<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hey,<br>
<br>
Indeed, as you were thinking.<br>
The socket matches a socket on the machine, which means it's not an
inbound connection.<br>
The rules are:<br>
if the connection is local, divert it to local routing as a socket,
and otherwise redirect it into Squid's tproxy port.<br>
<br>
Eliezer<br>
<br>
On 07/03/2013 01:07 AM, Firas Rasmy wrote:<br>
</div>
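<p>Added illustration, not part of this thread: a small Python model of the mangle PREROUTING chain from the four rules quoted below, showing which packets the "-m socket -j DIVERT" rule catches (established connections in either direction) and which fall through to the TPROXY rule (only the first SYN of a new client connection). The socket table, the addresses and the fwmark-to-local-route pairing are constructed assumptions for the example.</p>

```python
# Added model (not code from the thread): how the four mangle PREROUTING rules
# quoted in the thread classify packets. Socket table and addresses are constructed.
from dataclasses import dataclass

TPROXY_PORT = 3129   # --on-port from the TPROXY rule in the thread
MARK = 1             # set by DIVERT (MARK --set-mark 1) and by --tproxy-mark 0x1/0x1;
                     # assumed paired with "ip rule add fwmark 1 lookup 100" and
                     # "ip route add local 0.0.0.0/0 dev lo table 100" (squid wiki setup)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

# Constructed socket table on the proxy box: (local_ip, local_port, peer_ip, peer_port).
# 192.0.2.10 is the client, 203.0.113.80 the web server (documentation addresses).
SOCKETS = {
    ("0.0.0.0", TPROXY_PORT, "0.0.0.0", 0),      # squid's zero-bound tproxy listener
    ("203.0.113.80", 80, "192.0.2.10", 40001),   # accepted client conn, server addr spoofed
    ("192.0.2.10", 40001, "203.0.113.80", 80),   # squid's outbound conn, client addr spoofed
}

def socket_match(pkt):
    """Model of xt_socket: an established socket owns the reversed 4-tuple.
    Zero-bound listeners are ignored (iptables default without --nowildcard),
    so a brand-new client SYN does not match even though squid is listening."""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in SOCKETS

def mangle_prerouting(pkt):
    """Return (verdict, fwmark) for one TCP packet under the thread's rules."""
    if socket_match(pkt):                      # -p tcp -m socket -j DIVERT
        return ("DIVERT_LOCAL", MARK)          # mark 1, fwmark rule, delivered locally
    if pkt.dport == 80:                        # -p tcp --dport 80 -j TPROXY ...
        return ("TPROXY:%d" % TPROXY_PORT, MARK)
    return ("FORWARD", 0)                      # untouched: normal forwarding

def classify_flow():
    """Walk the constructed packets of one intercepted HTTP flow."""
    return {
        "client_syn":   mangle_prerouting(Packet("192.0.2.10", 40002, "203.0.113.80", 80, syn=True)),
        "client_data":  mangle_prerouting(Packet("192.0.2.10", 40001, "203.0.113.80", 80)),
        "server_reply": mangle_prerouting(Packet("203.0.113.80", 80, "192.0.2.10", 40001)),
        "https":        mangle_prerouting(Packet("192.0.2.10", 50000, "203.0.113.80", 443)),
    }
```

The "server_reply" case is the one asked about below: its destination is the spoofed client address, so without the DIVERT rule and the matching fwmark local route the kernel would forward it to the real client, which never opened that connection.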
<blockquote
cite="mid:1372802839.47784.YahooMailNeo@web120401.mail.ne1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:arial,
helvetica, sans-serif;font-size:10pt">
<div style="font-family: arial, helvetica, sans-serif;
font-size: 10pt;"><span>Thanks a lot for your reply Eliezer!</span></div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 13px; color: rgb(0, 0, 0); background-color:
transparent; font-style: normal;"><span><br>
</span></div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 13px; color: rgb(0, 0, 0); background-color:
transparent; font-style: normal;"><span>I have another
question here regarding the following iptables rules, which
are needed to get TPROXY to work:</span></div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 13px; color: rgb(0, 0, 0); background-color:
transparent; font-style: normal;"><span><br>
</span></div>
<div style="background-color: transparent;"><font size="2">iptables
-t mangle -N DIVERT</font></div>
<div style="background-color: transparent;"><font size="2">iptables
-t mangle -A DIVERT -j MARK --set-mark 1</font></div>
<div style="background-color: transparent;"><font size="2">iptables
-t mangle -A DIVERT -j ACCEPT</font></div>
<div style="background-color: transparent;"><span
style="font-size: 13px; background-color: transparent;">iptables
-t mangle -A PREROUTING -p tcp -m socket -j DIVERT</span><br>
</div>
<div style="background-color: transparent;"><font size="2"><span></span></font></div>
<div style="background-color: transparent;"><font size="2"><br>
</font></div>
<div style="background-color: transparent; color: rgb(0, 0, 0);
font-size: 13px; font-family: arial, helvetica, sans-serif;
font-style: normal;"><font size="2">iptables -t mangle -A
PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1
--on-port 3129</font></div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 10pt;"><br>
</div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 13px; color: rgb(0, 0, 0); background-color:
transparent; font-style: normal;"><span><br>
</span></div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 13px; color: rgb(0, 0, 0); background-color:
transparent; font-style: normal;"><span><br>
</span></div>
<div style="background-color: transparent;"><span style="color:
rgb(0, 0, 0); font-family: arial, helvetica, sans-serif;
font-size: 13px; font-style: normal;"> What is "-m socket"
used for? Man page of iptables says that "-m socket" </span><span
style="background-color: transparent;"><font size="2">matches
if an open socket can be found by doing a socket lookup
on </font></span><span style="font-size: 13px;
background-color: transparent;">the packet. I think the
following rule is intended for reply packets coming from web
servers to squid (with the spoofed IP address), am I right?
If not, please correct me:</span></div>
<div style="background-color: transparent; color: rgb(0, 0, 0);
font-size: 13px; font-family: arial, helvetica, sans-serif;
font-style: normal;"><span style="font-size: 13px;
background-color: transparent;">iptables -t mangle -A
PREROUTING -p tcp -m socket -j DIVERT<br>
</span></div>
<div style="background-color: transparent; color: rgb(0, 0, 0);
font-size: 13px; font-family: arial, helvetica, sans-serif;
font-style: normal;"><span style="font-size: 13px;
background-color: transparent;"><br>
</span></div>
<div style="background-color: transparent; color: rgb(0, 0, 0);
font-size: 13px; font-family: arial, helvetica, sans-serif;
font-style: normal;"><span style="font-size: 13px;
background-color: transparent;">Best regards,</span></div>
<div style="background-color: transparent; color: rgb(0, 0, 0);
font-size: 13px; font-family: arial, helvetica, sans-serif;
font-style: normal;"><span style="font-size: 13px;
background-color: transparent;">Firas</span></div>
<div><br>
</div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 10pt;"><br>
</div>
<div style="font-family: arial, helvetica, sans-serif;
font-size: 10pt;">
<div style="font-family: 'times new roman', 'new york', times,
serif; font-size: 12pt;">
<div dir="ltr">
<hr size="1"> <font face="Arial" size="2"> <b><span
style="font-weight:bold;">From:</span></b> Eliezer
Croitoru <a class="moz-txt-link-rfc2396E" href="mailto:eliezer@ngtech.co.il"><eliezer@ngtech.co.il></a><br>
<b><span style="font-weight: bold;">To:</span></b>
<a class="moz-txt-link-abbreviated" href="mailto:tproxy@lists.balabit.hu">tproxy@lists.balabit.hu</a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Monday, July 1, 2013 11:00 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [tproxy] Squid with TProxy Support<br>
</font> </div>
<div class="y_msg_container"><br>
CentOS comes with TPROXY, so you don't need to recompile or
do anything <br>
more than use the bundled kernel from CentOS.<br>
Take a small peek at this tutorial:<br>
<a moz-do-not-send="true"
href="http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2"
target="_blank">http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2</a><br>
The tutorial has all the working examples that are needed
for tproxy <br>
with squid.<br>
<br>
If you will need more help you can try squid-users.<br>
<br>
Eliezer<br>
<br>
On 07/01/2013 09:37 PM, Firas Rasmy wrote:<br>
> Hello there!<br>
><br>
> I'm trying to install squid with TPROXY support. I'm
using a Centos 6.4<br>
> (64-bit) with kernel version 2.6.32-358.el6.x86_64
and iptables version<br>
> 4.1.7<br>
><br>
> I've followed the instructions in<br>
> <a moz-do-not-send="true"
href="http://wiki.squid-cache.org/Features/Tproxy4"
target="_blank">http://wiki.squid-cache.org/Features/Tproxy4
</a>but unfortunately<br>
> connecting to any website from a client with Chrome
browser fails with<br>
> this error:<br>
> Error 324 (net::ERR_EMPTY_RESPONSE): The server
closed the connection<br>
> without sending any data.<br>
><br>
> When trying to telnet squid on port 80, I get a
connection but the<br>
> connection is closed once I hit any key! I think
packets are being<br>
> redirected to squid successfully because if I stop
squid, there would be<br>
> no connections at all. Do you have any idea of what
might be the reason?<br>
><br>
> Another question, I have checked that my current
kernel was already<br>
> built with those options:<br>
> NF_CONNTRACK=m<br>
> NETFILTER_TPROXY=m<br>
> NETFILTER_XT_MATCH_SOCKET=m<br>
> NETFILTER_XT_TARGET_TPROXY=m<br>
><br>
> Do I still have to recompile it with patches from<br>
> <a class="moz-txt-link-freetext" href="http://www.balabit.com/downloads/files/tproxy/">http://www.balabit.com/downloads/files/tproxy/</a>?<br>
> There are no patches available for this current
version. What about<br>
> iptables? Do I need to patch it?<br>
><br>
> My last question is: TPROXY target in the mangle
table is not supposed<br>
> to change anything in the packet header, how the
packets with TPROXY<br>
> target would be redirected to --on-port if the IP
header is untouched?!<br>
><br>
> Thanks a lot for your help!<br>
><br>
> Best regards,<br>
> Firas<br>
><br>
><br>
> _______________________________________________<br>
> tproxy mailing list<br>
> <a moz-do-not-send="true"
ymailto="mailto:tproxy@lists.balabit.hu"
href="mailto:tproxy@lists.balabit.hu">tproxy@lists.balabit.hu</a><br>
> <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/tproxy"
target="_blank">https://lists.balabit.hu/mailman/listinfo/tproxy</a><br>
><br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>