Re: IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT

any Windows host inside this ipv6prefix has a proxy configured, but for some reason there is e.g. HTTP traffic for CRLs or OCSP
that doesn't go through the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:
Hey,

Is there a specific reason for the usage of CentOS 6?
Also, do you need full tproxy features or just to intercept the traffic?

And Amos:
Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
Would the usage of:
http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

override the tproxy function?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx



-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Saturday, August 12, 2017 22:03
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: IPv6 and TPROXY

Hello Eliezer,

not really,
as I don't understand which IP Squid needs to listen on

in my squid.conf I have this:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port [ipv6prefix::1]:3128
# Transparent Squid listens to port 3129 (IPv4 only)
http_port 192.168.1.1:3129 transparent
http_port [ipv6prefix::1]:3129 tproxy   <-- does it need this?
http_port [::1]:3129 tproxy             <-- or this?

the transparent proxy with ipv4 works ...

just had to add the following

e.g.
iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 \
  -j DNAT --to-destination 192.168.1.1:3129

with IPv6 it is more complicated ...

especially which IP6TABLES rule is meant by Amos question?

"I don't see anywhere in that INPUT list where the TPROXY'd traffic is
permitted to reach Squid. "

does this mean:

e.g. when I want to use TPROXY for the IPv6 address 2a02:1788:2fd::b2ff:5302, I
need to add

ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 \
  --dport 80 -j ACCEPT
?

does this really need these two
ip -6 ...
commands, as I don't know what to add to a file in
/etc/sysconfig/network-scripts ...

Thanks,
Walter

On 12.08.2017 20:23, Eliezer Croitoru wrote:




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
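The rule set the thread is circling around, as an added example that is not from the thread or from the Squid project: the Squid wiki's IPv4 TPROXY recipe (mangle DIVERT chain, `-m socket` match, TPROXY target, fwmark policy route) carried over to ip6tables and `ip -6`, plus the filter INPUT rule Amos's remark refers to and the matching squid.conf listener. Intercepted packets reach INPUT with destination port 80 and the remote server's address as destination, which is why neither a rule for port 3129 nor a rule for one of the router's own addresses lets them through, and why the tproxy `http_port` is bound to the wildcard address rather than to [::1] or [ipv6prefix::1]. Assumed, because the page does not state them: Squid runs on the router itself, the client-facing interface is br0, the tproxy listener is port 3129, and fwmark 1 and routing table 100 are unused. The script prints the commands by default; DRY_RUN=0 executes them as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid. Standard Squid TPROXY
# setup translated to IPv6 on a Linux router. Assumptions (not on the page):
# Squid on the router, client interface br0, tproxy port 3129, fwmark 1 and
# routing table 100 free. Prints commands unless DRY_RUN=0.

DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-br0}              # client-facing interface (assumed)
TPROXY_PORT=${TPROXY_PORT:-3129} # Squid's tproxy listener (assumed)
MARK=1                           # fwmark that steers intercepted packets
TABLE=100                        # policy routing table holding the local route

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Deliver marked packets to the local stack although their destination is the
# remote web server, not an address of this host.
tproxy_routing() {
    run ip -6 rule add fwmark "$MARK" lookup "$TABLE"
    run ip -6 route add local ::/0 dev lo table "$TABLE"
}

# mangle/PREROUTING: packets of an already established transparent socket are
# matched by -m socket and just marked; new port-80 flows from clients are
# handed to Squid's tproxy port by the TPROXY target.
tproxy_mangle() {
    run ip6tables -t mangle -N DIVERT
    run ip6tables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run ip6tables -t mangle -A DIVERT -j ACCEPT
    run ip6tables -t mangle -A PREROUTING -i "$IFACE" -p tcp -m socket -j DIVERT
    run ip6tables -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# filter/INPUT: the diverted packets arrive here with dport 80 and the original
# server address as destination. Accepting on the mark set above lets exactly
# those packets reach Squid without listing every destination address.
tproxy_filter() {
    run ip6tables -t filter -I INPUT -i "$IFACE" -p tcp --dport 80 \
        -m mark --mark "$MARK/$MARK" -j ACCEPT
}

# squid.conf: the tproxy listener must be bound to the wildcard address, since
# the accepted socket's local address is whatever server the client dialled.
squid_http_port_line() {
    echo "http_port $TPROXY_PORT tproxy"
}

main() {
    tproxy_routing
    tproxy_mangle
    tproxy_filter
    echo "# add to squid.conf:"
    squid_http_port_line
}

main "$@"
```

Two checks before applying it: the TPROXY target and the socket match for IPv6 have to be present in the kernel and ip6tables build in use (`ip6tables -j TPROXY -h` lists the target's options when the extension is available, and the mangle rule fails to load otherwise), and none of this is persistent. `service ip6tables save` keeps the ip6tables rules across reboots on CentOS 6; the two `ip -6` lines have to be re-applied at boot, either from rc.local or from the initscripts' rule6-/route6- files, whose contents are the arguments after `ip -6 rule add` and `ip -6 route add`.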
