I am trying to set up squid with tproxy. But I see that the client IP
is not getting spoofed. Other things work fine, i.e. squid listens on
a transparent socket, but while creating the outgoing connection squid
doesn't spoof the client IP.
Below is my config file
#====================
acl manager proto cache_object
acl localhost src 127.0.0.1/32
http_port 11181 ssl-bump cert=/extra/squid/etc/Centos6.0.pem
http_port 85 tproxy
http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy
pid_filename /extra/squid/var/squid.pid
cache_effective_user squid
cache_effective_group squid
logfile_rotate 5
debug_options ALL,9
coredump_dir /extra/squid/var/
visible_hostname squidhost
access_log /extra/squid/var/logs/access.log
cache_log /extra/squid/var/logs/cache.log
visible_hostname r810
sslproxy_flags DONT_VERIFY_PEER
http_access allow manager localhost
http_access deny manager
http_access allow all
ssl_bump allow all
always_direct allow all
sslproxy_cert_error allow all
#==================================
Also, following are the commands to set the iptables configuration:
===================================================
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86
Routing related flags are set like:
==========================
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
Regards,
Nipun
Bangalore
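The following is an added example, not code from the post above or from the Squid project: a set of offline sanity checks for the three things the post's setup relies on before Squid can spoof the client address. Each function reads captured command output from its arguments, so the checks run here against constructed sample output (modelled on what `ip rule show`, `ip route show table 100` and `iptables-save -t mangle` print for the commands in the post) and on a live host against the real output. Two points the checks encode that the post does not state: the effective rp_filter value on an interface is the maximum of conf/all and conf/eth0, so clearing only eth0 is not enough if conf/all is 1; and the `-m socket -j DIVERT` rule has to precede the TPROXY rules in PREROUTING, with the TPROXY mark matching the fwmark the policy rule looks up. The function names and sample strings are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): offline
# checks for a TPROXY setup. Every function takes captured command output as
# arguments so it can be exercised against the constructed samples below.

# Effective rp_filter on an interface is max(conf/all, conf/<iface>); the post
# clears only eth0, so conf/all must be 0 as well.
# Usage: check_rp_filter <conf/all value> <conf/eth0 value>
check_rp_filter() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ]
}

# Marked packets must be policy-routed into a table whose route delivers
# everything locally, otherwise they are forwarded instead of reaching the
# transparent socket.
# Usage: check_policy_routing "$(ip rule show)" "$(ip route show table 100)" 0x1 100
check_policy_routing() {
    rules=$1; routes=$2; mark=$3; table=$4
    printf '%s\n' "$rules"  | grep -Eq "fwmark $mark lookup $table\$" || return 1
    printf '%s\n' "$routes" | grep -Eq '^local default dev lo' || return 1
}

# The "-m socket" divert rule must come before any TPROXY rule in mangle
# PREROUTING so packets of already-established connections go straight to
# Squid's socket instead of being TPROXYed again.
# Usage: check_mangle_order "$(iptables-save -t mangle)"
check_mangle_order() {
    saved=$1
    socket_line=$(printf '%s\n' "$saved" | grep -n -- '-A PREROUTING .*-m socket' | head -n1 | cut -d: -f1)
    tproxy_line=$(printf '%s\n' "$saved" | grep -n -- '-j TPROXY' | head -n1 | cut -d: -f1)
    [ -n "$socket_line" ] && [ -n "$tproxy_line" ] && [ "$socket_line" -lt "$tproxy_line" ]
}

# The mark set by TPROXY has to be the mark the "ip rule" entry selects on.
# Usage: check_mark_consistency "$(iptables-save -t mangle)" "$(ip rule show)"
check_mark_consistency() {
    tproxy_mark=$(printf '%s\n' "$1" | sed -n 's/.*--tproxy-mark \(0x[0-9a-fA-F]*\)\/.*/\1/p' | head -n1)
    rule_mark=$(printf '%s\n' "$2" | sed -n 's/.*fwmark \(0x[0-9a-fA-F]*\) lookup.*/\1/p' | head -n1)
    [ -n "$tproxy_mark" ] && [ "$tproxy_mark" = "$rule_mark" ]
}

# Constructed sample output (not captured from a real host), shaped like the
# output the post's ip/iptables commands produce.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='local default dev lo scope host'
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 85 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 86 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Print one line per check; on a live host replace the samples with real
# output and the rp_filter values with the contents of /proc/sys/net/ipv4/conf/{all,eth0}/rp_filter.
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }
report check_rp_filter 0 0
report check_policy_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" 0x1 100
report check_mangle_order "$SAMPLE_MANGLE"
report check_mark_consistency "$SAMPLE_MANGLE" "$SAMPLE_RULES"
```

When all four checks pass and the client address still is not spoofed, the remaining piece is Squid itself: it must have been built with TPROXY support (libcap) so that the process keeps CAP_NET_ADMIN after switching to cache_effective_user, which is what lets it bind the outgoing socket to a foreign source address.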
Received on Tue Sep 27 2011 - 07:34:27 MDT