[tproxy] TPROXY but without bridging?

Laszlo Attila Toth panther at balabit.hu
Tue Apr 1 10:26:26 CEST 2008


admin at abp.pl wrote:
> Hello,
> 
> I wrote below my progress in implementing tproxy to work with
> squid-2.6. I have only one problem.
> 
> 
> ---
> On routers A,B.. (from my topology diagram)
> (eth1 is lan interface)
> 
> $BIN_IPT -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp
> --dport 80 -j CONNMARK --set-mark 2
> $BIN_IPT -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
> 
> ip route add table 100 default via [squid_ip]
> ip rule add fwmark 2 lookup 100
> 
> ---
> On router 0:
> (eth1 is lan interface,eth0 wan interface)
> iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp
> --dport 80 -j CONNMARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
> 
> ---
> On squid:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
> 0x1/0x1 --on-port 3128
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> 
> and on the squid machine I also have routing entries for all routable
> subclasses from routers a,b,c...
> 
> on squid.conf:
> http_port 3128 transparent tproxy
> 
> #uname -a
> Linux w3cache 2.6.25-rc7
> (patched by tproxy-20080227-171356-1204128836.tar.bz2)
> 
> I also attached the output from dmesg | grep TPROXY.
> 
> Squid patched by tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch
> 
> Traffic flows through squid correctly but, like you said, web servers outside
> the network log connections with the IP of the squid machine, not the
> clients'. Is there any chance to fix it?

The latest squid-3 patch solves this problem but I haven't got the same 
for squid-2.6. The squid-3 patch is made by Amos Jeffries and I added 
two diffs to the end of it (if you see the content).

--
Panther
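An added illustration (not from this thread or from the squid patches) of the kernel mechanism the squid-side patch has to use so that upstream servers see the client address: the outgoing socket is bound to the client's IP with IP_TRANSPARENT set, which the kernel only allows with CAP_NET_ADMIN (or CAP_NET_RAW). The `-m socket -j DIVERT` rule and the `local 0.0.0.0/0` route in table 100 from the post are what bring the replies to such a socket back to squid instead of forwarding them to the client. Addresses below are constructed; 198.51.100.7 stands in for a LAN client.

```python
import errno
import socket

# Linux value of IP_TRANSPARENT; recent Pythons export it on socket directly.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def bind_as(src_ip, transparent):
    """Try to bind a TCP socket to src_ip (any port) and report the outcome.

    Returns "ok" on success, otherwise the errno name: "EADDRNOTAVAIL" when
    src_ip is not configured on this host and IP_TRANSPARENT is off, "EPERM"
    when IP_TRANSPARENT is requested without the needed capability.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if transparent:
            # The option a tproxy-aware proxy sets on its upstream sockets:
            # only with it will the kernel accept a bind to a non-local
            # (client) address, so the server sees the client as source.
            s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
        s.bind((src_ip, 0))
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def demo():
    # Constructed inputs: loopback is local; 198.51.100.7 (TEST-NET-2) plays
    # the role of a client behind routers A, B, ... and is not local here.
    return {
        "local_plain": bind_as("127.0.0.1", False),
        "client_plain": bind_as("198.51.100.7", False),
        "client_transparent": bind_as("198.51.100.7", True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run unprivileged, the third case reports EPERM; with CAP_NET_ADMIN it reports ok, which is exactly the privilege squid needs for its spoofed upstream connections.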

