[tproxy] help with tproxy.

Marco Clocchiatti ziapannocchia at gmail.com
Wed Aug 19 11:10:52 CEST 2009


I want to set up tproxy in my local net.
I studied your howto: http://wiki.squid-cache.org/Features/Tproxy4
but I don't understand how to adapt it to my setup.
I'm using squid-3.1.0.13_beta, iptables-1.4.3.2 and kernel 2.6.30 from
a Gentoo distribution.

I have a linear net topology:

internet <----> 192.168.1.1 adsl router <----> 192.168.1.12 proxy
server 192.168.0.12 <----> 192.168.0.13 local_client

this is the routing table for the client:

local_client ~ # route -en
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
0.0.0.0         192.168.0.12    0.0.0.0         UG        0 0          0 eth0

and this one for the proxy server:

proxy_server ~ # ip route list table all
local default dev lo  table 100  scope host
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.12
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.12
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.1.1 dev eth1
broadcast 192.168.0.255 dev eth0  table local  proto kernel  scope
link  src 192.168.0.12
broadcast 192.168.1.0 dev eth1  table local  proto kernel  scope link
src 192.168.1.12
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope
link  src 127.0.0.1
local 192.168.0.12 dev eth0  table local  proto kernel  scope host
src 192.168.0.12
broadcast 192.168.0.0 dev eth0  table local  proto kernel  scope link
src 192.168.0.12
broadcast 192.168.1.255 dev eth1  table local  proto kernel  scope
link  src 192.168.1.12
local 192.168.1.12 dev eth1  table local  proto kernel  scope host
src 192.168.1.12
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1

proxy_server ~ # ip rule
0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default

this is my squid configuration:
proxy_server ~ # grep -v ^# /etc/squid/squid.conf|grep -v ^$
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 901		# SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 tproxy
hierarchy_stoplist cgi-bin ?
cache_dir diskd /var/cache/squid 50M 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
shutdown_lifetime 2 seconds
visible_hostname proxy_server

this is my iptables conf:
proxy_server ~ # iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0           socket
TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
dpt:80 TPROXY redirect 192.168.1.12:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK xset
0x1/0xffffffff
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

the following are commands to build this conf:

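# Mangle-table rules that hand port-80 TCP traffic from the LAN to squid's
# transparent listener (http_port 3129 tproxy) plus the policy route that
# delivers the marked packets locally instead of forwarding them.
#
# DIVERT: packets for which a local socket already exists (-m socket) get
# mark 1, so that they take the same table-100 path as freshly
# intercepted packets.
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# Only intercept traffic that arrives on the LAN interface (eth0, the
# 192.168.0.0/24 side).  Without "-i eth0" every packet to port 80 that
# reaches this host -- including connections from the internet to the web
# server running here -- is redirected into squid, which is exactly the
# TCP_DENIED/403 traffic from remote hosts seen in access.log.
# NOTE(review): --on-ip 192.168.1.12 is the eth1 address while the
# intercepted packets enter on eth0; a listener bound to all addresses is
# still found, but the address of the ingress side is the usual choice --
# confirm against the Tproxy4 wiki example.
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY \
  --tproxy-mark 0x1/0x1 --on-port 3129 --on-ip 192.168.1.12

# Packets carrying mark 1 are looked up in table 100, whose single "local"
# default route makes the kernel accept any destination locally so the
# transparent socket can receive it.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# Everything that is not intercepted is plain forwarding between eth0 and
# eth1.  Nothing above touches ICMP, so a failing ping from the LAN is a
# routing question, not a tproxy one -- presumably 192.168.1.1 has no
# route back to 192.168.0.0/24 via 192.168.1.12; verify on the router.
echo 1 > /proc/sys/net/ipv4/ip_forward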

but all this does not work.
The client cannot ping anything outside 192.168.0.*:

local_client ~ # ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
87 packets transmitted, 0 received, 100% packet loss, time 85999ms

squid works, but only for internet bots that are looking at my home apache server:

proxy_server ~ # tail -n 89 /var/log/squid/access.log -n1
1250664301.462      0 66.249.67.133 TCP_DENIED/403 3771 GET
http://cloc3.dyndns.org/index.html/doku.php/22_dicembre_2008/problema4?
- NONE/- text/html

That's stupid: I want squid for the local users, not for remote hosts.

Where am I going wrong?

