<html><body><div style="color:#000; background-color:#fff; font-family:arial, helvetica, sans-serif;font-size:10pt"><div>Thanks a lot Chinmay and Eliezer,</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: arial, helvetica, sans-serif; background-color: transparent; font-style: normal;">I think the comments on the iptables rules in <a href="http://wiki.squid-cache.org/Features/Tproxy4" style="font-size: 10pt;">http://wiki.squid-cache.org/Features/Tproxy4</a> are a bit confusing!<br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: arial, helvetica, sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: arial, helvetica, sans-serif; background-color: transparent; font-style: normal;">Best regards,</div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: arial, helvetica, sans-serif; background-color:
transparent; font-style: normal;">Firas</div><div><br></div> <div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> Chinmay Mahata <chinmay_mahata@rediffmail.com><br> <b><span style="font-weight: bold;">To:</span></b> Firas Rasmy <firasrasmy@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, July 5, 2013 2:13 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [tproxy] Squid with TProxy Support<br> </font> </div> <div class="y_msg_container"><br><div id="yiv0878288906">Hi Firas,<br> Your understanding is absolutely
correct.<br><br>Regards,<br>--Chinmay <br><br><br><br><br>From: Firas Rasmy <firasrasmy@yahoo.com><br>Sent: Wed, 03 Jul 2013 04:34:02 <br>To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu><br>Subject: Re: [tproxy] Squid with TProxy Support<br> <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: arial, helvetica, sans-serif; font-size: 10pt;"><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"><span>Thanks a lot for your reply Eliezer!</span></div><div style="font-family: arial, helvetica, sans-serif; font-size: 13px; background-color: transparent; font-style: normal;"><span><br></span></div><div style="font-family: arial, helvetica, sans-serif; font-size: 13px; background-color: transparent; font-style: normal;"><span>I have another question here regarding the following iptables rules, which are needed to get TPROXY to work:</span></div><div style="font-family: arial, helvetica,
sans-serif; font-size: 13px; background-color: transparent; font-style: normal;"><span><br></span></div><div style="background-color:transparent;"><font size="2">iptables -t mangle -N DIVERT</font></div><div style="background-color:transparent;"><font size="2">iptables -t mangle -A DIVERT -j MARK --set-mark 1</font></div><div style="background-color:transparent;"><font size="2">iptables -t mangle -A DIVERT -j ACCEPT</font></div><div style="background-color:transparent;"><span style="font-size:13px;background-color:transparent;">iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT</span><br></div><div style="background-color:transparent;"><font size="2"><span></span></font></div><div style="background-color:transparent;"><font size="2"><br></font></div><div style="background-color: transparent; font-size: 13px; font-family: arial, helvetica, sans-serif; font-style: normal;"><font size="2">iptables -t mangle -A PREROUTING -p tcp --dport
80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129</font></div><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"><br></div><div style="font-family: arial, helvetica, sans-serif; font-size: 13px; background-color: transparent; font-style: normal;"><span><br></span></div><div style="font-family: arial, helvetica, sans-serif; font-size: 13px; background-color: transparent; font-style: normal;"><span><br></span></div><div style="background-color:transparent;"><span style="font-family: arial, helvetica, sans-serif; font-size: 13px; font-style: normal;"> What is "-m socket" used for? Man page of iptables says that "-m socket" </span><span style="background-color:transparent;"><font size="2">matches if an open socket can be found by doing a socket lookup on </font></span><span style="font-size:13px;background-color:transparent;">the packet. I think the following rule is intended for reply packets coming from web servers to squid
(with the spoofed IP address), am I right? If not, please correct me:</span></div><div style="background-color: transparent; font-size: 13px; font-family: arial, helvetica, sans-serif; font-style: normal;"><span style="font-size:13px;background-color:transparent;">iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT<br></span></div><div style="background-color: transparent; font-size: 13px; font-family: arial, helvetica, sans-serif; font-style: normal;"><span style="font-size:13px;background-color:transparent;"><br></span></div><div style="background-color: transparent; font-size: 13px; font-family: arial, helvetica, sans-serif; font-style: normal;"><span style="font-size:13px;background-color:transparent;">Best regards,</span></div><div style="background-color: transparent; font-size: 13px; font-family: arial, helvetica, sans-serif; font-style: normal;"><span style="font-size:13px;
