[tproxy] TPROXY but without bridging?

admin at abp.pl
Tue Apr 1 14:00:57 CEST 2008


On Tue, April 1, 2008, 10:26, Laszlo Attila Toth wrote:
> admin at abp.pl wrote:
>> I wrote below my progress in implementing tproxy to work with
>> squid-2.6. I have only one problem.
>>
>>
>> ---
>> On routers A,B.. (from my topology diagram)
>> (eth1 is lan interface)
>>
>> $BIN_IPT -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp
>> --dport 80 -j CONNMARK --set-mark 2
>> $BIN_IPT -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
>>
>> ip route add table 100 default via [squid_ip]
>> ip rule add fwmark 2 lookup 100
>>
>> ---
>> On router 0:
>> (eth1 is lan interface,eth0 wan interface)
>> iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -p tcp
>> --dport 80 -j CONNMARK --set-mark 1
>> iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
>>
>> ---
>> On squid:
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>>     --tproxy-mark 0x1/0x1 --on-port 3128
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> and on the squid machine I also have routing entries for all routable
>> subclasses from routers a, b, c...
>>
>> on squid.conf:
>> http_port 3128 transparent tproxy
>>
>> #uname -a
>> Linux w3cache 2.6.25-rc7
>> (patched by tproxy-20080227-171356-1204128836.tar.bz2)
>>
>> I also attached the output from dmesg | grep TPROXY.
>>
>> Squid patched by
>> tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch
>>
>> Traffic flows through squid correctly, but, like you said, web servers
>> outside the network log connections with the IP of the squid machine, not
>> the clients'. Is there any chance to fix it?
>
> The latest squid-3 patch solves this problem, but I haven't got the same
> for squid-2.6. The squid-3 patch was made by Amos Jeffries and I added
> two diffs to the end of it (if you look at the content).

Squid-3 is still worse than squid-2.6 (coss implementation etc.). I didn't
see benefits from the possibility of migrating to squid-3. So is there any
chance to quickly modify the patch for the 2.5 version of squid?

Regards,
-- 
Tomasz
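Added example (not from this thread, from Squid, or from the tproxy patches): what the proxy side has to do on its upstream connection so that the origin web server sees the client's address instead of the proxy's, which is the symptom discussed above. It assumes a Linux kernel with TPROXY support, CAP_NET_ADMIN on the proxy host, and the IP_TRANSPARENT socket option; the fallback value 19 for IP_TRANSPARENT and the function names bind_as_client, connect_upstream and can_bind_as are this example's own assumptions.

```c
/* Example: open an upstream TCP connection that carries the client's
 * source address, the way a TPROXY-aware proxy must do it.
 * Assumes Linux with TPROXY support and CAP_NET_ADMIN. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumption: value used by TPROXY-capable kernels when the headers lack it. */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif

/* Create a TCP socket whose source address is client_ip, an address that
 * belongs to a host behind the proxy rather than to the proxy itself.
 * transparent == 1: set IP_TRANSPARENT before bind(), which is what makes
 *   the kernel accept a non-local address (needs CAP_NET_ADMIN).
 * transparent == 0: bind() to a non-local address fails (EADDRNOTAVAIL),
 *   so the proxy ends up using its own address, as seen in the thread.
 * Returns a bound, unconnected fd, or -1 with errno set. */
int bind_as_client(const char *client_ip, int transparent)
{
    struct sockaddr_in src;
    int fd, one = 1, saved;

    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = 0;                     /* kernel picks the source port */
    if (inet_pton(AF_INET, client_ip, &src.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (transparent &&
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0)
        goto fail;
    return fd;

fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Connect a socket from bind_as_client() to the origin server. The SYN
 * leaves with client_ip as source, so the reply only reaches this socket
 * if the routers steer it back through the proxy host and the
 * "-m socket -j DIVERT" rules hand it to the local stack.
 * Returns 0 on success, -1 with errno set. */
int connect_upstream(int fd, const char *server_ip, unsigned short port)
{
    struct sockaddr_in dst;

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    if (inet_pton(AF_INET, server_ip, &dst.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    return connect(fd, (struct sockaddr *)&dst, sizeof dst);
}

/* Convenience check: 1 if bind_as_client() succeeds (fd closed again), 0 if not. */
int can_bind_as(const char *client_ip, int transparent)
{
    int fd = bind_as_client(client_ip, transparent);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Usage: spoofsrc <client_ip> <server_ip> [port]   (as root on the proxy) */
int main(int argc, char **argv)
{
    const char *req = "HEAD / HTTP/1.0\r\n\r\n";
    char buf[512];
    ssize_t n;
    int fd, port = argc > 3 ? atoi(argv[3]) : 80;

    if (argc < 3) {
        fprintf(stderr, "usage: %s client_ip server_ip [port]\n", argv[0]);
        return 2;
    }
    if ((fd = bind_as_client(argv[1], 1)) < 0) {
        perror("bind_as_client");          /* EPERM: missing CAP_NET_ADMIN */
        return 1;
    }
    if (connect_upstream(fd, argv[2], (unsigned short)port) < 0) {
        perror("connect_upstream");
        close(fd);
        return 1;
    }
    write(fd, req, strlen(req));
    while ((n = read(fd, buf, sizeof buf - 1)) > 0) {
        buf[n] = '\0';
        fputs(buf, stdout);
    }
    close(fd);
    return 0;
}
```

Without IP_TRANSPARENT the bind to a non-local address is refused and the connection goes out from the proxy's own address, which is exactly what the remote web servers log in the setup above. With it, the outgoing packets carry the client address, so the return path matters: the routers' fwmark/table 100 rules must send the server's replies back via the squid host, and the "-m socket -j DIVERT" rule on the squid host must deliver them to the transparent socket instead of forwarding them to the client.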
