Re: [squid-users] tproxy configuration

From: Roman Gelfand <rgelfand2_at_gmail.com>
Date: Fri, 22 Feb 2013 12:40:01 -0500

Thanks for taking time to help me out.

If I understood you correctly, I think I made the changes you
mentioned, including the iptables -A FORWARD -i eth0 -j ACCEPT line.

Still no luck. Below are the diagnostics.

Chain PREROUTING (policy ACCEPT 13 packets, 8499 bytes)
 pkts bytes target prot opt in out source destination
  337 93649 ACCEPT all -- any any anywhere 192.168.8.21
  226 48201 DIVERT tcp -- any any anywhere anywhere socket
    0 0 TPROXY tcp -- any any anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3228 mark 0x1/0x1
    0 0 TPROXY tcp -- any any anywhere anywhere tcp dpt:https TPROXY redirect 0.0.0.0:3229 mark 0x1/0x1

Chain INPUT (policy ACCEPT 576 packets, 150K bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 644 packets, 135K bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 644 packets, 135K bytes)
 pkts bytes target prot opt in out source destination

Chain DIVERT (1 references)
 pkts bytes target prot opt in out source destination
  226 48201 MARK all -- any any anywhere anywhere MARK set 0x1
  226 48201 ACCEPT all -- any any anywhere anywhere

On Fri, Feb 22, 2013 at 2:14 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 22/02/2013 5:07 p.m., Roman Gelfand wrote:
>>
>> On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>>>
>>>> Please find below the network topology, squid.conf and rc.local
>>>> configuration files. It appears that squid is not routing the
>>>> http requests. I am not sure what I am doing wrong here.
>>>> Please note, the same squid.conf works as a transparent proxy (non
>>>> tproxy), with the exception of the tproxy keyword and service changes.
>>>> Thanks in advance,
>>>>
>>>> WAN
>>>> ||
>>>> ||
>>>> wccp/gre tunnel ||
>>>> squid==============================Fortigate FW/RT Int ip 1 192.168.8.1
>>>> 3.3 || Int ip 2
>>>> 192.168.11.1
>>>> ip: 192.168.8.21 || Ext ip XX.XX.XXX.24
>>>> ||
>>>> ||
>>>> WLAN Router Int. ip
>>>> 192.168.11.32 Ext. ip 192.168.7.1
>>>> ||
>>>> ||
>>>> ||
>>>> Client Workstation 192.168.7.110
>>>>
>>>>
>>>> #!/bin/sh -e
>>>> #
>>>> # rc.local
>>>> #
>>>> # This script is executed at the end of each multiuser runlevel.
>>>> # Make sure that the script will "exit 0" on success or any other
>>>> # value on error.
>>>> #
>>>> # In order to enable or disable this script just change the execution
>>>> # bits.
>>>> #
>>>> # By default this script does nothing.
>>>> # GRE Tunnel :
>>>> echo "Loading modules.."
>>>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>>>
>>>> LOCALIP="192.168.8.21"
>>>> FORTIDIRIP="192.168.8.1"
>>>> FORTIIPID="XX.XX.XXX.254"
>>>> echo "changing routing and reverse path stuff.."
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>
>>>
>>> What about rp_filter on eth0 where the traffic is actually exiting the
>>> Squid box?
>>
>> Could you elaborate on this..
>
>
> What rp_filter does is prevent packets from local software using that
> interface from using IP addresses that do not belong to that box.
>
> The purpose of TPROXY being to spoof the _client's_ IP address on outgoing
> traffic, which does not leave the machine on lo, but through eth0 or some
> other interface.
>
>
> Amos
Received on Fri Feb 22 2013 - 17:40:08 MST
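Amos's point above (rp_filter has to be relaxed on the interface the TPROXY traffic actually leaves through, eth0 in this setup, not only on lo as the posted rc.local does) as a small audit script. This is an added example, not code from the thread or from Squid; the function and variable names are my own, the /proc/sys/net/ipv4/conf layout and the "kernel applies the maximum of all and the interface value" rule come from the kernel's ip-sysctl documentation, and SYSCTL_ROOT is overridable so the functions can run against a constructed copy of that directory tree.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the rp_filter value the kernel
# actually enforces on an interface: max(conf/all/rp_filter, conf/IFACE/rp_filter).
# TPROXY sends packets with the client's address as source out of eth0 (assumed
# egress interface from the thread), so eth0 and "all" need 0, not just lo.
# SYSCTL_ROOT defaults to the live tree; override it to audit a constructed copy.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# read_sysctl IFACE -> raw rp_filter value for IFACE (0 if the file is absent)
read_sysctl() {
    if [ -r "$SYSCTL_ROOT/$1/rp_filter" ]; then
        cat "$SYSCTL_ROOT/$1/rp_filter"
    else
        echo 0
    fi
}

# effective_rp_filter IFACE -> max(all, IFACE), the value the kernel applies
effective_rp_filter() {
    all=$(read_sysctl all)
    own=$(read_sysctl "$1")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# tproxy_egress_ok IFACE -> exit 0 when rp_filter is fully off for IFACE,
# exit 1 when strict (1) or loose (2) filtering is still in effect
tproxy_egress_ok() {
    [ "$(effective_rp_filter "$1")" -eq 0 ]
}

# needed_sysctls IFACE -> the two sysctl lines that make tproxy_egress_ok pass
needed_sysctls() {
    printf 'net.ipv4.conf.all.rp_filter=0\nnet.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# Stand-alone use: audit the interfaces from the thread's setup.
for i in lo eth0; do
    if tproxy_egress_ok "$i"; then
        echo "$i: effective rp_filter 0 (ok for TPROXY)"
    else
        echo "$i: effective rp_filter $(effective_rp_filter "$i"); set:"
        needed_sysctls "$i"
    fi
done
```

The rc.local in the thread only writes to conf/lo/rp_filter, so on that box the eth0 line of this audit is the one to watch.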
