[tproxy] problem with tproxy and iptables

Laszlo Attila Toth panther at balabit.hu
Wed Feb 20 11:45:34 CET 2008


Hello,

nantenaina Tianarivo wrote:
> Hello everybody,
> 
> I am trying to make tproxy work with our squid but I have a problem with 
> the iptables rule to redirect traffic to squid now.
> I have compiled a linux kernel 2.6.22.18 patched with 
> tproxy-4.0.3-2.6.22 and iptables 1.3.8. For squid, I'm using Version 
> 2.6.STABLE5.
> I think my kernel is well compiled because I see all the tproxy modules 
> loaded:
> 
> proxy:/usr/src/linux# lsmod | grep -i proxy
> xt_tproxy               1984  0
> xt_TPROXY               1984  1
> iptable_tproxy          6468  2 xt_TPROXY
> ip_tables              12420  2 iptable_filter,iptable_tproxy
> x_tables               14564  5 ipt_LOG,xt_tcpudp,xt_tproxy,xt_TPROXY,ip_tables
> 
> 
> My iptables rules are like this:
> 
> iptables -t tproxy -A PREROUTING -p tcp -m tcp  -i gre1 --dport 80 -j LOG
> iptables -t tproxy -A PREROUTING -p tcp -m tcp  -i gre1 --dport 80 -j TPROXY --on-port 80
> 
> When I check it with tcpdump, I see traffic for the http port on the gre1 
> interface:
> 
> proxy:/usr/src/linux# tcpdump -n -i gre1
> tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to 
> cooked socket
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 13:10:51.437856 IP 62.56.240.17.3200 > 84.16.80.10.80: . ack 3247536657 
> win 2264 <nop,nop,timestamp 24199037 1582152>
> 13:10:51.492666 IP 62.56.240.17.3199 > 84.16.80.10.80: . ack 3204902926 
> win 3604 <nop,nop,timestamp 24199051 1582156>
> 13:10:51.523999 IP 62.56.240.17.3198 > 84.16.80.10.80: . ack 3189913679 
> win 16022 <nop,nop,timestamp 24199058 1582173>
> 
> When I check the access.log of my squid, my requests are actually sent 
> to the squid.
> 
> But it is not the client IP which is sent to the Internet but the squid 
> box IP.
> 
> When I issue the iptables-save -c command to check if there is traffic that 
> enters my iptables rules, the counters show zero traffic:
> 
> proxy:/usr/src/linux# iptables-save -t tproxy -c
> # Generated by iptables-save v1.3.8 on Wed Feb 20 13:07:45 2008
> *tproxy
> :PREROUTING ACCEPT [128:11992]
> [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j LOG
> [0:0] -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80 --on-ip 0.0.0.0
> COMMIT
> 
> Even the LOG rule doesn't tell me anything about traffic on the gre1 interface.
> 
> What I see in the log is this error that appears from time to time:
> 
> Feb 20 13:08:31 proxy squid[2353]: parseHttpRequest: NF 
> getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available
> Feb 20 13:08:31 proxy squid[2353]: tproxy 
> ip=62.56.240.17,0x11f0383e,port=0 ERROR ASSIGN

It seems you want to use the squid with the tproxy patch for tproxyv2 but 
you use tproxyv4. They are incompatible. The iptables commands are the 
same but the tproxy4 kernel code is different.

When the squid uses tproxy-specific commands, there should be only one 
call: set the socket option IP_FREEBIND, _or_ load the tproxy table 
with the tproxy_any parameter:

   modprobe iptable_tproxy tproxy_any=1

-- 
Panther
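As an added illustration of the IP_FREEBIND option mentioned in the reply (example code, not part of this thread or of squid), the function below tries to bind a TCP socket to a non-local address with and without the option; it assumes Linux and that 192.0.2.1 (a documentation address, constructed for the example) is not configured on the host, so the plain bind fails with EADDRNOTAVAIL while the IP_FREEBIND bind succeeds.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to bind a TCP socket to addr:port. When freebind is non-zero,
 * IP_FREEBIND is set first so the kernel accepts an address that is
 * not configured locally (what a transparent proxy needs in order to
 * answer as the real server). Returns 0 on success, otherwise the
 * errno of the failing call. The socket is closed before returning. */
int try_bind(const char *addr, uint16_t port, int freebind)
{
    struct sockaddr_in sin;
    int err = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    if (freebind) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
            err = errno;
            close(fd);
            return err;
        }
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);        /* port 0: let the kernel pick one */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    /* 192.0.2.1 is a constructed, non-local address for this demo. */
    printf("without IP_FREEBIND: %s\n", strerror(try_bind("192.0.2.1", 0, 0)));
    printf("with IP_FREEBIND:    %s\n", strerror(try_bind("192.0.2.1", 0, 1)));
    return 0;
}
```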

