Hi, I have installed the Tproxy patch on a Fedora Core 2.6.15.2 kernel. In lsmod I can see the following:

ipt_TPROXY 2432 0
ipt_tproxy 2048 0
ipt_REDIRECT 2560 1
ip_conntrack_netbios_ns 3328 0
iptable_nat 7812 1
ip_nat 23340 2 ipt_REDIRECT,iptable_nat
iptable_mangle 3200 0
ipt_REJECT 5760 1
ipt_state 2432 4
ip_conntrack 51416 4 ip_conntrack_netbios_ns,iptable_nat,ip_nat,ipt_state
nfnetlink 6808 2 ip_nat,ip_conntrack
iptable_filter 3328 1
ip_tables 19840 8 ipt_TPROXY,ipt_tproxy,ipt_REDIRECT,iptable_nat,iptable_mangle,ipt_REJECT,ipt_state,iptable_filter

But when I try to put in the redirection it gives the following error:

[root@cache netfilter]# iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
iptables v1.3.5: Unknown arg `--on-port'

Please suggest.

Regards
Sunny
> But when I try to put in the redirection it gives the following error
> [root@cache netfilter]# iptables -t tproxy -A PREROUTING -i eth0 -p tcp

I am not sure this will work when eth0 has no IP address. In fact, you probably want -i br0 -m physdev --physdev-in eth0.8 or --physdev-in eth0.

> -m tcp

You do not need -m tcp.

> --dport 80 -j TPROXY --on-port 80
> iptables v1.3.5: Unknown arg `--on-port'

Works for me. You probably do not have TPROXY support in iptables.

Jan Engelhardt --
> Had configured and patched the kernel as per the instructions given in the INSTALL file.
> The system is not working in bridge mode, so cannot use br0.

Sorry, I mixed that up.

> Going by the instructions from other users this was the only iptables command to be used.

Yes, but your "iptables" binary does not know TPROXY. Your kernel may have it, but your iptables does not. Check the existence of /usr/lib/iptables/libipt_TPROXY.so and /usr/lib/iptables/libipt_tproxy.so

Jan Engelhardt --
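An added diagnostic for the split Jan describes (the kernel has the TPROXY modules loaded, but the iptables binary lacks the userspace extension); this is not code from the thread. It assumes the module names from the lsmod listing above and the library paths Jan names; the lsmod sample is constructed from that listing, and the library directory is a parameter so the check can be pointed at any directory.

```shell
#!/bin/sh
# Sample lsmod output, constructed from the listing posted in the thread.
SAMPLE_LSMOD='ipt_TPROXY 2432 0
ipt_tproxy 2048 0
ipt_REDIRECT 2560 1
iptable_nat 7812 1'

# has_module MODULE LSMOD_TEXT -> exit 0 if MODULE is listed as loaded.
# Matches on the first column only, so "ipt_tproxy" does not match "ipt_TPROXY".
has_module() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# tproxy_status LSMOD_TEXT LIBDIR
# Prints one of: ok, missing-kernel, missing-userspace, missing-both.
# Kernel side: ipt_TPROXY (target) and ipt_tproxy (match) modules loaded.
# Userspace side: libipt_TPROXY.so and libipt_tproxy.so present in LIBDIR,
# which is what lets iptables parse --on-port at all.
tproxy_status() {
    lsmod_text=$1
    libdir=$2
    kernel_ok=1
    user_ok=1
    has_module ipt_TPROXY "$lsmod_text" && has_module ipt_tproxy "$lsmod_text" || kernel_ok=0
    [ -f "$libdir/libipt_TPROXY.so" ] && [ -f "$libdir/libipt_tproxy.so" ] || user_ok=0
    case "$kernel_ok$user_ok" in
        11) echo ok ;;
        10) echo missing-userspace ;;
        01) echo missing-kernel ;;
        *)  echo missing-both ;;
    esac
}

# Stand-alone run against the live system. /usr/lib/iptables is the directory
# Jan names; adjust it if your distribution installs the extensions elsewhere.
if command -v lsmod >/dev/null 2>&1; then
    tproxy_status "$(lsmod)" /usr/lib/iptables
fi
```

In Sunny's situation the function reports missing-userspace: the modules are loaded, so the fix is the iptables extension package, not the kernel.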
Thanks Jan. I was able to apply the iptables command after that.
> Am trying to use tproxy with squid. But it seems that whenever I try to run both tproxy and squid together, the traffic from my router is not being forwarded to the cache server. But after rebooting the system and not applying tproxy everything works well.

When using squid, you must set the "tcp_outgoing_address" to some IP address. I can't really tell which ones work and which ones don't; fact is:
- with the bridge address, it works
- with the address en route upstream, it should work
- with 127.0.0.1, it should not work (I guess)
- any other I have not tried

En route upstream means:
eth0 134.76.13.21/24
eth1 192.168.222.1/24
default gw 134.76.13.254
Then the en-route upstream address is the one on eth0. It might work with 192.168.222.1 too, you gotta try.

Jan Engelhardt --
> Jan,
> Am running the cache server with only one eth interface having a public IP address, i.e. eth0.

You need at least two interfaces to get any form of SNAT working reasonably. (but see below)

> There is no bridge interface.
> So, if my interface IP address is 192.168.1.1, should the tcp_outgoing_address be 192.168.1.1?

Yes.

> Since all the configuration looks ok now and iptables is accepting the command
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80

This is just DNAT, it will work as intended.

> could the outgoing address be the only issue?

'tproxy on' in squid.conf, of course :)

> Will check and confirm if it works with that.

Jan Engelhardt --
> 1. tcp_outgoing_address <ip address of the cache server>
> 2. http_port 3128 tproxy

tproxy is a separate option. Provided that you actually patched squid to include tproxy support.

> 3. iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80

--on-port 3128

> Tried changing the proxy port to 80 and 3128 but no luck.

Jan Engelhardt --
Participants (2): Jan Engelhardt, Sunil K.P.