Hello Eliezer,

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

    -A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
    -A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT

any Windows host inside this ipv6prefix has configured a proxy, but for some reason there is e.g. HTTP traffic of CRLs or OCSP
that doesn't go through to the configured proxy, and is blocked ...

for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:
Hey,

Is there a specific reason for the usage of CentOS 6?
Also, do you need full tproxy features or just to intercept the traffic?

And Amos:
Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
Would the usage of:
http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
override the tproxy function?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Saturday, August 12, 2017 22:03
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: IPv6 and TPROXY

Hello Eliezer,

not really, as I don't understand which IP squid needs to listen to

in my squid.conf I have this:

    # Squid normally listens to port 3128
    http_port 127.0.0.1:3128
    http_port [::1]:3128
    http_port 192.168.1.1:3128
    http_port [ipv6prefix::1]:3128

    # Transparent Squid listens to port 3129 (IPv4 only)
    http_port 192.168.1.1:3129 transparent
    http_port [ipv6prefix::1]:3129 tproxy  <-- does it need this?
    http_port [::1]:3129 tproxy  <-- or this?

the transparent proxy with IPv4 works ... just had to add the following, e.g.

    iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 -j DNAT --to-destination 192.168.1.1:3129

with IPv6 it is more complicated ...

especially which IP6TABLES rule is meant by Amos' question?
"I don't see anywhere in that INPUT list where the TPROXY'd traffic is permitted to reach Squid. "

does this mean: e.g. when I want to use TPROXY to IPv6 2a02:1788:2fd::b2ff:5302, I need to add

    ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j ACCEPT

?

does this really need these two ip -6 ... commands, as I don't know what to add in a file in /etc/sysconfig/network-scripts ...

Thanks,
Walter

On 12.08.2017 20:23, Eliezer Croitoru wrote:
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
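
Added example, not part of the thread and not code from Squid or from either poster: a dry-run shell function that prints, without executing, the pieces an IPv6 TPROXY intercept is normally built from (mangle rules, an INPUT accept, and the two `ip -6` policy-routing commands). The interface `br0` and port `3129` are taken from the message above; fwmark `1`, routing table `100` and the chain name `DIVERT` are assumed values, and the kernel is assumed to provide the IPv6 `TPROXY` target and `socket` match.

```shell
#!/bin/sh
# Added example: prints the IPv6 TPROXY plumbing, it never changes the firewall.
# Assumed values (not from the thread): fwmark 1, routing table 100, chain DIVERT.

is_uint() { case $1 in ''|*[!0-9]*) return 1;; esac; }

tproxy6_rules() {
    iface=$1 port=$2 mark=${3:-1} table=${4:-100}
    # Validate everything that ends up in a command line, because the
    # output is meant to be reviewed and then fed to a root shell.
    case $iface in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 2;; esac
    is_uint "$port" && is_uint "$mark" && is_uint "$table" ||
        { echo "port, mark and table must be numeric" >&2; return 2; }
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range" >&2; return 2; }
    cat <<EOF
# 1. Packets belonging to sockets the proxy already owns: mark and accept.
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark $mark
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# 2. New port-80 connections from the LAN: hand them to the tproxy listener.
ip6tables -t mangle -A PREROUTING -i $iface -p tcp --dport 80 -j TPROXY --tproxy-mark $mark/$mark --on-port $port
# 3. TPROXY does not rewrite the packet: in INPUT it still carries the
#    remote server's address and port 80. Matching the mark accepts it
#    without one rule per destination.
ip6tables -t filter -A INPUT -i $iface -p tcp -m mark --mark $mark/$mark -j ACCEPT
# 4. Policy routing: deliver marked packets locally even though their
#    destination address is not configured on this host.
ip -6 rule add fwmark $mark lookup $table
ip -6 route add local default dev lo table $table
EOF
}

# Print the rule set for the setup described in the message.
tproxy6_rules br0 3129 1 100
```

Because the intercepted packets are delivered locally, they are matched in INPUT and not by the FORWARD `REJECT` rule quoted in the message.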