[tproxy] Configuring Squid + TPROXY using iptables 1.4

Nataniel Klug nata at cnett.com.br
Fri Jun 20 21:42:45 CEST 2008


People,

Using a tip from Pablo it worked in the below layout. I will try it for 
real tomorrow. Hope it works!

Nataniel Klug wrote:
>     People,
>
>     After a long time waiting to implement this solution I came here 
> to ask how can I configure the redirection from iptables to squid. My 
> squid.conf has this line:
>
> http_port 3128 tproxy
>
>     It starts ok. For a test I have made this "transparent" and made a 
> rule on iptables (iptables -t nat -A PREROUTING -s .... -p tcp -m tcp 
> --dport 80 -j REDIRECT --to-ports 3128) and it works fine. It is 
> really getting stuff and putting it into cache (TCP_HIT). So, my network 
> layout (for testing purposes only) is:
>
> [ internet ] --- [ router ] --- [ cache ] --- [ me ]
>
> "me" network: 10.0.0.0/24 (me = .2 and cache = .1)
> "cache" network: 192.168.1.0/24 (cache = .9 and router = .1)
>
>     This is a fine layout to work as a transparent proxy (using 
> transparent). My router makes a route to 10.0.0.0/24 through cache, like:
>
> route add -net 10.0.0.0/24 gw 192.168.1.9
>
>     And in this router I am masquerading this network.
>
>     I don't know if in this layout I can make this work so, I have 
> made this script (based on README from tproxy):
> ------------------------------------------------------------------------
> #!/bin/bash
>
> IP="/sbin/ip"
> IPT="/sbin/iptables"
>
> PROXY_PT="3128"
> PROXY_MK="1"
>
> #----
> # Create the routing rules that redirect the packets
> # marked by iptables
> #----
> $IP rule add fwmark $PROXY_MK lookup 100
> $IP route add local 0.0.0.0/0 dev lo table 100
>
> #----
> # Create the iptables rules
> #----
> $IPT -t mangle -F
> $IPT -t mangle -N DIVERT
> $IPT -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> $IPT -t mangle -A DIVERT -j MARK --set-mark 1
> $IPT -t mangle -A DIVERT -j ACCEPT
>
> #----
> # Mark the packets destined for the cache
> #----
> $IPT -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $PROXY_PT
> ------------------------------------------------------------------------
>     This script is running as the box boots. When I start the cache it 
> works fine but when I try to open a website squid access.log shows this:
> ------------------------------------------------------------------------
> 1213980761.622      0 10.0.0.2 NONE/400 1497 GET /mrtg/trafego.php - NONE/- text/html
> 1213980783.535      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
> 1213980783.654      0 10.0.0.2 NONE/400 1487 GET /favicon.ico - NONE/- text/html
> 1213980794.052      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
> 1213980794.661      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
> 1213980795.181      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
> 1213980906.136      0 10.0.0.2 NONE/400 1465 GET / - NONE/- text/html
> ------------------------------------------------------------------------
>     And my browser shows that the URL could not be recovered and that the 
> URL is invalid.
>
>     What can I do to solve this problem?

-- 
Att,

NATANIEL KLUG
nata at cnett.com.br

READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise, too, have a tangible heart and can, at times, use science as a means of expressing sentimental impressions of which many do not judge them capable."
Visconde de Taunay
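
Added example, not part of the original post and not the tip referred to above: an offline consistency check for the pieces the quoted script sets up (TPROXY rule, DIVERT mark, fwmark policy rule, local route, squid http_port option). The function names and the sample inputs are constructed for illustration; the sample text assumes the output shape of current `iptables-save` and `ip` tools.

```shell
#!/bin/sh
# Added example, not from the original post. Audits captured text, so it runs
# offline: `iptables-save -t mangle`, `ip rule show`, `ip route show table N`
# and squid.conf. Marks are compared as printed (assumed 0x-prefixed hex).

# first_match <text> <BRE with one group>: print the first captured group.
first_match() { printf '%s\n' "$1" | sed -n "s/$2/\\1/p" | sed -n '1p'; }

# audit_tproxy <mangle> <ip_rules> <table_routes> <squid_conf>
# Prints one line per problem; returns 0 only when nothing is wrong.
audit_tproxy() {
    mangle=$1 rules=$2 routes=$3 squid=$4 bad=0
    port=$(first_match "$mangle" '.*-j TPROXY.*--on-port \([0-9][0-9]*\).*')
    mark=$(first_match "$mangle" '.*-j TPROXY.*--tproxy-mark \(0x[0-9a-f]*\).*')
    if [ -z "$port" ] || [ -z "$mark" ]; then
        echo "mangle: no TPROXY rule with --on-port and --tproxy-mark"; return 1
    fi
    case $mangle in
        *"-m socket"*"-j TPROXY"*) ;;
        *) echo "mangle: no '-m socket' rule ahead of the TPROXY rule"; bad=1 ;;
    esac
    dmark=$(first_match "$mangle" '.*-A DIVERT .*--set-x\{0,1\}mark \(0x[0-9a-f]*\).*')
    [ "$dmark" = "$mark" ] || { echo "mangle: DIVERT sets '$dmark', TPROXY marks $mark"; bad=1; }
    table=$(first_match "$rules" ".*fwmark ${mark}[^0-9a-f].*lookup \([^ ]*\).*")
    [ -n "$table" ] || { echo "ip rule: fwmark $mark is not sent to any table"; bad=1; }
    case $routes in
        *"local default dev lo"*) ;;
        *) echo "ip route: table ${table:-?} lacks 'local default dev lo'"; bad=1 ;;
    esac
    opts=$(printf '%s\n' "$squid" | sed -n \
        "s/^[[:space:]]*http_port[[:space:]]\{1,\}\([^[:space:]]*:\)\{0,1\}${port}\([[:space:]].*\)\$/\2/p")
    case $opts in
        *tproxy*) ;;
        *) echo "squid.conf: no 'http_port $port' line with the tproxy option"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample input matching the rules in the posted script.
MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
IPRULES='32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
ROUTES='local default dev lo scope host'

audit_tproxy "$MANGLE" "$IPRULES" "$ROUTES" 'http_port 3128 tproxy' && echo "consistent"
audit_tproxy "$MANGLE" "$IPRULES" "$ROUTES" 'http_port 3128 transparent' || true
```

On a live box the four arguments would come from the real commands named in the header comment instead of the sample strings.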
