Re: [tproxy] TPROXY but without bridging?
Hi
On Mon, March 31 2008, 16:51, Laszlo Attila Toth wrote:
Ming-Ching Tiew wrote:
admin@abp.pl wrote:
I'm using Squid Cache: Version 2.6.STABLE18
Is there a possibility to use it as a fully transparent proxy (with tproxy) but without bridging interfaces?
My topology:
[router 0]---[Internet]
      |
      |
[===switch=======================]
   |         |            |
[squid]  [ router a ][ router b ] .....

Clients are connected to routers a, b, ... On those routers I have DNAT --to-destination squid:80
On the squid machine I have a 2.6.25-rc7 kernel and Squid with patches from http://people.balabit.hu/panther/tproxy/.
The official site is http://www.balabit.com/downloads/files/tproxy/, any other address is used for development.
The latest squid patch, for version 3 is the following:
http://www.balabit.com/downloads/files/tproxy/tproxy-squid-3-20080401.patch
It is not yet finished (the outgoing packets have the squid's IP address and not the client's).
But this patch "tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch" isn't working correctly? I don't want squid3. I need only one feature: transparent squid with outgoing traffic with client IP addresses.
And:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
squid.conf:
..
http_port 3128 transparent tproxy
In squid.conf use the following:
http_port 3128 tproxy
No more change is necessary (except ACL).
When I test this configuration, web servers log connections from clients from routers a, b... with the IP of the squid machine. So tproxy doesn't work.
Can I fix it?
The patch doesn't resolve this problem yet, sorry.
:/ So there is no way to transparently proxy clients' requests on squid 2.6 and kernels above 2.6.22?
PS. It's urgent for me, please help ;)
Regards,
Tomasz
Well, among all things you have at least gotten to patch the 2.6.25-rc7 kernel. Good! That's a big step better than just ***STARE*** at the patch and refuse to use it and then start asking all sorts of questions about where the correct patch is!
:-)
... and for which kernel version. Earlier than 2.6.22 will not be supported. But I'm not sure which kernels are used because I have to backport tproxy for them.
I need a kernel newer than 2.6.22, Squid 2.6-stable18 and tproxy-X with fully transparent traffic through squid.
Regards,
--
Tomasz
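Added example, not code from anyone in this thread: a POSIX shell check for the two halves of the TPROXY setup discussed above (the fwmark policy route and the mangle DIVERT/TPROXY rules), run here over constructed sample output of `ip rule show`, `ip route show table 100` and `iptables-save -t mangle`. The ordering check (socket-match DIVERT before the TPROXY rule) follows the example in the kernel's Documentation/networking/tproxy.txt.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from any host in the thread)
# of `ip rule show` and `ip route show table 100` on a box configured
# as in the message above.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='local default dev lo scope host'
# Constructed `iptables-save -t mangle` output, DIVERT listed first.
SAMPLE_MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

# Returns 0 when the policy-routing half is present: a fwmark 0x1 rule
# pointing at table 100, and a local default route on lo in that table.
check_tproxy_routing() {
    rules="$1"; routes="$2"
    printf '%s\n' "$rules" | grep -Eq 'fwmark 0x1(/0x[0-9a-f]+)? lookup 100' || return 1
    printf '%s\n' "$routes" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' || return 1
    return 0
}

# Returns 0 when the mangle table has the socket-match divert rule
# before the TPROXY rule, and the DIVERT chain both marks and accepts.
# Without the divert, replies on already-accepted sockets are not
# steered back to the local table and the transparent session breaks.
check_tproxy_mangle() {
    mangle="$1"
    divert_line=$(printf '%s\n' "$mangle" | grep -n -- '-m socket -j DIVERT' | cut -d: -f1 | head -n1)
    tproxy_line=$(printf '%s\n' "$mangle" | grep -n -- '-j TPROXY' | cut -d: -f1 | head -n1)
    [ -n "$divert_line" ] && [ -n "$tproxy_line" ] || return 1
    [ "$divert_line" -lt "$tproxy_line" ] || return 1
    printf '%s\n' "$mangle" | grep -q -- '-A DIVERT -j MARK' || return 1
    printf '%s\n' "$mangle" | grep -q -- '-A DIVERT -j ACCEPT' || return 1
    return 0
}

# Live use on the squid host (needs root); uncomment to run:
# check_tproxy_routing "$(ip rule show)" "$(ip route show table 100)" && echo routing-ok
# check_tproxy_mangle "$(iptables-save -t mangle)" && echo mangle-ok
```

If both checks pass but upstream servers still log the proxy's address, the remaining piece is the Squid side (the http_port tproxy option and a build that actually binds the client address), which this script does not inspect.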