On 03.03.2012 14:19, David Touzeau wrote:
> You are right, Amos.
>
> It needs iptables 1.4.10 and kernel 2.6.37,
> and Debian backports provide iptables 1.4.8 and kernel 3.0.
> It is not possible with Debian squeeze to use TProxy mode correctly.
>
> I think this should be the reason that, in my previous post, I had
> many issues implementing TProxy mode.
> I think it needs to wait for Wheezy or a better version in backports.
>
>
I have just found an omission from the TPROXY feature page which may
explain the problems on Ubuntu and some Debians.
It turns out the fwmark rules need to be entered explicitly and
separately for IPv4 and IPv6, just like the route entries.
The wiki was saying:
ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100
ip -f inet6 route add local default dev eth0 table 100
But what is actually needed is this:
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eth0 table 100
If you follow the "ip rule add fwmark" version it will catch IPv4
traffic perfectly fine, while IPv6 traffic will be counted as marked by
TPROXY yet never arrive at Squid; instead it will pass through to the
destination as if TPROXY were not even there.
Hope this helps.
Amos
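The setup Amos describes, as an added example that is not part of the original thread or of the Squid wiki: a small POSIX shell script that emits the policy-routing commands once per address family (the point of the correction above), plus a check that parses the output of "ip -f inet rule show" and "ip -f inet6 rule show" to confirm the fwmark rule really exists for both families. The interface name eth0, fwmark 1 and table 100 are taken from the wiki commands quoted above; the sample listings are constructed, not captured from a real host, and model exactly the situation in the post, where the rule was added without "-f" and so only IPv4 got it.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid wiki).
# Assumptions: interface eth0, fwmark 1, routing table 100, as in the
# wiki commands quoted in the post.
MARK=1
TABLE=100
DEV=eth0

# Print the four commands TPROXY policy routing needs. Both the fwmark
# rule and the local route must be added separately for inet and inet6;
# a bare "ip rule add" only affects IPv4.
tproxy_commands() {
    for fam in inet inet6; do
        printf 'ip -f %s rule add fwmark %s lookup %s\n' "$fam" "$MARK" "$TABLE"
        printf 'ip -f %s route add local default dev %s table %s\n' "$fam" "$DEV" "$TABLE"
    done
}

# $1 is the captured text of "ip -f inet rule show" or "ip -f inet6 rule
# show". Returns 0 if a rule selecting $TABLE for fwmark $MARK is present.
# iproute2 prints the mark in hex, e.g. "from all fwmark 0x1 lookup 100".
has_fwmark_rule() {
    hexmark=$(printf '0x%x' "$MARK")
    printf '%s\n' "$1" | grep -Eq "fwmark ${hexmark} lookup ${TABLE}( |\$)"
}

# $1: IPv4 listing, $2: IPv6 listing. Reports each family that lacks the
# rule and returns 1 if either is missing, since a missing IPv6 rule means
# marked IPv6 traffic bypasses Squid silently.
check_both_families() {
    rc=0
    has_fwmark_rule "$1" || { echo "IPv4: fwmark rule missing" >&2; rc=1; }
    has_fwmark_rule "$2" || { echo "IPv6: fwmark rule missing (IPv6 will bypass Squid)" >&2; rc=1; }
    return $rc
}

# Constructed sample listings (not captured from a real box): the rule was
# added with "ip rule add" and so appears only in the IPv4 table.
SAMPLE_V4='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_V6='0:      from all lookup local
32766:  from all lookup main'

# Stand-alone demo: show the commands, then run the check on the samples.
tproxy_commands
if check_both_families "$SAMPLE_V4" "$SAMPLE_V6"; then
    echo "policy routing complete for both families"
else
    echo "policy routing incomplete; compare against the commands above"
fi
```

On a live host, replace the constructed samples with `"$(ip -f inet rule show)"` and `"$(ip -f inet6 rule show)"`; the check needs no privileges, only the rule commands themselves do.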
Received on Sun Mar 25 2012 - 06:08:30 MDT
This archive was generated by hypermail 2.2.0 : Sun Mar 25 2012 - 12:00:03 MDT