[tproxy] TPROXY but without bridging?

Laszlo Attila Toth panther at balabit.hu
Mon Mar 31 16:51:50 CEST 2008


Hi,

Ming-Ching Tiew wrote:
> admin at abp.pl wrote:
>> Hello,
>>
>> I'm using Squid Cache: Version 2.6.STABLE18
>>
>> Is there possibility to use it as fully transparent proxy (with tproxy) but
>> without bridging interfaces?
>>
>> My topology:
>>
>> [router 0]---[Internet]
>>     |
>>     |
>> [===switch=======================]
>>     |           |           |
>> [squid] [ router a ][ router b ] .....
>>
>> Clients are connected to routers a, b, .... On those routers I have DNAT
>> --to-destination squid:80
>>
>> On squid machine I have 2.6.25-rc7 kernel and Squid with patches from
>> http://people.balabit.hu/panther/tproxy/.

The official site is http://www.balabit.com/downloads/files/tproxy/, any 
other address is used for development.

The latest squid patch, for version 3 is the following:

http://www.balabit.com/downloads/files/tproxy/tproxy-squid-3-20080401.patch

It is not yet finished (the outgoing packets have the squid's IP address 
and not the client's).

>>
>> And:
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>>                   --tproxy-mark 0x1/0x1 --on-port 3128
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> squid.conf:
>> ..
>> http_port 3128 transparent tproxy


In squid.conf use the following:

http_port 3128 tproxy

No more change is necessary (except ACL).

>>
>> When I test this configuration webservers log connections from clients
>> from routers a, b... with the IP of the squid machine. So tproxy doesn't work.
>>
>> Can I fix it?

The patch doesn't resolve this problem yet, sorry.

>>
>> PS. It's urgent for me, please help;)
>> Regards,
>> Tomasz
>>
> Well among all things you have at least gotten to patch
> the 2.6.25-rc7 kernel. Good! That's a big step better than
> just ***STARE*** at the patch and refuse to use it and
> then start asking all sorts of questions about where is the
> correct patch!
> 
> :-)

... and for which kernel version. Earlier than 2.6.22 will not be 
supported. But I'm not sure which kernels are used because I have to 
backport tproxy for them.


--
Panther
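The ruleset quoted in the message (DIVERT chain, TPROXY rule, fwmark policy route), as an added example that is not part of the thread or of the tproxy project: one script with apply, remove and verify modes, plus a DRY_RUN switch that prints the commands instead of executing them. Assumptions not stated on the page: the script runs as root on the squid host, fwmark 0x1 and routing table 100 are otherwise unused, and iptables carries the TPROXY target and socket match from the tproxy patches. Note that, as the reply above says, the squid-3 patch of that date still sends outgoing connections from squid's own address, so a passing verify step does not by itself mean web servers will log client addresses.

```shell
#!/bin/sh
# Added example (not from the thread): the TPROXY ruleset quoted in the
# message as an idempotent script with apply/remove/verify modes.
# Assumptions not on the page: runs as root on the squid host, fwmark 0x1
# and routing table 100 are free, and iptables has the TPROXY target and
# the socket match from the tproxy kernel patches.
# DRY_RUN=1 prints the commands instead of executing them.

SQUID_PORT="${SQUID_PORT:-3128}"   # port from "http_port 3128 tproxy"
MARK="${MARK:-0x1}"                # fwmark carried by diverted packets
TABLE="${TABLE:-100}"              # policy routing table for local delivery

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The DIVERT chain marks packets that already belong to a local socket, so
# later packets of an intercepted connection keep reaching the proxy; the
# TPROXY rule steers new port-80 connections to squid's listening port
# without rewriting the destination address (unlike DNAT/REDIRECT).
tproxy_apply() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK/$MARK" --on-port "$SQUID_PORT"
    # Marked packets are looked up in the extra table, which delivers every
    # destination locally; without it the kernel would forward them.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Undo in reverse order so a failed step leaves nothing dangling.
tproxy_remove() {
    run ip route del local 0.0.0.0/0 dev lo table "$TABLE"
    run ip rule del fwmark "$MARK" lookup "$TABLE"
    run iptables -t mangle -D PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK/$MARK" --on-port "$SQUID_PORT"
    run iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -F DIVERT
    run iptables -t mangle -X DIVERT
}

# Sanity check of the live state: the policy rule, the local route and the
# TPROXY rule must all be present. Returns non-zero if any is missing.
tproxy_verify() {
    ip rule show | grep -q "fwmark $MARK lookup $TABLE" \
        || { echo "missing ip rule for fwmark $MARK"; return 1; }
    ip route show table "$TABLE" | grep -q '^local ' \
        || { echo "missing local route in table $TABLE"; return 1; }
    iptables -t mangle -S PREROUTING | grep -q -- "--on-port $SQUID_PORT" \
        || { echo "missing TPROXY rule for port $SQUID_PORT"; return 1; }
    echo "tproxy ruleset present"
}

case "${1:-}" in
    apply)  tproxy_apply ;;
    remove) tproxy_remove ;;
    verify) tproxy_verify ;;
esac
```

Usage: `DRY_RUN=1 sh tproxy.sh apply` to review the exact commands first, then `sh tproxy.sh apply` followed by `sh tproxy.sh verify`; `sh tproxy.sh remove` restores the previous state. The socket-match rule is appended before the TPROXY rule so that packets of already-established proxied connections are diverted by their socket rather than re-evaluated against the port-80 rule.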