background-color:transparent;">Firas</span></div><div><br></div><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"><br></div> <div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Eliezer Croitoru <eliezer@ngtech.co.il><br> <b><span style="font-weight:bold;">To:</span></b> tproxy@lists.balabit.hu <br> <b><span style="font-weight:bold;">Sent:</span></b> Monday, July 1, 2013 11:00 PM<br> <b><span style="font-weight:bold;">Subject:</span></b> Re: [tproxy] Squid with TProxy Support<br> </font> </div> <div><br>Centos comes with TPROXY so you don't need to recompile or do anything <br>more then to bundled kernel from CentOS.<br>Take a small peek at this tutorial:<br><a rel="nofollow" target="_blank"
href="http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2">http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2</a><br>The tutorial have all the working examples that are needed for tproxy <br>with squid.<br><br>If you will need more help you can try squid-users.<br><br>Eliezer<br><br>On 07/01/2013 09:37 PM, Firas Rasmy wrote:<br>> Hello there!<br>><br>> I'm trying to install squid with TPROXY support. I'm using a Centos 6.4<br>> (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version<br>> 4.1.7<br>><br>> I've followed the instructions in<br>> <a rel="nofollow" target="_blank" href="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4 </a>but unfortunately<br>> connecting to any website from a client with Chrome browser fails with<br>> this error:<br>> Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection<br>> without sending any
data.<br>><br>> When trying to telnet squid on port 80, I get a connection but the<br>> connection is closed once I hit any key! I think packets are being<br>> redirected to squid successfully because if I stop squid, there would be<br>> no connections at all. Do you have any idea of what might be the reason?<br>><br>> Another question, I have checked that my current kernel was already<br>> built with those options:<br>> NF_CONNTRACK=m<br>> NETFILTER_TPROXY=m<br>> NETFILTER_XT_MATCH_SOCKET=m<br>> NETFILTER_XT_TARGET_TPROXY=m<br>><br>> Do I still have to recompile it with patches from<br>> <a rel="nofollow" target="_blank" href="http://www.rediffmail.com/cgi-bin/red.cgi?account_type=1&red=http%3A%2F%2Fwww.balabit.com%2Fdownloads%2Ffiles%2Ftproxy%2F%3F&isImage=0&BlockImage=0&rediffng=0">http://www.balabit.com/downloads/files/tproxy/?</a><br>> There are no patches available for this current
version. What about<br>> iptables? Do I need to patch it?<br>><br>> My last question is: TPROXY target in the mangle table is not supposed<br>> to change anything in the packet header, how the packets with
TPROXY<br>> target would be redirected to --on-port if the IP header is untouched?!<br>><br>> Thanks a lot for your help!<br>><br>> Best regards,<br>> Firas<br>><br>><br>> _______________________________________________<br>> tproxy mailing list<br>> tproxy@lists.balabit.hu');" >tproxy@lists.balabit.hu<br>> <a rel="nofollow" target="_blank" href="https://lists.balabit.hu/mailman/listinfo/tproxy">https://lists.balabit.hu/mailman/listinfo/tproxy</a><br>><br><br>_______________________________________________<br>tproxy mailing list<br>tproxy@lists.balabit.hu');" >tproxy@lists.balabit.hu<br><a rel="nofollow" target="_blank" href="https://lists.balabit.hu/mailman/listinfo/tproxy">https://lists.balabit.hu/mailman/listinfo/tproxy</a><br><br><br></div> </div> </div> </div>
_______________________________________________<br>
tproxy mailing list<br>
tproxy@lists.balabit.hu<br>
https://lists.balabit.hu/mailman/listinfo/tproxy<br>
<br><a rel="nofollow" target="_blank" href="http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signatureline.htm@Middle?"><img src="http://sigads.rediff.com/RealMedia/ads/adstream_nx.ads/www.rediffmail.com/signatureline.htm@Middle"></a><br><div style="font-family: Arial, Helvetica, sans-serif; font-size: 14px;">Get your own <span style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; background-color: rgb(204, 0, 0); color: rgb(255, 255, 255); padding: 0px 3px;"><b>FREE</b></span> website and domain with business email solutions, <a rel="nofollow" target="_blank" href="http://track.rediff.com/click?url=___http://hosting.rediff.com/rediffmailpro/business-email?sc_cid=sig___&cmp=sig&lnk=sig&nsrv1=host">click here</a></div></div><br><br></div> </div> </div> </div></body></html>