Squid 3.1 + Tproxy 4.1 in Bridge Mode
Hello!

First of all, thanks for your effort and great work in providing the Open Source community with this software. I've been using TPROXY with Squid 3.1 and a 2.6 kernel for some time in Layer-3/routed firewalls without problems at all. Today, I'm trying to use it in a bridged firewall, with kernel 2.6.30 (patched with L7-filter only), iptables-1.4.3.2 and squid-3.1.0.8-20090610. The Linux distribution is Slackware 12.2 with gcc 4.3.3 and libcap 2.14.

In the kernel, I have configured:

CONFIG_SECURITY_FILE_CAPABILITIES
CONFIG_NETFILTER_TPROXY
CONFIG_NETFILTER_XT_TARGET_TPROXY
CONFIG_NETFILTER_XT_MATCH_SOCKET
NF_CONNTRACK

My bridge interface (br0) is eth0 (Internet) + eth1 (Intranet), and the br0 virtual interface has a routed IP. The bridge is located between the users' switch and the Internet router.

Squid was compiled with these options:

Squid Cache: Version 3.1.0.8-20090610
configure options: '--enable-linux-netfilter' '--enable-http-violations' '--enable-async-io=8' '--enable-useragent-log' '--enable-cache-digests' '--enable-follow-x-forwarded-for' '--enable-storeio=aufs' '--enable-removal-policies=heap,lru' '--with-maxfd=16384' '--enable-poll' '--with-filedescriptors=16384' '--disable-ident-lookups' '--enable-zph-qos' '--enable-truncate' '--with-pthreads' '--with-large-files' '--enable-ssl' '--with-openssl=/usr/include/openssl/' '--disable-htcp' '--enable-inline' '--enable-delay-pools' '--enable-underscores' '--enable-icap-client' '--with-default-user=squid' '--enable-ltdl-convenience' 'CFLAGS=-march=core2 -O3 -pipe -fomit-frame-pointer -DNUMTHREADS=60 -funroll-loops -mfpmath=sse -ffast-math -fno-exceptions' 'CXXFLAGS=' --with-squid=/home/sources/SQUID/squid-3.1.0.8-20090610

And in squid.conf, I have the important part:

http_port 3128
http_port 3129 tproxy

I'm using the same rules as I use on the other server:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward

The users can surf the Internet, but they are not redirected to the proxy. The same configuration works on 3 other servers, but routed. I did a lot of research on Google and TPROXY-related lists, and saw that other friends are having the same problem, but I could not find any post with a solution. I tried a lot of combinations with ebtables, the physdev iptables module and so on, but if you could point me in the right direction, I would appreciate it very much!

Do I have to go back to tproxy2 when using bridge mode?

Thank you very much for your time and attention! If I forgot any important information, please let me know!

Thanks!!
Hi,

renato@univem.edu.br wrote:
IIRC the following commands solve this problem:

ebtables -t broute -A BROUTING -i eth0 -p ipv4 \
    --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

--
Attila
Hello, Attila!

Thanks for your fast reply! My users are now all being redirected to the proxy and surfing. I just needed to change the interface of the ebtables rule from eth0 to eth1, as my "LAN" is connected to the eth1 interface and the Internet to eth0.

The only strange thing is that Squid is not caching anything; everything is being "RELEASED" in cache.log, but I'm sure it's a Squid configuration issue, not TPROXY...

I'll try to pass this information forward to the people I read in several forums asking about TPROXY and bridging mode.

You made my day! Thanks again!!
Ok, friends, just to leave it in the list's archives for other people with the same problem: to run TPROXY v4 with the latest kernel and the latest Squid 3.1, considering a br0 bridge with eth0 for the Internet and eth1 for the users/LAN/Intranet, you need to follow the instructions in the documentation and, for the rules, use:

-----------
ebtables -t broute -I BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
echo 1 > /proc/sys/net/ipv4/ip_forward
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i
ip ro flu ca
------------------------------

Works like a charm!!

Thank you very much Attila and TPROXY guys, you're just great!
_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
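The rule set in the summary above has several parts that fail silently when one is missing or out of order: the bridge-nf sysctls, the fwmark policy rule, the "local" catch-all route in table 100, the two ebtables broute rules, and the position of the `-m socket -j DIVERT` rule relative to the TPROXY rule in mangle PREROUTING. The POSIX shell script below is an added example; it was not posted in this thread and is not code from Squid or the TPROXY project. Each check takes captured command output or a /proc path as its argument, so it can be exercised without root against constructed text, and with `--live` it runs the same checks against the running system. Interface names, mark, table and port default to the thread's values (eth1, eth0, 1, 100, 3129); the function names and the `--live` flag are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or the TPROXY project): preflight
# checks for Squid TPROXY on a Linux bridge, as set up in the thread's summary.
# Each check_* function takes command output or a /proc path as its argument,
# so it can be run against captured text without root; run_live feeds it the
# real system state.  Defaults follow the thread; override via environment.
LAN_IF=${LAN_IF:-eth1}            # bridge port facing the users
WAN_IF=${WAN_IF:-eth0}            # bridge port facing the Internet
MARK=${MARK:-1}                   # fwmark set by the DIVERT chain
TABLE=${TABLE:-100}               # routing table with the "local" catch-all
TPROXY_PORT=${TPROXY_PORT:-3129}  # Squid's "http_port ... tproxy" port
MARK_HEX=$(printf '0x%x' "$MARK") # iproute2 prints marks in hex

# 1. Policy routing: "fwmark <mark> lookup <table>" must exist.
#    $1 = output of `ip rule show`
check_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark ($MARK|$MARK_HEX)[[:space:]/].*lookup $TABLE"
}

# 2. Marked packets must be delivered locally whatever their destination:
#    the table needs "local default dev lo" (iproute2 may print 0.0.0.0/0).
#    $1 = output of `ip route show table <table>`
check_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# 3. Bridge netfilter must not push bridged frames through iptables: every
#    sysctl under /proc/sys/net/bridge reads 0 (the thread's "echo 0 > $i" loop).
#    $1 = directory holding the bridge-nf sysctl files
check_bridge_nf_off() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        read -r v < "$f" || return 1
        [ "$v" = "0" ] || return 1
    done
    [ "$n" -gt 0 ]
}

# 4. Forwarding must be on.  $1 = path of the ip_forward sysctl
check_ip_forward() {
    read -r v < "$1" && [ "$v" = "1" ]
}

# 5. In mangle PREROUTING the "-m socket -j DIVERT" rule must come before the
#    TPROXY rule: packets of connections Squid already owns are only marked,
#    and only new connections arriving on the LAN port are handed to TPROXY.
#    $1 = output of `iptables -t mangle -S PREROUTING`
check_mangle_order() {
    divert=$(printf '%s\n' "$1" | grep -n -- '-m socket .*-j DIVERT' | head -n 1 | cut -d: -f1)
    tproxy=$(printf '%s\n' "$1" | grep -n -- "-i $LAN_IF .*-j TPROXY .*--on-port $TPROXY_PORT" | head -n 1 | cut -d: -f1)
    [ -n "$divert" ] && [ -n "$tproxy" ] && [ "$divert" -lt "$tproxy" ]
}

# 6. ebtables broute: port-80 requests entering on the LAN port and port-80
#    replies entering on the WAN port must be brouted ("redirect-target DROP"
#    in the broute table means route it, don't bridge it); otherwise they never
#    reach mangle PREROUTING as IP packets.  $1 = output of `ebtables -t broute -L`
check_broute_rules() {
    printf '%s\n' "$1" | grep -E -- "-i $LAN_IF( |$)" | grep -- '--ip-dport 80' \
        | grep -q -- '--redirect-target DROP' || return 1
    printf '%s\n' "$1" | grep -E -- "-i $WAN_IF( |$)" | grep -- '--ip-sport 80' \
        | grep -q -- '--redirect-target DROP'
}

# Run one check, print its verdict, and count failures in $fails.
report() {
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# Check the running system (root is needed for iptables/ebtables); returns the
# number of failed checks.
run_live() {
    fails=0
    report check_fwmark_rule   "$(ip rule show 2>/dev/null)"
    report check_local_route   "$(ip route show table "$TABLE" 2>/dev/null)"
    report check_bridge_nf_off /proc/sys/net/bridge
    report check_ip_forward    /proc/sys/net/ipv4/ip_forward
    report check_mangle_order  "$(iptables -t mangle -S PREROUTING 2>/dev/null)"
    report check_broute_rules  "$(ebtables -t broute -L 2>/dev/null)"
    return "$fails"
}

case "${1:-}" in --live) run_live ;; esac
```

Run it as root on the bridge with `--live`; each `FAIL` line names the prerequisite to fix. Check 5 deliberately insists on `-i eth1` in the TPROXY rule, matching the summary's final rule set rather than the unrestricted rule in the original post, and check 3 treats an empty sysctl directory as a failure so a box without bridge netfilter compiled in is reported rather than silently passed.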
Hi,

On Thu, Jun 11, 2009 at 03:49:39 -0300, renato@univem.edu.br wrote:
Thanks for the nice summary. We'll try and include the bridging-related parts in the kernel documentation.

--
KOVACS Krisztian
participants (3)
- KOVACS Krisztian
- Laszlo Attila Toth
- renato@univem.edu.br