Hello,

I wrote below my progress in implementing tproxy to work with squid-2.6. I have only one problem.

---
On routers A, B, ... (from my topology diagram) (eth1 is the lan interface):

$BIN_IPT -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 2
$BIN_IPT -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
ip route add table 100 default via [squid_ip]
ip rule add fwmark 2 lookup 100

---
On router 0 (eth1 is the lan interface, eth0 the wan interface):

iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark

---
On squid:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

On the squid machine I also have routing entries for all routable subclasses from routers a, b, c, ...

squid.conf:
http_port 3128 transparent tproxy

# uname -a
Linux w3cache 2.6.25-rc7 (patched by tproxy-20080227-171356-1204128836.tar.bz2)

I attached also the output from dmesg | grep TPROXY.
Squid patched by tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch

Traffic flows through squid correctly but, like you said, web servers outside the network log connections with the ip of the squid machine, not the clients'. Is there any chance to fix it?

Regards,
Tomasz

On Mon, March 31, 2008, 16:51, Laszlo Attila Toth wrote:
Ming-Ching Tiew wrote:
admin@abp.pl wrote:
I'm using Squid Cache: Version 2.6.STABLE18
Is there a possibility to use it as a fully transparent proxy (with tproxy) but without bridging interfaces?
My topology:
[router 0]---[Internet]
     |
     |
[===switch=======================]
   |          |            |
[squid]  [ router a ] [ router b ] .....

Clients are connected to routers a, b, ... On those routers I have DNAT --to-destination squid:80
On the squid machine I have a 2.6.25-rc7 kernel and Squid with patches from http://people.balabit.hu/panther/tproxy/.
The official site is http://www.balabit.com/downloads/files/tproxy/, any other address is used for development.
The latest squid patch, for version 3 is the following:
http://www.balabit.com/downloads/files/tproxy/tproxy-squid-3-20080401.patch
It is not yet finished (the outgoing packets have the squid's IP address and not the client's).
And:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

squid.conf:
..
http_port 3128 transparent tproxy
In squid.conf use the following:
http_port 3128 tproxy
No more change is necessary (except ACL).
When I test this configuration, web servers log connections from clients behind routers a, b, ... with the ip of the squid machine. So tproxy doesn't work.
Can I fix it?
The patch doesn't resolve this problem yet, sorry.
PS. It's urgent for me, please help;)

Regards,
Tomasz

Well, among all things you have at least gotten to patch the 2.6.25-rc7 kernel. Good! That's a big step better than just ***STARE*** at the patch and refuse to use it and then start asking all sorts of questions about where the correct patch is!
:-)
... and for which kernel version. Earlier than 2.6.22 will not be supported. But I'm not sure which kernels are used because I have to backport tproxy for them.
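The squid-side setup discussed in this thread has four pieces that must all line up (the fwmark rule, the local route in table 100, the socket-match DIVERT rule, and a TPROXY --on-port that equals squid's http_port). The audit script below is an added example, not code from the thread or from the tproxy project; each check takes captured command output as text so it can be tested offline, and collect_and_audit is an assumed wrapper that feeds it live output from a root shell on the squid box (it assumes squid.conf lives at /etc/squid/squid.conf and uses a plain numeric http_port).

```shell
#!/bin/sh
# Added example: offline checks for the tproxy pieces on the squid box.
# Every check takes command output as a string and returns 0 when the
# required entry is present, so the functions also work on saved output.

# `ip rule show` must send fwmark 1 to table 100.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq 'fwmark 0x1([[:space:]]|/).*lookup 100'
}

# `ip route show table 100` must deliver everything to the local stack.
has_local_default() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# `iptables -t mangle -S` must carry the socket match that marks replies
# belonging to intercepted sockets so they hit the fwmark rule above.
has_socket_divert() {
    printf '%s\n' "$1" | grep -Eq -- '-m socket .*-j DIVERT'
}

# Port the TPROXY target redirects to (from `iptables -t mangle -S`).
tproxy_on_port() {
    printf '%s\n' "$1" | sed -n 's/.*-j TPROXY.*--on-port \([0-9]*\).*/\1/p' | head -n 1
}

# Port squid listens on with the tproxy option (from squid.conf).
squid_tproxy_port() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*http_port[[:space:]]*\([0-9]*\).*tproxy.*/\1/p' | head -n 1
}

# Returns 0 when every check passes; prints the first failing check otherwise.
audit_tproxy() {
    rules="$1"; routes="$2"; ipt="$3"; conf="$4"
    has_fwmark_rule "$rules"    || { echo "missing: ip rule fwmark 1 lookup 100"; return 1; }
    has_local_default "$routes" || { echo "missing: local default route in table 100"; return 1; }
    has_socket_divert "$ipt"    || { echo "missing: -m socket -j DIVERT rule"; return 1; }
    [ "$(tproxy_on_port "$ipt")" = "$(squid_tproxy_port "$conf")" ] \
        || { echo "mismatch: TPROXY --on-port vs squid http_port"; return 1; }
    return 0
}

# Assumed live wrapper (needs root): gather real output and audit it.
collect_and_audit() {
    audit_tproxy "$(ip rule show)" "$(ip route show table 100)" \
                 "$(iptables -t mangle -S)" "$(cat /etc/squid/squid.conf)"
}
```

A passing audit only proves the interception plumbing is consistent; whether outgoing connections carry the client's address or squid's own is decided by the squid patch, as Laszlo notes above.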