[tproxy] TPROXY but without bridging?
Laszlo Attila Toth
panther at balabit.hu
Mon Mar 31 16:51:50 CEST 2008
Hi,
Ming-Ching Tiew wrote:
> admin at abp.pl wrote:
>> Hello,
>>
>> I'm using Squid Cache: Version 2.6.STABLE18
>>
>> Is there posibility to use it as fully transprent proxy (with tproxy) but
>> without bridging interfaces?
>>
>> My topology:
>>
>> [router 0]---[Internet]
>> |
>> |
>> [===switch=======================]
>> | | |
>> [squid] [ router a ][ router b ] .....
>>
>> to routers a,b... are connected clients. On that routers I have DNAT
>> --to-destiation squid:80
>>
>> On squid machine i have 2.6.25-rc7 kernel and Squid with patches from
>> http://people.balabit.hu/panther/tproxy/.
The official site is http://www.balabit.com/downloads/files/tproxy/, any
other address is used for development.
The latest squid patch, for version 3 is the following:
http://www.balabit.com/downloads/files/tproxy/tproxy-squid-3-20080401.patch
It is not yet finished (the outgoing packets have the squid's IP address
and not the client's).
>>
>> And:
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>> --tproxy-mark 0x1/0x1 -on-port 3128
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> squid.conf:
>> ..
>> http_port 3128 transparent tproxy
In squid.conf use the following:
http_port 3128 tproxy
No more change is necessary (except ACL).
>>
>> When I test this configuration webservers logs connection from clients
>> from routers a,b... with ip of squid machine. So tproxy doesnt' work.
>>
>> Can I fix it?
The patch doesn't resolve this problem yet, sorry.
>>
>> PS. It's urgent for me, please help;)
>> Regards,
>> Tomasz
>>
>>
> Well among all things you have at least gotten to patch
> the 2.6.25-rc7 kernel. Good ! That's a big step better than
> just ***STARE*** at the patch and refuse to use use it and
> then start asking all sorts of question about where is the
> correct patch !
>
> :-)
... and for which kernel version. Earlier than 2.6.22 will not be
supported. But I'm not sure which kernels are used because I have to
backport tproxy for them.
--
Panther
More information about the tproxy
mailing list