[tproxy] TPROXY but without bridging?
admin at abp.pl
Tue Apr 1 09:22:13 CEST 2008
Hello,
I wrote below my progress in implementing tproxy to work with
squid-2.6. I have only one problem.
---
On routers A,B.. (from my topology diagram)
(eth1 is lan interface)
$BIN_IPT -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp \
    --dport 80 -j CONNMARK --set-mark 2
$BIN_IPT -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
ip route add table 100 default via [squid_ip]
ip rule add fwmark 2 lookup 100
---
On router 0:
(eth1 is lan interface,eth0 wan interface)
iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp \
    --dport 80 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
---
On squid:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
and on the squid machine I also have routing entries for all routable
subclasses from routers a, b, c...
in squid.conf:
http_port 3128 transparent tproxy
# uname -a
Linux w3cache 2.6.25-rc7
(patched by tproxy-20080227-171356-1204128836.tar.bz2)
I attached also the output from dmesg | grep TPROXY.
Squid patched by tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch
Traffic flows through squid correctly, but as you said, web servers outside
the network log connections with the IP of the squid machine, not the
clients'. Is there any chance to fix it?
Regards,
Tomasz
On Mon, March 31 2008, 16:51, Laszlo Attila Toth wrote:
> Ming-Ching Tiew wrote:
>> admin at abp.pl wrote:
>>> I'm using Squid Cache: Version 2.6.STABLE18
>>>
>>> Is there a possibility to use it as a fully transparent proxy (with tproxy)
>>> but
>>> without bridging interfaces?
>>>
>>> My topology:
>>>
>>> [router 0]---[Internet]
>>> |
>>> |
>>> [===switch=======================]
>>> | | |
>>> [squid] [ router a ][ router b ] .....
>>>
>>> To routers a,b... clients are connected. On those routers I have DNAT
>>> --to-destination squid:80
>>>
>>> On the squid machine I have a 2.6.25-rc7 kernel and Squid with patches from
>>> http://people.balabit.hu/panther/tproxy/.
>
> The official site is http://www.balabit.com/downloads/files/tproxy/, any
> other address is used for development.
>
> The latest squid patch, for version 3, is the following:
>
> http://www.balabit.com/downloads/files/tproxy/tproxy-squid-3-20080401.patch
>
> It is not yet finished (the outgoing packets have the squid's IP address
> and not the client's).
>
>>>
>>> And:
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>>> --tproxy-mark 0x1/0x1 --on-port 3128
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>
>>> squid.conf:
>>> ..
>>> http_port 3128 transparent tproxy
>
>
> In squid.conf use the following:
>
> http_port 3128 tproxy
>
> No more change is necessary (except ACL).
>
>>>
>>> When I test this configuration, web servers log connections from clients
>>> behind routers a,b... with the IP of the squid machine. So tproxy doesn't work.
>>>
>>> Can I fix it?
>
> The patch doesn't resolve this problem yet, sorry.
>
>>>
>>> PS. It's urgent for me, please help;)
>>> Regards,
>>> Tomasz
>>>
>>>
>> Well, among all things you have at least gotten to patch
>> the 2.6.25-rc7 kernel. Good! That's a big step better than
>> just ***STARING*** at the patch, refusing to use it and
>> then starting to ask all sorts of questions about where the
>> correct patch is!
>>
>> :-)
>
> ... and for which kernel version. Earlier than 2.6.22 will not be
> supported. But I'm not sure which kernels are used because I have to
> backport tproxy for them.
--
Tomasz
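An added consistency check for the squid-box rules in this thread (the TPROXY mark, the DIVERT chain, the fwmark ip rule and the local route in table 100); this is example code written for this archive page, not part of the thread or of the tproxy patches, and the `iptables-save`, `ip rule show` and `ip route show table` samples it parses are constructed, not captured from a real host. The function names are hypothetical.

```python
import re

# Constructed sample output modelled on the squid-box rules in the thread, not captured from a real host.
IPTABLES_SAVE = """*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
IP_ROUTE_TABLE_100 = "local default dev lo scope host\n"

def marks_set(iptables_save):
    """Mark values written by TPROXY --tproxy-mark and MARK --set-(x)mark in the mangle dump."""
    marks = set()
    for m in re.finditer(r"--tproxy-mark (0x[0-9a-f]+)/(0x[0-9a-f]+)", iptables_save):
        marks.add(int(m.group(1), 16) & int(m.group(2), 16))
    for m in re.finditer(r"--set-x?mark (0x[0-9a-f]+|\d+)", iptables_save):
        marks.add(int(m.group(1), 0))
    return marks

def fwmark_tables(ip_rule):
    """Map fwmark value -> routing table name, from `ip rule show` output."""
    return {int(m.group(1), 0): m.group(2)
            for m in re.finditer(r"fwmark (0x[0-9a-f]+|\d+)(?:/\S+)? lookup (\S+)", ip_rule)}

def has_local_default(route_dump):
    """True if the table delivers every destination locally via lo, as TPROXY needs."""
    return re.search(r"^local (?:default|0\.0\.0\.0/0) dev lo", route_dump, re.M) is not None

def check_tproxy_setup(iptables_save, ip_rule, route_tables):
    """Return findings; an empty list means mark -> ip rule -> local route is intact.
    route_tables maps a table name to its `ip route show table <name>` output."""
    findings = []
    marks = marks_set(iptables_save)
    if not marks:
        findings.append("no TPROXY/MARK rule in the mangle table")
    if "-m socket" not in iptables_save:
        findings.append("no '-m socket' rule: later packets of diverted connections miss the proxy")
    rules = fwmark_tables(ip_rule)
    for mark in sorted(marks):
        table = rules.get(mark)
        if table is None:
            findings.append(f"mark {mark:#x} is set but no ip rule looks it up")
        elif not has_local_default(route_tables.get(table, "")):
            findings.append(f"table {table} for mark {mark:#x} lacks 'local default dev lo'")
    return findings
```

Run it against the real dumps (`iptables-save -t mangle`, `ip rule show`, `ip route show table 100`) to confirm the mark set by TPROXY is the one the ip rule routes into a table that actually ends in `local default dev lo`; it cannot detect the client-address problem in the thread, which is in the squid patch, not in the routing.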
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dmesg.out.txt
Url: http://lists.balabit.hu/pipermail/tproxy/attachments/20080401/ffa09418/attachment.txt