Thanks a lot Chinmay and Eliezer,

I think the comments on the iptables rules in http://wiki.squid-cache.org/Features/Tproxy4 are a bit confusing!

Best regards,

Firas

From: Chinmay Mahata <chinmay_mahata@rediffmail.com>
To: Firas Rasmy <firasrasmy@yahoo.com>
Cc: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Sent: Friday, July 5, 2013 2:13 PM
Subject: Re: [tproxy] Squid with TProxy Support

Hi Firas,
Your understanding is absolutely correct.

Regards,
--Chinmay

From: Firas Rasmy <firasrasmy@yahoo.com>
Sent: Wed, 03 Jul 2013 04:34:02
To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Subject: Re: [tproxy] Squid with TProxy Support

Thanks a lot for your reply Eliezer!

I have another question here regarding the following iptables rules, which are needed to get TPROXY to work:

iptables -t mangle -N DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1

iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

What is "-m socket" used for? Man page of iptables says that "-m socket" matches if an open socket can be found by doing a socket lookup on the packet. I think the following rule is intended for reply packets coming from web servers to squid (with the spoofed IP address), am I right? If not, please correct me:

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

Best regards,

Firas

From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: tproxy@lists.balabit.hu
Sent: Monday, July 1, 2013 11:00 PM
Subject: Re: [tproxy] Squid with TProxy Support

Centos comes with TPROXY so you don't need to recompile or do anything
more then to bundled kernel from CentOS.
Take a small peek at this tutorial:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
The tutorial have all the working examples that are needed for tproxy
with squid.

If you will need more help you can try squid-users.

Eliezer

On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> Hello there!
>
> I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> 4.1.7
>
> I've followed the instructions in
> http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> connecting to any website from a client with Chrome browser fails with
> this error:
> Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> without sending any data.
>
> When trying to telnet squid on port 80, I get a connection but the
> connection is closed once I hit any key! I think packets are being
> redirected to squid successfully because if I stop squid, there would be
> no connections at all. Do you have any idea of what might be the reason?
>
> Another question, I have checked that my current kernel was already
> built with those options:
> NF_CONNTRACK=m
> NETFILTER_TPROXY=m
> NETFILTER_XT_MATCH_SOCKET=m
> NETFILTER_XT_TARGET_TPROXY=m
>
> Do I still have to recompile it with patches from
> http://www.balabit.com/downloads/files/tproxy/?
> There are no patches available for this current version. What about
> iptables? Do I need to patch it?
>
> My last question is: TPROXY target in the mangle table is not supposed
> to change anything in the packet header, how the packets with TPROXY
> target would be redirected to --on-port if the IP header is untouched?!
>
> Thanks a lot for your help!
>
> Best regards,
> Firas
>
>
> _______________________________________________
> tproxy mailing list
> tproxy@lists.balabit.hu');" >tproxy@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
>

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu');" >tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy

Get your own FREE website and domain with business email solutions, click here