<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.1">
</HEAD>
<BODY>
It only works when I patched my squid with IP_FREEBIND; I mean the client IP spoofing works. I don't know why <FONT COLOR="#000000">modprobe iptable_tproxy tproxy_any=1</FONT> didn't work for me.<BR>
<BR>
Anyway, thanks guys, your advice was very helpful for me.<BR>
<BR>
<BR>
On Thu, 2008-02-21 at 15:05 +0100, Laszlo Attila Toth wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Hi,</FONT>
<FONT COLOR="#000000">nantenaina Tianarivo wrote:</FONT>
<FONT COLOR="#000000">> I have already tried to load the tproxy table with the tproxy_any </FONT>
<FONT COLOR="#000000">> parameter as you describe because I have seen this in the archive but it </FONT>
<FONT COLOR="#000000">> didn't solve the problem</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">Strange. It works for me with netcat:</FONT>
<FONT COLOR="#000000">On 192.168.10.1 as in 4.0.3's README:</FONT>
<FONT COLOR="#000000"> echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind</FONT>
<FONT COLOR="#000000"> modprobe iptable_tproxy tproxy_any=1</FONT>
<FONT COLOR="#000000"> nc -s 192.168.4.7 -p 55 192.168.10.2 678</FONT>
<FONT COLOR="#000000">On 192.168.10.2:</FONT>
<FONT COLOR="#000000"> ip route add 192.168.4.0/24 via 192.168.10.1</FONT>
<FONT COLOR="#000000"> nc -lp 678</FONT>
<FONT COLOR="#000000">The TCP connection is established and data arrive to the other side as </FONT>
<FONT COLOR="#000000">expected.</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> On Wed, 2008-02-20 at 11:45 +0100, Laszlo Attila Toth wrote:</FONT>
<FONT COLOR="#000000">>> Hello,</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> nantenaina Tianarivo wrote:</FONT>
<FONT COLOR="#000000">>> > Hello everybody,</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > I am trying to make tproxy work with our squid but I have a problem with </FONT>
<FONT COLOR="#000000">>> > the iptable to redirect traffic to squid now.</FONT>
<FONT COLOR="#000000">>> > I have compiled a linux kernel 2.6.22.18 patched with </FONT>
<FONT COLOR="#000000">>> > tproxy-4.0.3-2.6.22. and iptable 1.3.8. For squid, I'm using Version </FONT>
<FONT COLOR="#000000">>> > 2.6.STABLE5.</FONT>
<FONT COLOR="#000000">>> > I think my kernel is well compiled because I see all the tproxy module </FONT>
<FONT COLOR="#000000">>> > loaded :</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > proxy:/usr/src/linux# lsmod | grep -i proxy</FONT>
<FONT COLOR="#000000">>> > xt_tproxy 1984 0</FONT>
<FONT COLOR="#000000">>> > xt_TPROXY 1984 1</FONT>
<FONT COLOR="#000000">>> > iptable_tproxy 6468 2 xt_TPROXY</FONT>
<FONT COLOR="#000000">>> > ip_tables 12420 2 iptable_filter,iptable_tproxy</FONT>
<FONT COLOR="#000000">>> > x_tables 14564 5 </FONT>
<FONT COLOR="#000000">>> > ipt_LOG,xt_tcpudp,xt_tproxy,xt_TPROXY,ip_tables</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > My iptables rules is like this :</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre1 --dport 80 -j LOG</FONT>
<FONT COLOR="#000000">>> > iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre1 --dport 80 -j </FONT>
<FONT COLOR="#000000">>> > TPROXY --on-port 80</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > when I check it with tcpdump, I see traffic for http port on the gre1 </FONT>
<FONT COLOR="#000000">>> > interface</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > proxy:/usr/src/linux# tcpdump -n -i gre1</FONT>
<FONT COLOR="#000000">>> > tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to </FONT>
<FONT COLOR="#000000">>> > cooked socket</FONT>
<FONT COLOR="#000000">>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</FONT>
<FONT COLOR="#000000">>> > listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes</FONT>
<FONT COLOR="#000000">>> > 13:10:51.437856 IP 62.56.240.17.3200 > 84.16.80.10.80: . ack 3247536657 </FONT>
<FONT COLOR="#000000">>> > win 2264 <nop,nop,timestamp 24199037 1582152></FONT>
<FONT COLOR="#000000">>> > 13:10:51.492666 IP 62.56.240.17.3199 > 84.16.80.10.80: . ack 3204902926 </FONT>
<FONT COLOR="#000000">>> > win 3604 <nop,nop,timestamp 24199051 1582156></FONT>
<FONT COLOR="#000000">>> > 13:10:51.523999 IP 62.56.240.17.3198 > 84.16.80.10.80: . ack 3189913679 </FONT>
<FONT COLOR="#000000">>> > win 16022 <nop,nop,timestamp 24199058 1582173></FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > when I check it on access.log of my squid, my requests are actually sent </FONT>
<FONT COLOR="#000000">>> > to the squid.</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > But it is not the client ip which is sent to the Internet but the squid </FONT>
<FONT COLOR="#000000">>> > box IP.</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > when I issue iptables-save -c command to check if there are traffic that </FONT>
<FONT COLOR="#000000">>> > enter my iptables rule, the counter shows zero traffic.</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > proxy:/usr/src/linux# iptables-save -t tproxy -c</FONT>
<FONT COLOR="#000000">>> > # Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008</FONT>
<FONT COLOR="#000000">>> > *tproxy</FONT>
<FONT COLOR="#000000">>> > :PREROUTING ACCEPT [128:11992]</FONT>
<FONT COLOR="#000000">>> > [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG</FONT>
<FONT COLOR="#000000">>> > [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port </FONT>
<FONT COLOR="#000000">>> > 80 --on-ip 0.0.0.0</FONT>
<FONT COLOR="#000000">>> > COMMIT</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > even the LOG doesn't tell me anything about traffic on the gre1 interface.</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > what I see in the log is this error that appears from time to time:</FONT>
<FONT COLOR="#000000">>> > </FONT>
<FONT COLOR="#000000">>> > Feb 20 13:08:31 proxy squid[2353]: parseHttpRequest: NF </FONT>
<FONT COLOR="#000000">>> > getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available</FONT>
<FONT COLOR="#000000">>> > Feb 20 13:08:31 proxy squid[2353]: tproxy </FONT>
<FONT COLOR="#000000">>> > ip=62.56.240.17,0x11f0383e,port=0 ERROR ASSIGN</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> It seems you want to use the squid with tproxy patch for tproxyv2 but </FONT>
<FONT COLOR="#000000">>> you use tproxyv4. They are incompatible. The iptables commands are the </FONT>
<FONT COLOR="#000000">>> same but the tproxy4 kernel code is different.</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> When the squid uses tproxy-specific commands, there should be only one </FONT>
<FONT COLOR="#000000">>> call: set the socket option IP_FREEBIND, _or_ load the tproxy table </FONT>
<FONT COLOR="#000000">>> with the tproxy_any parameter:</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> modprobe iptable_tproxy tproxy_any=1</FONT>
<FONT COLOR="#000000">>></FONT>
</PRE>
</BLOCKQUOTE>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
-- <BR>
nantenaina Tianarivo <<A HREF="mailto:rivo@gulfsat.mg">rivo@gulfsat.mg</A>>
</TD>
</TR>
</TABLE>
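<BR>
Laszlo's point above is that with tproxy4 the proxy itself needs exactly one extra step: set IP_FREEBIND on the outgoing socket (or load the table with tproxy_any=1) so it can bind to the client's address before connecting out. The following is an added example, not code from this thread or from Squid; it assumes Linux and reuses 192.168.4.7 from the netcat test as the non-local source address:<BR>

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Create a TCP socket bound to src_ip:src_port.  With use_freebind set,
 * IP_FREEBIND is enabled first so the kernel accepts an address that is
 * not configured on any local interface: the per-socket equivalent of
 * ip_nonlocal_bind=1 / tproxy_any=1 from the thread.
 * Returns 0 and stores the descriptor in *fd_out, else a positive errno. */
int bind_foreign_source(const char *src_ip, uint16_t src_port,
                        int use_freebind, int *fd_out)
{
    struct sockaddr_in sa;
    int e, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (use_freebind) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0) {
            e = errno; close(fd); return e;
        }
    }
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(src_port);
    if (inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1) {
        close(fd); return EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        e = errno; close(fd); return e;
    }
    *fd_out = fd;
    return 0;
}

int main(void)
{
    int fd, r;
    /* 192.168.4.7 is the non-local test address from the thread: the plain
     * bind is refused (unless ip_nonlocal_bind=1), the freebind one succeeds. */
    r = bind_foreign_source("192.168.4.7", 0, 0, &fd);
    printf("plain bind:    %s\n", r ? strerror(r) : "ok"); if (!r) close(fd);
    r = bind_foreign_source("192.168.4.7", 0, 1, &fd);
    printf("freebind bind: %s\n", r ? strerror(r) : "ok"); if (!r) close(fd);
    return 0;
}
```
<BR>
Binding is only half of it: as in the netcat test, the far side (or the next hop) needs a route back to 192.168.4.0/24 via the proxy box, or the SYN-ACK never returns. Upstream kernels that later merged tproxy use IP_TRANSPARENT for this instead, which requires a capability, whereas IP_FREEBIND needs none.<BR>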
</BODY>
</HTML>