Hi,

nantenaina Tianarivo wrote:
> I have already tried to load the tproxy table with the tproxy_any
> parameter as you describe because I have seen this in the archive but it
> didn't solve the problem
>

Strange. It works for me with netcat:

On 192.168.10.1 as in 4.0.3's README:

echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind
modprobe iptable_tproxy tproxy_any=1
nc -s 192.168.4.7 -p 55 192.168.10.2 678

On 192.168.10.2:

ip route add 192.168.4.0/24 via 192.168.10.1
nc -lp 678

The TCP connection is established and data arrive to the other side as expected.

>
> On Wed, 2008-02-20 at 11:45 +0100, Laszlo Attila Toth wrote:
>> Hello,
>>
>> nantenaina Tianarivo wrote:
>> > Hello everybody,
>> >
>> > I am trying to make tproxy work with our squid but I have a problem with
>> > the iptables rules to redirect traffic to squid now.
>> > I have compiled a linux kernel 2.6.22.18 patched with
>> > tproxy-4.0.3-2.6.22 and iptables 1.3.8. For squid, I am using Version
>> > 2.6.STABLE5.
>> > I think my kernel is well compiled because I see all the tproxy modules
>> > loaded:
>> >
>> > proxy:/usr/src/linux# lsmod | grep -i proxy
>> > xt_tproxy 1984 0
>> > xt_TPROXY 1984 1
>> > iptable_tproxy 6468 2 xt_TPROXY
>> > ip_tables 12420 2 iptable_filter,iptable_tproxy
>> > x_tables 14564 5
>> > ipt_LOG,xt_tcpudp,xt_tproxy,xt_TPROXY,ip_tables
>> >
>> >
>> > My iptables rules are like this:
>> >
>> > iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre1 --dport 80 -j LOG
>> > iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre1 --dport 80 -j
>> > TPROXY --on-port 80
>> >
>> > When I check it with tcpdump, I see traffic for the http port on the gre1
>> > interface:
>> >
>> > proxy:/usr/src/linux# tcpdump -n -i gre1
>> > tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to
>> > cooked socket
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>> > 13:10:51.437856 IP 62.56.240.17.3200 > 84.16.80.10.80: . ack 3247536657
>> > win 2264 <nop,nop,timestamp 24199037 1582152>
>> > 13:10:51.492666 IP 62.56.240.17.3199 > 84.16.80.10.80: . ack 3204902926
>> > win 3604 <nop,nop,timestamp 24199051 1582156>
>> > 13:10:51.523999 IP 62.56.240.17.3198 > 84.16.80.10.80: . ack 3189913679
>> > win 16022 <nop,nop,timestamp 24199058 1582173>
>> >
>> > When I check the access.log of my squid, my requests are actually sent
>> > to the squid.
>> >
>> > But it is not the client IP which is sent to the Internet but the squid
>> > box IP.
>> >
>> > When I issue the iptables-save -c command to check if there is traffic that
>> > enters my iptables rules, the counter shows zero traffic.
>> >
>> > proxy:/usr/src/linux# iptables-save -t tproxy -c
>> > # Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008
>> > *tproxy
>> > :PREROUTING ACCEPT [128:11992]
>> > [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG
>> > [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port
>> > 80 --on-ip 0.0.0.0
>> > COMMIT
>> >
>> > Even the LOG doesn't tell me anything about traffic on the gre1 interface.
>> >
>> > What I see in the log is this error that appears from time to time:
>> >
>> > Feb 20 13:08:31 proxy squid[2353]: parseHttpRequest: NF
>> > getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available
>> > Feb 20 13:08:31 proxy squid[2353]: tproxy
>> > ip=62.56.240.17,0x11f0383e,port=0 ERROR ASSIGN
>>
>> It seems you want to use the squid with tproxy patch for tproxyv2 but
>> you use tproxyv4. They are incompatible. The iptables commands are the
>> same but the tproxy4 kernel code is different.
>>
>> When the squid uses tproxy-specific commands, there should be only one
>> call: set the socket option IP_FREEBIND, _or_ load the tproxy table
>> with the tproxy_any parameter:
>>
>> modprobe iptable_tproxy tproxy_any=1
>>
--
nantenaina Tianarivo <rivo@gulfsat.mg>
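The telling detail in the quoted iptables-save -c output is that the PREROUTING policy counter is non-zero while every rule counter is [0:0], so packets traversed the chain but none matched -i gre1 / --dport 80. Here is a small parser that automates that check over iptables-save -c output; it is an added example, not code from the thread, and the sample is re-typed from the mail with the wrapped TPROXY rule joined onto one line.

```python
import re

# Constructed sample: the iptables-save -c output quoted in the thread,
# with the line-wrapped TPROXY rule rejoined.
SAMPLE = """\
# Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008
*tproxy
:PREROUTING ACCEPT [128:11992]
[0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG
[0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80 --on-ip 0.0.0.0
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]" declares a chain; "[pkts:bytes] -A CHAIN ..." is a rule.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")


def parse_counters(text):
    """Return {table: {chain: {"policy": (pkts, bytes), "rules": [(pkts, bytes, spec)]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):            # table header, e.g. "*tproxy"
            table = line[1:]
            tables[table] = {}
        elif m := CHAIN_RE.match(line):     # chain declaration with policy counters
            tables[table][m[1]] = {"policy": (int(m[3]), int(m[4])), "rules": []}
        elif m := RULE_RE.match(line):      # rule with its own hit counters
            tables[table][m[3]]["rules"].append((int(m[1]), int(m[2]), m[4]))
    return tables


def unmatched_chains(tables):
    """Chains whose policy counter saw packets while every rule counter is zero.

    The policy counter counts packets that fell through to the default policy,
    so this pattern means traffic reached the chain but no rule's match
    criteria (interface, protocol, port) fired: the rules, not the
    TPROXY target, are the first thing to re-check.
    """
    hits = []
    for table, chains in tables.items():
        for chain, info in chains.items():
            policy_pkts = info["policy"][0]
            if policy_pkts and info["rules"] and all(r[0] == 0 for r in info["rules"]):
                hits.append((table, chain, policy_pkts))
    return hits


if __name__ == "__main__":
    for table, chain, pkts in unmatched_chains(parse_counters(SAMPLE)):
        print(f"{table}/{chain}: {pkts} packets fell through, no rule matched")
```

On a live box the same check runs over the output of `iptables-save -c` (all tables) instead of the embedded sample.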