[tproxy] Configuring Squid + TPROXY using iptables 1.4

Fri Jun 20 19:21:08 CEST 2008

    People,

    After a long time waiting to implement this solution I came here to 
ask how can I configure the redirection from iptables to squid. My 
squid.conf has this line:

/http_port 3128 tproxy/

    It starts ok. For a test I have made this "transparent" and make a 
rule on iptables (iptables -t nat -A PREROUTING -s .... -p tcp -m tcp 
--dport 80 -j REDIRECT --to-ports 3128) and it works fine. It is really 
getting stuff and putting into cache (TCP_HIT). So, my network layout 
(for testing purpose only) is:

/[ internet ] --- [ router ] --- [ cache ] --- [ me ]

"me" network: 10.0.0.0/24 (me = .2 and cache = .1)
"cache" network: 192.168.1.0/24 (cache = .9 and router = .1)/

    This is a fine layout to work as a transparent proxy (using 
transparent). My router make a route to 10.0.0.0/24 throu cache, like:

/route add -net 10.0.0.0/24 gw 192.168.1.9/

    And in this router I am masquerading this network.

    I don't know if in this layout I can make this work so, I have made 
this script (based on README from tproxy):
------------------------------------------------------------------------
/#!/bin/bash

IP="/sbin/ip"
IPT="/sbin/iptables"

PROXY_PT="3128"
PROXY_MK="1"

#----
# Criando as regras de redicionamento dos pacotes
# marcados pelo iptables
#----
$IP rule add fwmark $PROXY_MK lookup 100
$IP route add local 0.0.0.0/0 dev lo table 100

#----
# Criando as regras do iptables
#----
$IPT -t mangle -F
$IPT -t mangle -N DIVERT
$IPT -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
$IPT -t mangle -A DIVERT -j MARK --set-mark 1
$IPT -t mangle -A DIVERT -j ACCEPT

#----
# Marca os pacotes com destino ao cache
#----
$IPT -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 
0x1/0x1 --on-port $PROXY_PT/
------------------------------------------------------------------------
    This script is running as the box boots. When I start the cache it 
works fine but when I try to open a website squid access.log shows this:
------------------------------------------------------------------------
/1213980761.622      0 10.0.0.2 NONE/400 1497 GET /mrtg/trafego.php - 
NONE/- text/html
1213980783.535      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
1213980783.654      0 10.0.0.2 NONE/400 1487 GET /favicon.ico - NONE/- 
text/html
1213980794.052      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
1213980794.661      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
1213980795.181      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
1213980906.136      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html/
------------------------------------------------------------------------
    And in my browser show that the URL could not be recovered and its 
URL is invalid.

    What can I do to solve this problem?

-- 
Att,

NATANIEL KLUG
nata at cnett.com.br

LEIA O DIA-A-DIA DO NATA
http://nataklug.blogspot.com/

Cyber Nett - Internet Banda Larga
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... também os sábios possuem coração tangível e podem, por vezes, usar da ciência como meio de demonstrar impressões sentimentais de que muitos não os julgam suscetíveis."
Visconde de Taunay

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20080620/bb01c6cf/attachment.htm 