Any progress with the issue?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT

any Windows host inside this ipv6prefix has configured a proxy, but for some reason
e.g. there is HTTP traffic of CRLs or OCSP that doesn't go through to the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:
> Hey,
>
> Is there a specific reason for the usage of CentOS 6?
> Also, do you need full tproxy features or just to intercept the traffic?
>
> And Amos:
> Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
> Would the usage of:
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
>
> override the tproxy function?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer@xxxxxxxxxxxx
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
> Sent: Saturday, August 12, 2017 22:03
> To: Eliezer Croitoru<eliezer@xxxxxxxxxxxx>
> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: IPv6 and TPROXY
>
> Hello Eliezer,
>
> not really,
> as I don't understand which IP squid needs to listen to
>
> in my squid.conf I have this:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port [::1]:3128
> http_port 192.168.1.1:3128
> http_port [ipv6prefix::1]:3128
> # Transparent Squid listens to port 3129 (IPv4 only)
> http_port 192.168.1.1:3129 transparent
> http_port [ipv6prefix::1]:3129 tproxy  <-- does it need this?
> http_port [::1]:3129 tproxy  <-- or this?
>
> the transparent proxy with ipv4 works ...
>
> just had to add the following
>
> e.g.
> iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 -j DNAT --to-destination 192.168.1.1:3129
>
> with IPv6 it is more complicated ...
>
> especially which IP6TABLES rule is meant by Amos's question?
>
> "I don't see anywhere in that INPUT list where the TPROXY'd traffic is
> permitted to reach Squid. "
>
> does this mean:
>
> e.g. when I want to use TPROXY to IPv6 2a02:1788:2fd::b2ff:5302, I
> need to add
>
> ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j ACCEPT
> ?
>
> does this really need these two
> ip -6 ...
> commands, as I don't know what to add in a file in
> /etc/sysconfig/network-scripts ...
>
> Thanks,
> Walter
>
> On 12.08.2017 20:23, Eliezer Croitoru wrote:
>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users