[squid-users] Troubleshooting Tproxy configuration

From: Angelo Compagnucci <angelo.compagnucci_at_gmail.com>
Date: Mon, 30 Aug 2010 09:47:20 +0200

Hi List,

I'll try to understang what's not working in my setup.
I'm trying to configure tproxy on an lan but I cannot get it working.
I'll try to explain better.

My setup is resumed in the following scheme:

LAN --> TRPOXY + BRIDGE + SQUID --> Default gateway.

I'm working on Ubuntu 9.10 with Squid 3.1. Squid and tproxy are
correctly configured because I can read "Accepting spoofing http
connections at ..." in chache.log.

The configuration I set up is described at the page
http://wiki.squid-cache.org/Features/Tproxy4.

This is the script i use to configure everithing:

CLIENT_IFACE=eth0
INET_IFACE=eth1

ifconfig $CLIENT_IFACE down
ifconfig $INET_IFACE down
ifconfig $CLIENT_IFACE 0.0.0.0 up
ifconfig $INET_IFACE 0.0.0.0 up

brctl addbr br0
brctl addif br0 $CLIENT_IFACE
brctl addif br0 $INET_IFACE
brctl stp br0 off

dhclient br0

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p IPv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p IPv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i

With this configuration TPROXY doesn't work, I can see packet count
increase for TRPOXY target in iptables -L but nothing appears on
access.log and every http request from clients times out.
This configuration works when I change --redirect-target DROP to
--redirect-target ACCEPT, but in this case I can observe a duplication
on traffic un port 80 inspecting my gateway traffic flow.

I'm really gratefull to anyoune that can help me.
Received on Mon Aug 30 2010 - 07:47:52 MDT

This archive was generated by hypermail 2.2.0 : Mon Aug 30 2010 - 12:00:03 MDT