPT

? Does this really need the two "ip -6 ..." commands, as I don't know what to add in a file in /etc/sysconfig/network-scripts ...

Thanks,
Walter

On 12.08.2017 20:23, Eliezer Croitoru wrote:
Any progress with this issue?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: Walter H. [mailto:walter.h@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 10, 2017 09:19
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: IPv6 and TPROXY

Hello Eliezer,

it is a CentOS 6 box; br0 is a bridge device connecting eth0 and wlan0 to one IP subnet / IPv6 prefix. Might this be a problem?

The results of "sysctl -a | grep forward | grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:

Hey Walter,

I have run basic tests which do not include direct internet access, and it seems like Squid is intercepting traffic fine on a CentOS 7.

Try to use:

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev lo table 100
ip6tables -t mangle -F
ip6tables -t mangle -F DIVERT
ip6tables -t mangle -X DIVERT
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

Check the output of:

sysctl -a | grep forward | grep v6

Since some of the setup you describe is "unusual", like "br0", I cannot promise you how things will work and if they should work. On a regular Linux machine with regular interfaces it works fine. I do get the basic "access denied" page from Squid. If this doesn't show up then I believe it's a routing-level issue, and maybe sysctl will help to reveal a couple of things about the subject.

All The Bests,
Eliezer

-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 10, 2017 06:49
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: IPv6 and TPROXY

Hello Eliezer,

"ip -6 rule" is this:

0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

The two commands were:

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this:

<BEGIN>
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*mangle
:PREROUTING ACCEPT [43:6775]
:INPUT ACCEPT [104:10608]
:FORWARD ACCEPT [12:2567]
:OUTPUT ACCEPT [182:28756]
:POSTROUTING ACCEPT [194:31323]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
<END>

Thanks,
Walter

On 10.08.2017 02:18, Eliezer Croitoru wrote:

Can you attach or paste/gist the output of:

iptables-save
ip6tables-save
ip rule

?? It will help to also see the tables which you use in conjunction with the "ip rule" based on the mark.

Eliezer

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Walter H.
Sent: Tuesday, August 8, 2017 17:15
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: IPv6 and TPROXY

Hello,

I did the ip6tables like this: https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129

In squid.conf I added

http_port ipv6lan:3129 tproxy

I also added this rule to ip6tables:

iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129 -m state --state NEW -j ACCEPT

When I have tcpdump running, I get this:

16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945 ecr 0,nop,wscale 5], length 0
16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable, unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88

when doing:

wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy http://crl.usertrust.com/AddTrustExternalCARoot.crl

(crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)

What am I missing?

Thanks,
Walter
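Editor's note, added to this archived thread and not part of any message on the list: the INPUT-chain point behind Amos's question can be checked offline. In the IPv4 setup the nat PREROUTING DNAT rule rewrites the destination to 192.168.1.1:3129 before the packet reaches filter INPUT, so the existing "--dport 3129" ACCEPT rule matches. TPROXY performs no such rewrite: the SYN arrives in filter INPUT still addressed to 2a02:1788:2fd::b2ff:5302 port 80, and in the ip6tables-save posted above no INPUT rule accepts that, so the chain policy (DROP) applies. The script below replays the posted INPUT rules against exactly such a packet, first as posted and then with the rule Walter asks about in his last message appended. It is example code written for this note, not Squid code and not taken from the thread. Assumptions: the client address 2001:470:1f0b:9c8::10 is constructed; the evaluator only understands the match options used in the posted rules (-i, -s, -d, -p, -m tcp --dport, -m state --state) and leaves out the "-m string" and "-m rt" rules, which cannot match a plain TCP SYN to port 80 arriving on br0.

```python
"""Re-evaluate the posted ip6tables filter INPUT chain against a TPROXY'd SYN.

Example code added to the thread archive; not from the squid-users list or
the Squid project. Only the match options present in the posted rules are
modelled (-i, -s, -d, -p, -m tcp --dport, -m state --state).
"""
import ipaddress
import shlex

INPUT_POLICY = "DROP"   # ":INPUT DROP [0:0]" in the posted ip6tables-save

# filter INPUT rules copied from the ip6tables-save output in the thread
# ("-m string" and "-m rt" rules left out; they cannot match this packet).
INPUT_RULES = [
    "-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -m state --state INVALID -j DROP",
    "-A INPUT -s fe80::/10 -j ACCEPT",
    "-A INPUT -d ff00::/8 -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT",
    "-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT",
    "-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT",
]

# The rule Walter asks about in his last message, written in the same
# style as his existing rules (original destination and port, not Squid's).
TPROXY_ACCEPT_RULE = ("-A INPUT -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp "
                      "-m tcp --dport 80 -m state --state NEW -j ACCEPT")

PROXY_ADDR = "2001:470:1f0b:9c8::1"     # --on-ip / Squid's address, from the thread
CRL_HOST = "2a02:1788:2fd::b2ff:5302"   # crl.usertrust.com, from the thread
CLIENT_ADDR = "2001:470:1f0b:9c8::10"   # constructed LAN client, not from the thread


def parse_rule(text):
    """Turn one ip6tables-save rule line into a dict of match conditions."""
    rule = {"iface": None, "src": None, "dst": None, "proto": None,
            "dport": None, "states": None, "target": None}
    toks = shlex.split(text)
    i = 0
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]
        i += 2
        if opt == "-i":
            rule["iface"] = val
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt == "-j":
            rule["target"] = val
        elif opt in ("-A", "-m"):
            pass  # chain name and match-module name carry no condition themselves
        else:
            raise ValueError(f"unsupported option {opt!r} in rule: {text}")
    return rule


def matches(rule, pkt):
    """True if every condition set in `rule` holds for packet `pkt`."""
    return ((rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["src"] is None or pkt["src"] in rule["src"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def evaluate(rules, pkt, policy=INPUT_POLICY):
    """First-match semantics: the first matching rule's target wins, else the policy."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["target"]
    return policy


def tcp_syn(src, dst, dport, iface="br0"):
    """A new TCP connection attempt as conntrack classifies it (state NEW)."""
    return {"iface": iface, "proto": "tcp", "state": "NEW", "dport": dport,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


# TPROXY does not rewrite the packet: filter INPUT still sees the original
# destination 2a02:1788:2fd::b2ff:5302 port 80, not [2001:470:1f0b:9c8::1]:3129.
TPROXY_SYN = tcp_syn(CLIENT_ADDR, CRL_HOST, 80)
# A client using the explicit proxy port reaches INPUT with dst = proxy:3128.
EXPLICIT_SYN = tcp_syn(CLIENT_ADDR, PROXY_ADDR, 3128)

if __name__ == "__main__":
    print("explicit proxy SYN   :", evaluate(INPUT_RULES, EXPLICIT_SYN))
    print("TPROXY'd SYN (posted):", evaluate(INPUT_RULES, TPROXY_SYN))
    print("TPROXY'd SYN (+rule) :", evaluate(INPUT_RULES + [TPROXY_ACCEPT_RULE], TPROXY_SYN))
```

Run as-is, the posted chain returns DROP for the TPROXY'd SYN and ACCEPT for the same client connecting to port 3128, which is the asymmetry Amos was pointing at. Hard-coding one destination host, as the appended rule does, only works for that host; the usual alternative (not from the thread) is an INPUT rule using "-m socket --transparent" so that any packet already mapped to a transparent listening socket is accepted regardless of its destination.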
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users