From p_mdriyaz@fastmail.fm Fri Apr 1 09:48:03 2005
From: p_mdriyaz@fastmail.fm (Mohammed Riyaz)
Date: Fri, 01 Apr 2005 14:18:03 +0530
Subject: [tproxy] Reg installing tproxy
Message-ID: <1112345283.1577.230874571@webmail.messagingengine.com>

Hi,

I was looking through the tproxy README file and came across:

    To apply all patches except the 04-nat_delete:

        cd /usr/src/linux
        for i in /patch_tree/0{0,1,2,3}*.diff; do cat $i | patch -p1; done

    then enable conntrack, nat and tproxy support in your kernel config.

I looked through the .config file but could not find any of these three (conntrack, nat and tproxy). Could you please tell me what the above statement means? I am trying to set up squid transparent to both the server and client.

Thank you,
Mohammed Riyaz P.

From Karthika_Rallabandi@satyam.com Mon Apr 4 08:11:24 2005
From: Karthika_Rallabandi@satyam.com (Karthika_Rallabandi)
Date: Mon, 4 Apr 2005 12:41:24 +0530
Subject: [tproxy] Unable to insmod
Message-ID: <3D9FDCA910DD4445896A0BE5ECF009D4032FFA54@bla.satyam.com>

Hi,

I just started using tproxy. I am still in the understanding phase of this module. I have a small doubt. Following all the steps in the README file, I am at the stage of inserting the iptables_tproxy.o module. It exits with the following error:

    iptables_tproxy.o: couldn't find the kernel version it is compiled for.

I am running Linux 2.4.24 and had taken the same setup file. I know that the first thing that comes into anyone's mind about this error is the version of Linux I am running. But I have checked it using 'uname -r' and it says "2.4.24".

What could be the problem? Could you please look into this as soon as possible.

Regards,
Karthika.
**************************************************************************
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.
**************************************************************************
From Karthika_Rallabandi@satyam.com Tue Apr 5 14:20:03 2005
From: Karthika_Rallabandi@satyam.com (Karthika_Rallabandi)
Date: Tue, 5 Apr 2005 18:50:03 +0530
Subject: [tproxy] Tproxy Problem
Message-ID: <3D9FDCA910DD4445896A0BE5ECF009D40339EA19@bla.satyam.com>

Hi,

I am working on transparent proxy from code downloaded from http://www.balabit.com/products/oss/tproxy . I applied all the patches as given in the README. But when I run

    iptables -t tproxy -A PREROUTING -j TPROXY --on-port 9999

it gives the following error:

    iptables v1.2.7a: Unknown arg `--on-port'

The following are the options I selected in make menuconfig:

    [*] Network packet filtering (replaces ipchains)
    <*> Unix domain sockets
    [*] TCP/IP networking
    [*]   IP: multicasting
    IP: Netfilter Configuration  --->
          <*> Connection tracking (required for masq/NAT)
          <*> IP tables support (required for filtering/masq/NAT)
          < >   Packet filtering
          <*>   Full NAT
          < >     MASQUERADE target support
          <*>     REDIRECT target support
          [ ]     NAT of local connections (READ HELP)
          <M>   Transparent proxying
          <M>     TPROXY target support
          <M>     tproxy match support
          <M> ARP tables support

If anybody is working on this, please help me. Thanks in advance.

Regards,
Karthika.
From hidden@balabit.hu Tue Apr 5 14:25:18 2005
From: hidden@balabit.hu (KOVACS Krisztian)
Date: Tue, 05 Apr 2005 15:25:18 +0200
Subject: [tproxy] Tproxy Problem
In-Reply-To: <3D9FDCA910DD4445896A0BE5ECF009D40339EA19@bla.satyam.com>
References: <3D9FDCA910DD4445896A0BE5ECF009D40339EA19@bla.satyam.com>
Message-ID: <1112707518.9637.1.camel@nienna.balabit>

Hi,

On Tue, 2005-04-05 at 18:50, Karthika_Rallabandi wrote:
> I applied all the patches as given in README. But when I run iptables
> -t tproxy -A PREROUTING -j TPROXY --on-port
>
> 9999
>
> it is giving following error.
>
> "iptables v1.2.7a: Unknown arg `--on-port'".

Did you apply the patch for iptables (the user-space part) as well? Could you check if you have the libipt_TPROXY.so loadable module in the iptables module directory (/lib/iptables by default)?

--
  Regards,
    Krisztian Kovacs

From packetbl@allofmy.info Tue Apr 5 14:18:25 2005
From: packetbl@allofmy.info (Wayne Smith)
Date: Tue, 5 Apr 2005 09:18:25 -0400
Subject: [tproxy] squid, cttproxy, and a redirector script
Message-ID: <200504050918.AA866582670@allofmy.info>

I'm not sure what the best list for this issue is, so I'm starting here. If I got it wrong, please point me in the right direction after you're done flaming ;)

Background:
----------------
Fedora FC2 box, kernel 2.6.10 with AC and tproxy patches applied
Squid 2.5 Stable 5, transparent proxy patch applied.
ebtables and iptables

All the above is working just fine and transparent redirection is happening without issue. The origin webserver sees the IP address of the client and life is pretty happy.

Upon noticing that Microsoft is making it, shall we say, hard to cache Windows updates, I stumbled across http://www.glob.com.au/windowsupdate_cache/

It's a set of three perl scripts. It basically will wget a Windows patch, store it on a local server, and then in the future rewrite the requests from squid so that the content is pulled locally.
redir.pl does the redirection part. redir.pl is working and kicks out the right URL:

    /usr/local/bin/redir.pl download.microsoft.com/download/1/2/a/12a31f29-2fa9-4f50-b95d-e45ef7013f87/MP10Setup.exe 192.168.1.1 bob GET

gets rewritten to

    http://127.0.0.1/cache/store/download.microsoft.com/download/1/2/a/12a31f29-2fa9-4f50-b95d-e45ef7013f87/MP10Setup.exe

The problem is the file never comes down. I've also tried redir.pl rewriting the URI to use the box's legitimate IP. Same thing. Eventually you get the squid timeout.

the ebtables and iptables rules in use
---------------------------------------
ebtables -t broute -A BROUTING -i eth1 -p IPv4 --ip-protocol 6 --ip-destination-port 80 --ip-source $1 --ip-destination ! x.x.x.0/24 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -s $1 -d ! x.x.x.0/24 -j REDIRECT --to-port 3128

Pretty straightforward... if it's IP and destined for TCP port 80, let iptables see it (unless it's aimed at a local network). iptables takes it and ships it to port 3128 for squid to party. This is working great for 'just' going through the proxy and hitting remote webservers.

While working on getting the redirector script and everything to work, I was for some reason able to push a few files out (not sure how in testing they got wedged into working).
Here's where 2003 SP1 gets redirected and pulled.

redir.pl's log
---------------
[Tue Apr 5 09:00:32 2005] cachehit 345322744 download.microsoft.com/download/1/2/7/127c5938-d36a-4405-9df1-f00d57495652/WindowsServer2003-KB889101-SP1-x86-ENU.exe

tethereal -i lo
--------------------
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 TCP 46624 > 46623 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=147 TSV=2861348298 TSER=2858781735
0.016805 127.0.0.1 -> 127.0.0.1 TCP 46623 > 46624 [PSH, ACK] Seq=0 Ack=147 Win=8192 Len=147 TSV=2861348315 TSER=2861348298
0.016830 127.0.0.1 -> 127.0.0.1 TCP 46624 > 46623 [ACK] Seq=147 Ack=147 Win=8192 Len=0 TSV=2861348315 TSER=2861348315

and the file comes down at a healthy 7 MB/second.

Here's the same info with the process breaking. In this case, a copy of Media Player 10:

0.000000 127.0.0.1 -> 127.0.0.1 TCP 46624 > 46623 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=118 TSV=2861551908 TSER=2861348315
0.000357 127.0.0.1 -> 127.0.0.1 TCP 46623 > 46624 [PSH, ACK] Seq=0 Ack=118 Win=8192 Len=118 TSV=2861551909 TSER=2861551908
0.000378 127.0.0.1 -> 127.0.0.1 TCP 46624 > 46623 [ACK] Seq=118 Ack=118 Win=8192 Len=0 TSV=2861551909 TSER=2861551909
0.000656 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396 TSV=2861551909 TSER=0 WS=2
3.000252 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861554909 TSER=0 WS=2
8.999440 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861560909 TSER=0 WS=2
20.997818 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861572909 TSER=0 WS=2
44.993570 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861596909 TSER=0 WS=2
59.107596 x.x.x.98 -> 127.0.0.1 TCP 57640 > http [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396 TSV=2861611025 TSER=0 WS=2
62.107252 x.x.x.98 -> 127.0.0.1 TCP 57640 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861614025 TSER=0 WS=2
68.106443 x.x.x.98 -> 127.0.0.1 TCP 57640 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861620025 TSER=0 WS=2
80.104816 x.x.x.98 -> 127.0.0.1 TCP 57640 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861632025 TSER=0 WS=2
104.100569 x.x.x.98 -> 127.0.0.1 TCP 57640 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861656025 TSER=0 WS=2
119.118652 x.x.x.98 -> 127.0.0.1 TCP 58643 > http [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396 TSV=2861671045 TSER=0 WS=2
122.118137 x.x.x.98 -> 127.0.0.1 TCP 58643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861674045 TSER=0 WS=2
128.117322 x.x.x.98 -> 127.0.0.1 TCP 58643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861680045 TSER=0 WS=2
140.115697 x.x.x.98 -> 127.0.0.1 TCP 58643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861692045 TSER=0 WS=2
164.111456 x.x.x.98 -> 127.0.0.1 TCP 58643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2861716045 TSER=0 WS=2

redir.pl's log entry
[Tue Apr 5 09:03:55 2005] cachehit 12754672 download.microsoft.com/download/1/2/a/12a31f29-2fa9-4f50-b95d-e45ef7013f87/MP10Setup.exe

Squid's error
"ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://127.0.0.1/cache/store/download.microsoft.com/download/1/2/a/12a31f29-2fa9-4f50-b95d-e45ef7013f87/MP10Setup.exe
The following error was encountered:
Connection Failed
The system returned: (110) Connection timed out"

Here's that same failed request with redir.pl giving the external IP:

tethereal -i lo
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 TCP 37898 > 37897 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=118 TSV=2862173433 TSER=2862151017
0.001160 127.0.0.1 -> 127.0.0.1 TCP 37897 > 37898 [ACK] Seq=0 Ack=118 Win=8192 Len=0 TSV=2862173434 TSER=2862173433
0.001559 127.0.0.1 -> 127.0.0.1 TCP 37897 > 37898 [PSH, ACK] Seq=0 Ack=118 Win=8192 Len=121 TSV=2862173434 TSER=2862173433
0.001569 127.0.0.1 -> 127.0.0.1 TCP 37898 > 37897 [ACK] Seq=118 Ack=121 Win=8192 Len=0 TSV=2862173434 TSER=2862173434
0.001950 x.x.x.98 -> x.x.y.7 TCP 38323 > http [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396 TSV=2862173435 TSER=0 WS=2
3.002299 x.x.x.98 -> x.x.y.7 TCP 38323 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2862176435 TSER=0 WS=2
9.001486 x.x.x.98 -> x.x.y.7 TCP 38323 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2862182435 TSER=0 WS=2
20.998860 x.x.x.98 -> x.x.y.7 TCP 38323 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396 TSV=2862194435 TSER=0 WS=2

It's like the socket isn't happening for some reason. The connection never happens and the process times out with the same squid error (only now with the external IP in the unable-to-retrieve URL). The apache webserver logs don't show anything for the sessions that time out. The client can pull up the apache webpage when directly typed in.

Any thoughts on how to get this process to cooperate or how to continue troubleshooting would be appreciated! I've been staring at it a bit and I'm stumped.

Wayne

From packetbl@allofmy.info Tue Apr 5 20:40:32 2005
From: packetbl@allofmy.info (Wayne Smith)
Date: Tue, 5 Apr 2005 15:40:32 -0400
Subject: [tproxy] squid, cttproxy, and a redirector script
Message-ID: <200504051540.AA3326148814@allofmy.info>

Sorry for the self follow-up, but a little more info.

The workstation that is doing the requesting ends up receiving packets with SYN/ACK set. The workstation that did the requesting never actually creates an initial SYN packet to the apache server (squid was doing that on its behalf after getting the response from the redirector script).

What type of packet mangling is required to have the locally produced (but spoofed) SYN from squid get its response to occur locally?

Again, I'm hoping I have the right forum. It's a patched kernel to allow the truly transparent proxy, but it's also a hacked squid to take advantage of that functionality.
As far as I can tell, squid is doing its job making the connection to apache, but the reply ends up going out the NIC to the workstation instead of being grabbed and thrown back to squid.

Any help appreciated.

Wayne

From hidden@balabit.hu Wed Apr 6 10:35:37 2005
From: hidden@balabit.hu (KOVACS Krisztian)
Date: Wed, 06 Apr 2005 11:35:37 +0200
Subject: [tproxy] Tproxy Problem
In-Reply-To: <3D9FDCA910DD4445896A0BE5ECF009D40339EEE3@bla.satyam.com>
References: <3D9FDCA910DD4445896A0BE5ECF009D40339EEE3@bla.satyam.com>
Message-ID: <1112780137.10837.3.camel@nienna.balabit>

Hi,

On Wed, 2005-04-06 at 10:57, Karthika_Rallabandi wrote:
> Thanks for the immediate response.
> Yeah I applied the patch for iptables user space.
> I downloaded the iptables-1.2.9 and performed the following steps as
> mentioned in README
> cd /usr/src/iptables-1.2.9
> cat /iptables/*.diff | patch -p1
> make KERNELDIR=/usr/src/linux
> But I couldn't find libipt_TPROXY.so in /lib/iptables.
> I tried to compile libipt_TPROXY.c in iptables/extensions/libipt_TPROXY.c
> but couldn't succeed. It gave errors in .h files like INT_MIN undeclared
> etc.
> I tried to include kernel.h file also but of no use.

Ok, then please try the following

  * apply the kernel patch first, and make sure you set KERNELDIR to the
    path of the patched source
  * after applying the iptables patch, make sure that
    extensions/.tproxy-test is executable:

--
  Regards,
    Krisztian Kovacs

From hidden@balabit.hu Wed Apr 6 10:39:35 2005
From: hidden@balabit.hu (KOVACS Krisztian)
Date: Wed, 06 Apr 2005 11:39:35 +0200
Subject: [tproxy] Tproxy Problem
In-Reply-To: <1112780137.10837.3.camel@nienna.balabit>
References: <3D9FDCA910DD4445896A0BE5ECF009D40339EEE3@bla.satyam.com> <1112780137.10837.3.camel@nienna.balabit>
Message-ID: <1112780375.10837.7.camel@nienna.balabit>

Hi,

Sorry, I accidentally pressed Ctrl+Enter while writing the reply...
On Wed, 2005-04-06 at 11:35, KOVACS Krisztian wrote:
> On Wed, 2005-04-06 at 10:57, Karthika_Rallabandi wrote:
> > Thanks for the immediate response.
> > Yeah I applied the patch for iptables user space.
> > I downloaded the iptables-1.2.9 and performed the following steps as
> > mentioned in README
> > cd /usr/src/iptables-1.2.9
> > cat /iptables/*.diff | patch -p1
> > make KERNELDIR=/usr/src/linux
> > But I couldn't find libipt_TPROXY.so in /lib/iptables.
> > I tried to compile libipt_TPROXY.c in iptables/extensions/libipt_TPROXY.c
> > but couldn't succeed. It gave errors in .h files like INT_MIN undeclared
> > etc.
> > I tried to include kernel.h file also but of no use.
>
> Ok, then please try the following
>
> * apply the kernel patch first, and make sure you set KERNELDIR to
>   the path of the patched source
> * after applying the iptables patch, make sure that
>   extensions/.tproxy-test is executable:

    run "chmod +x extensions/.tproxy-test" to make sure it's executable.

  * now compile iptables

Looks like you have some problems with the iptables build process. I'm curious if that chmod does the trick...

--
  Regards,
    Krisztian Kovacs

From hidden@balabit.hu Wed Apr 6 10:44:50 2005
From: hidden@balabit.hu (KOVACS Krisztian)
Date: Wed, 06 Apr 2005 11:44:50 +0200
Subject: [tproxy] squid, cttproxy, and a redirector script
In-Reply-To: <200504051540.AA3326148814@allofmy.info>
References: <200504051540.AA3326148814@allofmy.info>
Message-ID: <1112780690.10837.14.camel@nienna.balabit>

Hi,

On Tue, 2005-04-05 at 15:40, Wayne Smith wrote:
> Sorry for the self follow up, but a little more info
>
> The workstation that is doing the requesting ends up receiving packets
> with syn/ack set. The workstation that did the requesting never
> actually creates an initial syn packet to the apache server (squid was
> doing that in it's behalf after getting the response from the
> redirector script).
>
> What type of packet mangling is required to have the locally produced
> (but spoofed) syn from squid get its response to occur locally?
>
> Again, I'm hoping I have the right forum. It's a patched kernel to
> allow the truly transparent proxy, but it's also a hacked squid to
> take advantage of that functionality. As far as I can tell, squid is
> doing it's job making the connection to apache, but the reply ends up
> going out the NIC to the workstation instead of being grabbed and
> thrown back to squid.
>
> Any help appreciated.

This seems to be the effect of a limitation of the tproxy kernel patch: source address faking does not work for traffic sent to localhost. Unfortunately I don't know of any quick fix for that problem, so you're left with two choices:

  * you try to configure Squid so that it doesn't try to fake the
    source address when connecting to the apache running on localhost
  * you move the apache serving the cached update files to a separate
    machine

I don't know whether or not the first option can be done with the current Squid patch, but it would be a useful feature to avoid problems like this one.

--
  Regards,
    Krisztian Kovacs

From packetbl@allofmy.info Mon Apr 11 13:56:24 2005
From: packetbl@allofmy.info (Wayne Smith)
Date: Mon, 11 Apr 2005 08:56:24 -0400
Subject: [tproxy] squid, cttproxy, and a redirector script
Message-ID: <200504110856.AA2344747148@allofmy.info>

> This seems to be the effect of a limitation of the tproxy kernel
> patch: source address faking does not work for traffic sent to
> localhost.
> Unfortunately I don't know of any quick fix for that problem,
> so you're left with two choices:
>
> * you try to configure Squid so that it doesn't try to fake the
>   source address when connecting to the apache running on
>   localhost
> * you move the apache serving the cached update files to a
>   separate machine
>
> I don't know whether or not the first option can be done with the
> current Squid patch, but it would be a useful feature to avoid problems
> like this one.
>
> --
>   Regards,
>     Krisztian Kovacs

Krisztian,

While I started coding C about 12 years ago, that was on DOS and it didn't involve TCP sockets ;) If I had more time and a more capable background, I'd probably try to hack squid to not spoof the IP when using the redirector, but... I couldn't (easily or cost effectively) have the apache server outside the squid box.

So, after racking my brain (and before getting responses from the folks on the list), I came up with a simple solution in the redir.pl script: "301:" by the URL... yep, a simple object moved. This gets back to the client, allowing it to make the necessary incoming connection.

So, if you are doing the truly transparent proxy thing and looking to use the windowsupdate_cache script, you might want to modify redir.pl to include 301: with the response it gives to squid.

After around 15 hours or so of tracking and troubleshooting, a copy of vi and about 10 keystrokes would have covered it. If I ever don't have enough sleep (and therefore forget what's currently impossible with my (lack of) coding skills), I might give making a patch for squid a try.

Thanks for all the replies back. I hope my answer in the archives helps somebody else out. If it does, I'd love an email to hear how other folks are faring with squid and tproxy.
Wayne, fugitive from the cubicle police

From hidden@balabit.hu Fri Apr 15 14:12:13 2005
From: hidden@balabit.hu (KOVACS Krisztian)
Date: Fri, 15 Apr 2005 15:12:13 +0200
Subject: [tproxy] TProxy version 2.0.1 released
Message-ID: <1113570733.4023.18.camel@nienna.balabit>

Hi,

Version 2.0.1 of TProxy has been released for Linux 2.4.30 and Linux 2.6.10. This release incorporates fixes for a couple of bugs found since the release of version 2.0.0. Please note that due to extensive changes in the Netfilter NAT subsystem of Linux there is no TProxy patch for 2.6.11 yet; this will be released at a later (still unknown) time.

The most important bugfix in this release is the addition of another unhash hook to the TCP code; former releases could leak sockrefs under special circumstances. These leaked sockrefs could later lead to 'socket already assigned' warning messages.

Besides bugfixes, this release contains a complete, working example of a transparent proxy software using the TProxy patches. This example software, called skaidrus, was kindly contributed by Lennert Buytenhek. Many thanks Lennert!
The release tarballs are available at the usual location:

  http://www.balabit.com/downloads/tproxy/

MD5 checksums of the release tarballs:

  3bfc4662f74f876440d0ad33220170fa  cttproxy-2.6.10-2.0.1.tar.gz
  87d4bd8513a4683f5b74f0dee7919253  cttproxy-2.4.30-2.0.1.tar.gz

--
  Regards,
    Krisztian Kovacs

From spshahnawaz@yahoo.co.in Tue Apr 19 08:35:45 2005
From: spshahnawaz@yahoo.co.in (spshahnawaz hussain)
Date: Tue, 19 Apr 2005 00:35:45 -0700 (PDT)
Subject: [tproxy] tproxy query
Message-ID: <20050419073545.50562.qmail@web8403.mail.in.yahoo.com>

Hi all,

After applying the patches, I am able to divert packets destined to the server to a local process on the gateway. I have some queries about tproxy.

What are the patches exactly doing? Or: what exactly is being done to make a local process bound to a local IP listen on a foreign IP (the server's IP)? How is this change of IP address done? Or is it that the destination IP of incoming packets destined to the server is replaced with that of our local process IP?

Hope I will get my answers.

thanks,
Shahnawaz.

From bpfountz@ben.pfountz.com Tue Apr 26 20:45:49 2005
From: bpfountz@ben.pfountz.com (Ben Pfountz)
Date: Tue, 26 Apr 2005 15:45:49 -0400
Subject: [tproxy] foreign-tcp-connect times out...
Message-ID: <1114544750.6188.11.camel@localhost.localdomain>

Hi,

I am trying to write a patch for stunnel to support tproxy, but I am having difficulty getting tproxy configured correctly. I compiled and ran the foreign-tcp-connect test program, but after waiting a minute or two, I get the error message 'connect: connection timed out'. I have the following IP addresses defined in the program:

    /* an IP address bound to one of the local interfaces */
    #define LOCAL_IP "192.168.14.1"
    /* the IP address to use as source address */
    #define FOREIGN_IP "128.173.94.148"
    /* IP address to connect to */
    #define DEST_IP "192.168.14.1"

While the program is running, my netstat looks like this:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
    tcp        0      0 192.168.14.1:80        128.173.94.148:2000    SYN_RECV
    tcp        0      0 192.168.14.1:22        192.168.14.168:32962   ESTABLISHED
    tcp        0      1 192.168.14.1:9999      192.168.14.1:80        SYN_SENT
    tcp        0      0 192.168.14.1:22        192.168.14.168:32973   ESTABLISHED

I am using the Linux 2.4.29 kernel and patch version cttproxy-2.4.29-2.0.0.tar.gz. The kernel and iptables have both been patched and installed. I'm not sure what the problem is; does anyone have any advice?

Thanks for your time.
Ben
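Two of the reports in this thread end in the same place: Wayne Smith's loopback captures show a SYN retransmitted at 3, 6, 12 and 24 second intervals with no SYN/ACK ever coming back, and Ben Pfountz's netstat listing shows sockets parked in SYN_SENT and SYN_RECV. The script below is an added example, not code from the tproxy project or from anyone on this list. It classifies the flows in tethereal one-line summaries as established, half-open or joined mid-stream, reports the gaps between repeated SYNs, and pulls the handshake-stuck entries out of netstat output. The sample lines are constructed after the ones posted above; the parser assumes tethereal's summary format as printed in those captures and the classic netstat -n column layout.

```python
"""Classify TCP flows in tethereal summaries and netstat output.

Added example; not code from the tproxy project or from anyone on this
list. It assumes the one-line summary format tethereal printed in the
captures above ("<time> <src> -> <dst> TCP <sport> > <dport> [FLAGS] ...")
and the classic `netstat -n` column layout from the last message.
"""
import re

# Constructed sample, patterned on the loopback captures posted in this
# thread: a redirector exchange the capture joined mid-stream, one
# successful handshake, and one SYN that is retransmitted with doubling
# gaps because nothing ever answers it.
TETHEREAL_SAMPLE = """\
0.000000 127.0.0.1 -> 127.0.0.1 TCP 46624 > 46623 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=118
0.000357 127.0.0.1 -> 127.0.0.1 TCP 46623 > 46624 [PSH, ACK] Seq=0 Ack=118 Win=8192 Len=118
0.000378 127.0.0.1 -> 127.0.0.1 TCP 46624 > 46623 [ACK] Seq=118 Ack=118 Win=8192 Len=0
0.000656 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396
0.100000 192.168.1.1 -> 127.0.0.1 TCP 40000 > http [SYN] Seq=0 Ack=0 Win=5840 Len=0
0.100100 127.0.0.1 -> 192.168.1.1 TCP http > 40000 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
0.100200 192.168.1.1 -> 127.0.0.1 TCP 40000 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0
3.000252 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396
8.999440 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396
20.997818 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396
44.993570 x.x.x.98 -> 127.0.0.1 TCP 56643 > http [SYN] Seq=0 Ack=0 Win=131068 Len=0 MSS=16396
"""

# Constructed after the netstat listing in Ben Pfountz's message.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.168.14.1:80        128.173.94.148:2000    SYN_RECV
tcp        0      0 192.168.14.1:22        192.168.14.168:32962   ESTABLISHED
tcp        0      1 192.168.14.1:9999      192.168.14.1:80        SYN_SENT
"""

SUMMARY_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)
HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECV"}


def classify_flows(text):
    """Map 'client:port -> server:port' to its handshake state.

    The key is oriented from whichever endpoint sent the first captured
    packet, so the SYN/ACK coming back lands in the same flow. state is
    'established' (SYN, SYN/ACK and ACK all seen), 'half-open' (SYNs but
    no SYN/ACK) or 'mid-stream' (no SYN captured; the capture started
    after the handshake). Gaps between repeated SYNs are reported in
    whole seconds so the kernel's exponential backoff is easy to read.
    """
    flows = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        a, b = (m["src"], m["sport"]), (m["dst"], m["dport"])
        flags = {f.strip() for f in m["flags"].split(",")}
        key = (b, a) if (b, a) in flows else (a, b)
        info = flows.setdefault(key, {"syns": [], "synack": False, "ack": False})
        if flags == {"SYN"}:
            info["syns"].append(float(m["t"]))
        elif {"SYN", "ACK"} <= flags:
            info["synack"] = True
        elif "ACK" in flags:
            info["ack"] = True

    report = {}
    for (a, b), info in flows.items():
        if info["syns"] and info["synack"] and info["ack"]:
            state = "established"
        elif info["syns"]:
            state = "half-open"
        else:
            state = "mid-stream"
        syns = info["syns"]
        report[f"{a[0]}:{a[1]} -> {b[0]}:{b[1]}"] = {
            "state": state,
            "syn_count": len(syns),
            "retransmit_gaps_s": [round(t2 - t1) for t1, t2 in zip(syns, syns[1:])],
        }
    return report


def half_open_sockets(text):
    """Return (local, foreign, state) for netstat entries stuck in the handshake."""
    stuck = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 6 and cols[0].startswith("tcp") and cols[5] in HALF_OPEN_STATES:
            stuck.append((cols[3], cols[4], cols[5]))
    return stuck


if __name__ == "__main__":
    for flow, info in classify_flows(TETHEREAL_SAMPLE).items():
        print(f"{flow:40} {info['state']:12} syns={info['syn_count']} gaps={info['retransmit_gaps_s']}")
    for local, foreign, state in half_open_sockets(NETSTAT_SAMPLE):
        print(f"{local:22} {foreign:22} {state}")
```

A half-open flow with doubling gaps is the on-the-wire signature behind Squid's "(110) Connection timed out" page: the SYN leaves, nothing answers, and the kernel keeps backing off until the application's connect timeout expires. Reading that off the capture first separates "the connection never got an answer" from redirector or ACL problems, and in Wayne's case it also shows the loopback chatter between Squid and redir.pl completing normally right before the faked-source SYN goes unanswered, which matches the localhost limitation Krisztian describes. In Ben's netstat both ends of the attempt show up as stuck, the connecting socket in SYN_SENT and the listener in SYN_RECV.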
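Wayne Smith's fix further up the thread, having redir.pl answer Squid with a "301:" prefix so the client itself fetches the cached copy, is a one-line change to his Perl script. The helper below is an added Python equivalent, not redir.pl and not code from windowsupdate_cache, Squid or tproxy, written to show the whole redirector exchange. It assumes Squid 2.5's line-based redirector protocol (one request line in, "URL client_ip/fqdn ident method"; one reply line out: empty to leave the URL alone, a bare URL to have Squid fetch it, or 301:/302: plus a URL to have Squid send the client a redirect). The cache address 192.0.2.10 and the /cache/store/ path are placeholders.

```python
"""Squid redirector helper that replies with a 301: redirect.

Added example; not redir.pl, nor code from windowsupdate_cache, Squid or
tproxy. Assumes Squid 2.5's line-oriented redirector protocol: Squid
writes one request per line ("URL client_ip/fqdn ident method") and reads
one reply line back: empty (leave the URL alone), a rewritten URL (Squid
fetches it for the client), or "301:URL" / "302:URL" (Squid sends the
client an HTTP redirect instead of fetching anything).
"""
import sys
from urllib.parse import urlsplit

# Placeholder for the cache front-end. It must be an address the *client*
# can reach: 127.0.0.1 would send the workstation to its own loopback.
# 192.0.2.10 is a documentation address standing in for the proxy box.
CACHE_BASE = "http://192.0.2.10/cache/store/"

# Only downloads from these hosts with these extensions are redirected;
# everything else passes through untouched, so the helper cannot be used
# to bounce arbitrary URLs at the local web server. Constructed lists.
CACHED_HOSTS = {"download.microsoft.com"}
CACHED_SUFFIXES = (".exe", ".cab")


def rewrite(request_line):
    """Return the reply line for one Squid redirector request line."""
    cols = request_line.split()
    if len(cols) < 4:
        return ""                      # malformed: tell Squid to leave it
    url, _client, _ident, method = cols[:4]
    if method != "GET":
        return ""
    u = urlsplit(url)
    if u.scheme != "http" or u.hostname not in CACHED_HOSTS or u.query:
        return ""
    if ".." in u.path.split("/") or not u.path.lower().endswith(CACHED_SUFFIXES):
        return ""
    # A redirect makes the client open the connection to the cache server
    # itself, so Squid never opens a source-faked connection to a server
    # on its own box, which is the case the kernel patch cannot handle.
    return "301:" + CACHE_BASE + u.hostname + u.path


def main():
    # Squid keeps the helper running for its lifetime and talks to it one
    # line at a time; without the flush Squid waits on a reply that is
    # still sitting in this process's stdio buffer.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two details matter in practice. The redirect target has to be an address the client can reach, which is why CACHE_BASE carries the box's real address rather than 127.0.0.1 (the URL Wayne's first attempt produced). And because the 301 makes the client connect to the cache server directly, the allowlist on hosts and file types keeps the helper from turning into a general-purpose redirector that will point any client at any path on the local web server. Squid is pointed at it with redirect_program followed by the helper's path.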