TPROXY on ubuntu not working.
Hello Team,

I am trying to configure and use TPROXY as given in the link: http://wiki.squid-cache.org/Features/Tproxy4

My setup includes an Ubuntu machine with one network card but two IP addresses (one of which is virtual, or an alias):

Real IP: 192.168.150.10 (interface to the Internet)
Virtual IP: 192.168.22.5 (interface to the subnet 192.168.22.0/24)

Both IPs have the same MAC address.

When the client (192.168.22.10) sends a connection request, it is forwarded to the other port, 50001 (checked with the logs). But the proxy is not responding with a SYN-ACK, and as a result the connection is not established.

I don't know about the internals of TPROXY. Does it work by matching on IP address and port, or on MAC address? Is TPROXY not supported in this scenario?

Best Regards,
Yash
Hello Yash,

________________________________
From: yash cp <yashavanth.hsn@gmail.com>
To: tproxy@lists.balabit.hu
Sent: Tuesday, August 27, 2013 12:01 AM
Subject: [tproxy] TPROXY on ubuntu not working.
> Hello Team,
>
> I am trying to configure and use TPROXY as given in the link: http://wiki.squid-cache.org/Features/Tproxy4
>
> My setup includes an Ubuntu machine with one network card but two IP addresses (one of which is virtual, or an alias):
>
> Real IP: 192.168.150.10 (interface to the Internet)

What do you mean by "Real"?

> Virtual IP: 192.168.22.5 (interface to the subnet 192.168.22.0/24)

By "interface to the Internet", I suppose you mean that this private IP address will be NATed at another network device after the TPROXY. How about subnet 192.168.22.0/24? Is it NATed? Why are you using two IP addresses on the TPROXY?

> Both IPs have the same MAC address.
>
> When the client (192.168.22.10) sends a connection request, it is forwarded to the other port, 50001 (checked with the logs).
>
> But the proxy is not responding with a SYN-ACK, and as a result the connection is not established.

The TPROXY will spoof the IP addresses of clients on the 192.168.22.0/24 subnet, and I think (but I'm not sure) that TPROXY would send a SYN-ACK to the original client only after it receives a SYN-ACK from the web server. Since this subnet is private, requests will not reach the web server unless you're doing NAT somewhere after the TPROXY. Please note that even if you're doing NAT, you must make sure that replies return to the TPROXY rather than to the original client.

> I don't know about the internals of TPROXY. Does it work by matching on IP address and port, or on MAC address?

I could not get your question here!

> Is TPROXY not supported in this scenario?

If you take care of the things I pointed out above, then it is, but I don't think you would need two IP addresses on the TPROXY. I recommend using WCCP though.

> Best Regards,
> Yash

Best regards,
Firas

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
Hello Firas,

Thanks for your quick reply.

1.
> What do you mean by "Real"?

Even though it's a private IP address, it uses DHCP for getting the IP address (it's not static or aliased). I am able to access the Internet from the proxy machine.

2.
> By "interface to the Internet", I suppose you mean that this private IP address will be NATed at another network device after the TPROXY. How about subnet 192.168.22.0/24? Is it NATed? Why are you using two IP addresses on the TPROXY?

Yes, it's NATed after the TPROXY. 192.168.22.0/24 is not NATed.

I am using two IP addresses because I want to create a local network behind the 192.168.150.10 machine. I suppose that without two IP addresses I cannot create a subnet. Please correct me if I am wrong.

3.
> The TPROXY will spoof the IP addresses of clients on the 192.168.22.0/24 subnet, and I think (but I'm not sure) that TPROXY would send a SYN-ACK to the original client only after it receives a SYN-ACK from the web server. Since this subnet is private, requests will not reach the web server unless you're doing NAT somewhere after the TPROXY. Please note that even if you're doing NAT, you must make sure that replies return to the TPROXY rather than to the original client.

Well, I checked with my setup. After the SYN packet from the client is received, the TPROXY machine never responds to the original client, and never even tries to send the SYN packet to the web server.

Without using TPROXY, my setup with iptables REDIRECT works fine.

4.
> I don't know about the internals of TPROXY. Does it work by matching on IP address and port, or on MAC address?
>
> I could not get your question here!

What I meant here is: how does TPROXY match the packets? Since I am using the same MAC address for both IPs, will that be a problem?

Best Regards,
Yash
Hi Yash,

________________________________
From: yash cp <yashavanth.hsn@gmail.com>
To: Firas Rasmy <firasrasmy@yahoo.com>
Cc: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Sent: Tuesday, August 27, 2013 9:05 AM
Subject: Re: [tproxy] TPROXY on ubuntu not working.
> Hello Firas,
>
> Thanks for your quick reply.
>
> 1. What do you mean by "Real"?
>
> Even though it's a private IP address, it uses DHCP for getting the IP address (it's not static or aliased). I am able to access the Internet from the proxy machine.

I don't think this is called "real".

> 2. By "interface to the Internet", I suppose you mean that this private IP address will be NATed at another network device after the TPROXY. How about subnet 192.168.22.0/24? Is it NATed? Why are you using two IP addresses on the TPROXY?
>
> Yes, it's NATed after the TPROXY. 192.168.22.0/24 is not NATed.
>
> I am using two IP addresses because I want to create a local network behind the 192.168.150.10 machine. I suppose that without two IP addresses I cannot create a subnet. Please correct me if I am wrong.

Please note that TPROXY spoofs the IP addresses of its clients, so if the IP address of the client is neither public nor NATed, how would requests reach the intended web server? Since your clients have private IP addresses, perhaps you don't need a TPROXY in your case, as one of the goals of TPROXY is maintaining the (I would say "public", though not necessarily) IP address of the client on the connection with the web server. So I think an interception proxy would be sufficient in your case.

You mean you have two subnets behind the TPROXY? If this is the case, then having two IP addresses on the interface is one way of doing that, but it may not be the best way. I would suggest that you start with a simple topology (a single subnet in your case). Once you have everything working properly, you may take it a step further.

> 3. The TPROXY will spoof the IP addresses of clients on the 192.168.22.0/24 subnet, and I think (but I'm not sure) that TPROXY would send a SYN-ACK to the original client only after it receives a SYN-ACK from the web server. Since this subnet is private, requests will not reach the web server unless you're doing NAT somewhere after the TPROXY. Please note that even if you're doing NAT, you must make sure that replies return to the TPROXY rather than to the original client.

I verified that what I said in my previous email, "TPROXY would send a SYN-ACK to the original client only after it receives a SYN-ACK from the web server", is wrong; sorry for this! I tested it on my working TPROXY squid server and found out that squid immediately sends a SYN-ACK to the client once it receives a SYN, even for destination IP addresses that are not listening on TCP port 80!

> Well, I checked with my setup. After the SYN packet from the client is received, the TPROXY machine never responds to the original client, and never even tries to send the SYN packet to the web server.
>
> Without using TPROXY, my setup with iptables REDIRECT works fine.

I would suggest using tcpdump and analyzing the traffic you capture to see what's really going on.

> 4. I don't know about the internals of TPROXY. Does it work by matching on IP address and port, or on MAC address?
>
> I could not get your question here!
>
> What I meant here is: how does TPROXY match the packets? Since I am using the same MAC address for both IPs, will that be a problem?

If I understood you correctly, I don't think that using two IP addresses on one interface would conflict with how TPROXY works!

Regards,
Firas

> Best Regards,
> Yash
Hey,

In case it's related in some way to squid, you can pop by squid-users. I think you might get some more answers about it.

Also, this article can maybe sort out a couple of things (if it has not until now): http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2

Eliezer

On 27/08/13 00:01, yash cp wrote:
On Sun, 2013-11-17 at 16:58 +0200, Eliezer Croitoru wrote:
It is not dependent on MAC addresses, as it's operating on L3/L4 and not below.

squid must enable setsockopt(IP_TRANSPARENT) on its listener socket in order for the TPROXY destination to find it as a potential listener.

Also, make sure that routing directs the response packet back to the same interface. Check that via tcpdump.

--
Bazsi
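The two mechanisms discussed in this thread, the IP_TRANSPARENT listener that Balazs says squid must set up so the TPROXY target can find it, and the spoofing of the client's source address on the upstream leg that Firas describes (which is why the server's reply must be routed back to the proxy rather than to the client), as an added example in C. This is not code from the thread or from Squid. Port 50001 and the 192.168.22.0/24 addresses come from the thread; the function names, the IP_TRANSPARENT value 19 (from linux/in.h), and the example destination address are assumptions. Running the demo in main() needs CAP_NET_ADMIN and the iptables/ip-rule setup from the Squid wiki page linked above; the helper functions themselves run anywhere.

```c
/* Added example, not from the thread or from Squid: a minimal TPROXY-style
 * listener. Port 50001 and 192.168.22.x are from the thread; everything else
 * (function names, the example destination) is an assumption. Build with
 * gcc -o tlisten tlisten.c; the demo needs CAP_NET_ADMIN and the TPROXY
 * iptables/ip-rule setup from the Squid wiki. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h> */
#endif

/* TCP listener on ip:port with IP_TRANSPARENT set. Returns the listening fd,
 * or -1 with errno set (EINVAL for a bad address, EPERM without CAP_NET_ADMIN).
 * Without IP_TRANSPARENT the kernel only matches packets whose destination is
 * a local address, so a SYN for a foreign web server that TPROXY diverted to
 * port 50001 finds no socket and the client never sees a SYN-ACK. */
int make_transparent_listener(const char *ip, uint16_t port)
{
    int one = 1, fd;
    struct sockaddr_in sa;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* IPPROTO_IP is the same level as SOL_IP, which is what Squid uses. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 128) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* 1 if IP_TRANSPARENT is set on fd, 0 if not, -1 on error. */
int has_ip_transparent(int fd)
{
    int val = 0;
    socklen_t len = sizeof val;
    if (getsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &val, &len) < 0)
        return -1;
    return val ? 1 : 0;
}

/* Format a sockaddr_in as "a.b.c.d:port" into buf; NULL if it does not fit. */
char *format_endpoint(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip))
        return NULL;
    if (snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port)) >= (int)len)
        return NULL;
    return buf;
}

/* On an accepted transparent connection, getsockname() returns the address the
 * client actually dialled (the web server), not the proxy's own address, and
 * getpeername() returns the client (e.g. 192.168.22.10). Returns 0 or -1. */
int original_destination(int conn_fd, struct sockaddr_in *client, struct sockaddr_in *dest)
{
    socklen_t cl = sizeof *client, dl = sizeof *dest;
    if (getpeername(conn_fd, (struct sockaddr *)client, &cl) < 0)
        return -1;
    if (getsockname(conn_fd, (struct sockaddr *)dest, &dl) < 0)
        return -1;
    return 0;
}

/* Upstream leg with the client's address as source. IP_TRANSPARENT lets
 * bind() accept a non-local address; the server's reply is then addressed to
 * the client, so the fwmark ip rule and local route from the Squid wiki must
 * bring it back to this host instead of delivering it to 192.168.22.10. */
int connect_spoofed(const struct sockaddr_in *client, const struct sockaddr_in *dest)
{
    int one = 1, fd;
    struct sockaddr_in src = *client;
    src.sin_port = 0;   /* let the kernel pick an ephemeral source port */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)dest, sizeof *dest) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Bind to 0.0.0.0 so the TPROXY --on-port 50001 lookup finds the socket
     * whichever of the two addresses the diverted packet arrived on. */
    int lfd = make_transparent_listener("0.0.0.0", 50001);
    if (lfd < 0) {
        perror("listener (need CAP_NET_ADMIN?)");
        return 1;
    }
    for (;;) {
        struct sockaddr_in client, dest;
        char cbuf[32], dbuf[32];
        int cfd = accept(lfd, NULL, NULL), ufd;
        if (cfd < 0) {
            perror("accept");
            continue;
        }
        if (original_destination(cfd, &client, &dest) == 0)
            printf("client %s wanted %s\n",
                   format_endpoint(&client, cbuf, sizeof cbuf),
                   format_endpoint(&dest, dbuf, sizeof dbuf));
        ufd = connect_spoofed(&client, &dest);
        if (ufd < 0)
            perror("upstream connect");
        else
            close(ufd);   /* a real proxy relays bytes between cfd and ufd */
        close(cfd);
    }
}
```

If the first setsockopt() fails with EPERM the process lacks CAP_NET_ADMIN, which is one reason a proxy can log the diverted connection yet never answer the SYN. The upstream leg is the part that makes return routing matter: packets the server sends back carry the client's address, so without the fwmark rule and local route they leave for 192.168.22.10 directly and the proxy's spoofed socket never completes its handshake.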
Hey,

Squid supports layer 2 + tproxy (WCCP), and I have not got into the depth of this code yet, but WCCP clearly states that it should work in L2, which is the MAC address.

There is the side of the TPROXY interception and the non-local ip:port binding.

There are smart and managed switches that will not like more than one IP with the same exact MAC address (imagine 8096+++ IP addresses with the same exact MAC for the same port on a smart switch with L3 inspection).

Eliezer

On 18/11/13 14:09, Balazs Scheidler wrote:
> It is not dependent on MAC addresses, as it's operating on L3/L4 and not below.
>
> squid must enable setsockopt(IP_TRANSPARENT) on its listener socket in order for the TPROXY destination to find it as a potential listener.
>
> Also, make sure that routing directs the response packet back to the same interface. Check that via tcpdump.
participants (4)
- Balazs Scheidler
- Eliezer Croitoru
- Firas Rasmy
- yash cp