Hey Ben,

Still waiting for the relevant output.
Once I have the relevant details I will probably be able to verify how and what the issue is.

Eliezer

-----Original Message-----
From: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>
Sent: Thursday, July 8, 2021 12:04 AM
To: 'squid-users@xxxxxxxxxxxxxxxxxxxxx' <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Cc: 'Ben Goz' <ben.goz87@xxxxxxxxx>
Subject: RE: TPROXY Error

Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:

> 5. the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

## It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a different routing/forwarding table.
If you want to understand a bit more you might be able to try and look up FIB.
(take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-----Original Message-----
From: Ben Goz <ben.goz87@xxxxxxxxx>
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: TPROXY Error

By the help of God.

Hi Eliezer,
Thanks for your help.
Please let me know if you need more information.

Regards,
Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?'
Ubuntu 20.04

> 2. the output of 'ip address'
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens1f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
    inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe36:d3/64 scope link
       valid_lft forever preferred_lft forever
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
       valid_lft forever preferred_lft forever
7: bond0.212@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
       valid_lft forever preferred_lft forever
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
       valid_lft forever preferred_lft forever
8: bond0.213@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
       valid_lft forever preferred_lft forever
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
       valid_lft forever preferred_lft forever

> 3. the output of 'ip rule'
$ ip rule
0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32763:  from all fwmark 0x1 lookup 100
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

> 4. the output of 'ip route show'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 5. the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 6. the output of 'iptables-save'
$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Wed Jul  7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*nat
:PREROUTING ACCEPT [26338415:1392747531]
:INPUT ACCEPT [820462:44161193]
:OUTPUT ACCEPT [1053:92773]
:POSTROUTING ACCEPT [25514534:1348449899]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Wed Jul  7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*filter
:INPUT ACCEPT [5045387:2170630036]
:FORWARD ACCEPT [72544426:6194710400]
:OUTPUT ACCEPT [2471930:252759773]
COMMIT
# Completed on Wed Jul  7 12:25:05 20

> 7. the output of 'nft -nn list ruleset' (if exists on the OS)
Doesn't exist.

> 8. the output of your squid.conf
$ cat squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all
http_access allow all

# Squid normally listens to port 3128
http_port 15643
http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem

always_direct allow all

acl DiscoverSNIHost at_step SslBump1
acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx
acl NoSSLIntercept ssl::server_name "xxx"
acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"

ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=15 idle=3

#sslproxy_capath /etc/ssl/certs

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

range_offset_limit -1
dns_v4_first on
forwarded_for off
cache deny all

> 9. the output of 'squid -v'
$ ./squid -v
Squid Cache: Version 4.15
Service Name: squid
This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience

> 10. the output of 'uname -a'
uname -a
Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

>
> Once we have all the above details (reducing/modifying any private
> details) we can try to maybe help you.
>
> Eliezer
>
> -----Original Message-----
> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of
> Ben Goz
> Sent: Wednesday, June 30, 2021 3:16 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: TPROXY Error
>
> By the help of God.
>
> Hi All,
> I'm trying to configure squid as a transparent proxy using TPROXY.
> The machine I'm using has 2 NICs, one for input and the other one for
> output traffic.
> The TPROXY iptables rules are configured on the input NIC.
> It looks like the iptables TPROXY redirect works, but squid prints out the
> following error:
>
> ERROR: NAT/TPROXY lookup failed to locate original IPs on
> local=xxx:443 remote=xxx:49471 FD 14 flags=17
>
> I think I loaded all the TPROXY required kernel modules.
>
> The IP forwarding works fine without the iptables rules, and I don't
> see any squid ERROR on getsockopt.
>
> Please let me know what I'm missing?
>
> Thanks,
> Ben
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
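The point Eliezer is pressing on is that a TPROXY setup needs two pieces of policy routing besides the iptables rules: an `ip rule` that sends packets carrying the tproxy mark to a dedicated table, and a `local 0.0.0.0/0 dev lo` route in that table so those packets are delivered to the local socket instead of being forwarded. The `ip rule` output above shows the first piece (four times over), but the "table 100" output is just the main table pasted again, so the second piece cannot be verified from the thread. The script below is an added example by the editor, not something posted by either participant or shipped with Squid. It parses captured `ip rule` and `ip route show table N` text offline and reports whether the policy-routing prerequisites are present. The two sample captures are constructed: one abbreviates what was posted here, the other shows the table after the documented `ip route add local 0.0.0.0/0 dev lo table 100` has been applied (iproute2 prints that route back as `local default dev lo scope host`).

```sh
#!/bin/sh
# Added example: verify TPROXY policy-routing prerequisites from captured
# 'ip rule' and 'ip route show table N' output. Runs offline; no root needed.

# Constructed sample 1: abbreviated copy of what was posted in the thread.
# Four identical fwmark rules, and a "table 100" listing that is really the
# main table (no 'local default dev lo' route).
SAMPLE_RULES_BAD='0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32763:  from all fwmark 0x1 lookup 100
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_TABLE_BAD='default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1'

# Constructed sample 2: one fwmark rule, and table 100 after
#   ip route add local 0.0.0.0/0 dev lo table 100
SAMPLE_RULES_GOOD='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_TABLE_GOOD='local default dev lo scope host'

# Print the (unique) table id(s) that fwmark 0x1 rules look up.
fwmark_tables() {
  printf '%s\n' "$1" |
    awk '/fwmark 0x1/ { for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i + 1) }' |
    sort -u
}

# Count how many rules match fwmark 0x1; duplicates are harmless but noisy.
fwmark_rule_count() {
  printf '%s\n' "$1" | grep -c 'fwmark 0x1'
}

# Succeed (exit 0) if the table text contains the local catch-all route
# TPROXY relies on; iproute2 shows it as 'local default dev lo ...'.
has_local_default() {
  printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# Overall verdict: exit 0 when both prerequisites are present, 1 otherwise.
check_tproxy_routing() {
  rules="$1"
  table="$2"
  table_ids=$(fwmark_tables "$rules")
  if [ -z "$table_ids" ]; then
    echo "FAIL: no 'ip rule ... fwmark 0x1 lookup N' rule found"
    return 1
  fi
  n=$(fwmark_rule_count "$rules")
  if [ "$n" -gt 1 ]; then
    echo "NOTE: $n fwmark rules point at table $table_ids; one is enough"
  fi
  if has_local_default "$table"; then
    echo "OK: table $table_ids delivers marked packets to local sockets"
    return 0
  fi
  echo "FAIL: table $table_ids has no 'local default dev lo' route"
  echo "      fix: ip route add local 0.0.0.0/0 dev lo table $table_ids"
  return 1
}

echo "--- as posted in the thread ---"
check_tproxy_routing "$SAMPLE_RULES_BAD" "$SAMPLE_TABLE_BAD" || :
echo "--- after adding the local route ---"
check_tproxy_routing "$SAMPLE_RULES_GOOD" "$SAMPLE_TABLE_GOOD" || :
```

On a live box, feed it the real captures: `check_tproxy_routing "$(ip rule)" "$(ip route show table 100)"`. The table number is taken from the fwmark rule rather than hard-coded, so the check still works if the mark is routed to a table other than 100; it does not inspect the iptables side, which the thread already shows.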