
Re: IPv6 and TPROXY


 



Any progress with the issue?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx



-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx] 
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT

any Windows host inside this ipv6prefix has a proxy configured, but for 
some reason there is e.g. HTTP traffic for CRLs or OCSP
that doesn't go through the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:
> Hey,
>
> Is there a specific reason for the usage of CentOS 6?
> Also, do you need full tproxy features or just to intercept the traffic?
>
> And Amos:
> Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
> Would the usage of:
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
>
> override the tproxy function?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
> Sent: Saturday, August 12, 2017 22:03
> To: Eliezer Croitoru<eliezer@xxxxxxxxxxxx>
> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  IPv6 and TPROXY
>
> Hello Eliezer,
>
> not really,
> as I don't understand, which IP squid needs to listen to
>
> in my squid.conf I have this:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port [::1]:3128
> http_port 192.168.1.1:3128
> http_port [ipv6prefix::1]:3128
> # Transparent Squid listens to port 3129 (IPv4 only)
> http_port 192.168.1.1:3129 transparent
> http_port [ipv6prefix::1]:3129 tproxy   <-- does it need this?
> http_port [::1]:3129 tproxy   <-- or this?
>
> the transparent proxy with ipv4 works ...
>
> just had to add the following
>
> e.g.
> iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80
> -j DNAT --to-destination 192.168.1.1:3129
>
> with IPv6 it is more complicated ...
>
> especially which IP6TABLES rule is meant by Amos' question?
>
> "I don't see anywhere in that INPUT list where the TPROXY'd traffic is
> permitted to reach Squid. "
>
> does this mean:
>
> e.g.  when I want to use TPROXY to  IPv6 2a02:1788:2fd::b2ff:5302, I
> need to add
>
> ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j ACCEPT
> ?
>
> does this really need these two
> ip -6 ...
> commands, as I don't know what to add in a file in
> /etc/sysconfig/network-scripts ...
>
> Thanks,
> Walter
>
> On 12.08.2017 20:23, Eliezer Croitoru wrote:
>



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
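
An added example, not part of the original thread: a small Python summary of the kernel log lines produced by the LOG rule quoted above, showing which inside hosts try to reach port 80 directly instead of using the configured proxy, and which destinations (for example CRL or OCSP servers) they try to reach. The sample log lines, host name and addresses are constructed (documentation prefix 2001:db8::/32), and the field layout assumes the usual ip6tables LOG output with fully expanded addresses.

```python
import ipaddress
import re
from collections import defaultdict

LOG_PREFIX = "IPv6[FWD-HTTP(out)]: "      # --log-prefix from the rule in the thread
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=VALUE pairs written by the LOG target

# Constructed sample lines (abbreviated field set, documentation addresses).
SAMPLE_LOG = """\
Aug 13 21:02:11 fw kernel: IPv6[FWD-HTTP(out)]: IN=br0 OUT=sit1 SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0080 PROTO=TCP SPT=49733 DPT=80 SYN
Aug 13 21:02:14 fw kernel: IPv6[FWD-HTTP(out)]: IN=br0 OUT=sit1 SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0080 PROTO=TCP SPT=49733 DPT=80 SYN
Aug 13 21:03:40 fw kernel: IPv6[FWD-HTTP(out)]: IN=br0 OUT=sit1 SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0080 PROTO=TCP SPT=49734 DPT=80 SYN
Aug 13 21:05:02 fw kernel: IPv6[FWD-HTTP(out)]: IN=br0 OUT=sit1 SRC=2001:0db8:0000:0000:0000:0000:0000:0011 DST=2001:0db8:ffff:0000:0000:0000:0000:0081 PROTO=TCP SPT=50001 DPT=80 SYN
Aug 13 21:05:09 fw kernel: IPv6[constructed-other]: IN=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0012 DST=2001:0db8:ffff:0000:0000:0000:0000:0080 PROTO=TCP SPT=50002 DPT=22 SYN
"""

def parse_line(line):
    """Return (src, dst, source_port) for a line carrying LOG_PREFIX, else None."""
    _, found, rest = line.partition(LOG_PREFIX)
    if not found:
        return None
    fields = dict(FIELD_RE.findall(rest))
    try:
        # The kernel logs addresses fully expanded; compress them for readability.
        return (ipaddress.ip_address(fields["SRC"]).compressed,
                ipaddress.ip_address(fields["DST"]).compressed,
                int(fields["SPT"]))
    except (KeyError, ValueError):
        return None  # truncated or malformed line

def bypass_attempts(log_text):
    """Count distinct connection attempts per (source, destination) pair.

    A rejected SYN that the client retransmits keeps its source port, so
    distinct source ports approximate distinct attempts.
    """
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, dst, spt = parsed
            ports[(src, dst)].add(spt)
    return {pair: len(seen) for pair, seen in ports.items()}

if __name__ == "__main__":
    for (src, dst), n in sorted(bypass_attempts(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {n} rejected direct HTTP attempt(s)")
```
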



