[tproxy] TPROXY 4

Farhad Ibragimov inara.ibragimova at gmail.com
Mon Aug 31 11:33:40 CEST 2009


 I am having some trouble redirecting port 80 traffic to 3129 using
 tproxy for transparent proxying.
 The client's SYNs come in and Squid answers them, but the SYNs that
 Squid then sends towards the origin server with the spoofed client
 source address get no SYN-ACK back (see the tcpdump capture below:
 the handshake with 85.132.32.34:80 completes, while the SYNs from
 85.132.32.40:42747 to 194.87.0.50:80 are retransmitted without reply).

 Please help me !!!!!

 My server has only one single interface with a global IP address, which
 connects directly to the internet. (Note: with the spoofed source
 address, the origin server's replies are presumably routed back to the
 real client rather than to this host, so they never reach the proxy
 unless the proxy sits on the return path — this is worth confirming
 against the topology.)



> Detailed information from my server

> #######################################################################
> ###############
>  Squid Cache: Version 3.1.0.13
> configure options:  '--enable-linux-netfilter' '--prefix=/squid/'
> --with-squid=/src/squid-3.1.0.13 --enable-ltdl-convenience
> [root at proxymain sysconfig]# cat /squid/etc/squid.conf
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl test src 85.132.47.0/24
> acl test2 src 85.132.32.0/24
> acl test3 src 62.212.227.0/24
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 3129
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow test
> http_access allow test2
> http_access allow test3
> http_access deny all
> http_port 3128
> http_port 3129 tproxy 
> hierarchy_stoplist cgi-bin ?
> coredump_dir /squid/var/cache
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname proxymain
> cache_dir ufs /cache 6000 16 256
> ######################################################################
> [root at proxymain sysconfig]# iptables -V   (DOWNLOADED FROM
> NETFILTER.ORG - NOT PATCHED)
> iptables v1.4.3
> #######################################################################
> root at proxymain sysconfig]# uname -a   (DOWNLOADED FROM KERNEL.ORG -
> WITHOUT ANY PATCHES FROM BALABIT)
> Linux  2.6.30.5-second #1 SMP Sun Aug 30 22:45:27 AZST 2009 x86_64 x86_64 x86_64 GNU/Linux
> #######################################################################
> Chain PREROUTING (policy ACCEPT)

> target     prot opt source               destination         
> DIVERT     tcp  --  anywhere             anywhere            socket 
> TPROXY     tcp  --  anywhere             anywhere            tcp
> dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         

> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         

> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         

> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination         

> Chain DIVERT (1 references)
> target     prot opt source               destination         
> MARK       all  --  anywhere             anywhere            MARK xset 0x1/0xffffffff
> ACCEPT     all  --  anywhere             anywhere
> #######################################################################

> [root at proxymain sysconfig]# ip rule ls
> 0:      from all lookup 255 
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main 
> 32767:  from all lookup default
> #####################################################################
> [root at proxymain sysconfig]# ip route ls table 100
> local default dev lo  scope host
> #####################################################################

> [root at proxymain sysconfig]# lsmod | egrep "xt|nf"
> nf_nat                 18924  1 iptable_nat
> nf_conntrack_ipv4      14448  3 iptable_nat,nf_nat
> xt_TPROXY               2616  1 
> xt_tcpudp               3544  1 
> xt_MARK                 3064  1 
> xt_socket               2904  1 
> nf_tproxy_core          3160  2 xt_TPROXY,xt_socket,[permanent]
> nf_conntrack           68208  4
> iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> nf_defrag_ipv4          2456  3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
> x_tables               22624  6
> iptable_nat,ip_tables,xt_TPROXY,xt_tcpudp,xt_MARK,xt_socket
> i2c_nforce2             7768  0 
> i2c_core               25568  1 i2c_nforce2
> ext3                  123528  2 
> jbd                    46848  1 ext3
> 
> ######################################################################
> [root at proxymain sysconfig]# tcpdump -nn -i eth0 port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S
> 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
> 00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S
> 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
> 00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
> 00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 win 65535
> 00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . ack 413 win 6432
> 00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
> 00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
> 00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
> 00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 0,nop,wscale 7>
> #######################################################################
> ##
> 2009/08/30 23:31:56| Starting Squid Cache version 3.1.0.13 for x86_64-unknown-linux-gnu...
> 2009/08/30 23:31:56| Process ID 12787
> 2009/08/30 23:31:56| With 1024 file descriptors available
> 2009/08/30 23:31:56| Initializing IP Cache...
> 2009/08/30 23:31:56| DNS Socket created at 0.0.0.0, FD 7
> 2009/08/30 23:31:56| Adding domain caspel.com from /etc/resolv.conf
> 2009/08/30 23:31:56| Adding nameserver 85.132.32.41 from /etc/resolv.conf
> 2009/08/30 23:31:56| Adding nameserver 85.132.32.42 from /etc/resolv.conf
> 2009/08/30 23:31:56| Unlinkd pipe opened on FD 12
> 2009/08/30 23:31:56| Store logging disabled
> 2009/08/30 23:31:56| Swap maxSize 6144000 + 262144 KB, estimated 492780 objects
> 2009/08/30 23:31:56| Target number of buckets: 24639
> 2009/08/30 23:31:56| Using 32768 Store buckets
> 2009/08/30 23:31:56| Max Mem  size: 262144 KB
> 2009/08/30 23:31:56| Max Swap size: 6144000 KB
> 2009/08/30 23:31:56| Version 1 of swap file without LFS support detected...
> 2009/08/30 23:31:56| Rebuilding storage in /cache (CLEAN)
> 2009/08/30 23:31:56| Using Least Load store dir selection
> 2009/08/30 23:31:56| Set Current Directory to /squid/var/cache
> 2009/08/30 23:31:56| Loaded Icons.
> 2009/08/30 23:31:56| Accepting  HTTP connections at 0.0.0.0:3128, FD 15.
> 2009/08/30 23:31:56| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 16.
> 2009/08/30 23:31:56| HTCP Disabled.
> 2009/08/30 23:31:56| Squid modules loaded: 0
> 2009/08/30 23:31:56| Ready to serve requests.
> 2009/08/30 23:31:56| Done reading /cache swaplog (0 entries)
> 2009/08/30 23:31:56| Finished rebuilding storage from disk.
> 2009/08/30 23:31:56|         0 Entries scanned
> 2009/08/30 23:31:56|         0 Invalid entries.
> 2009/08/30 23:31:56|         0 With invalid flags.
> 2009/08/30 23:31:56|         0 Objects loaded.
> 2009/08/30 23:31:56|         0 Objects expired.
> 2009/08/30 23:31:56|         0 Objects cancelled.
> 2009/08/30 23:31:56|         0 Duplicate URLs purged.
> 2009/08/30 23:31:56|         0 Swapfile clashes avoided.
> 2009/08/30 23:31:56|   Took 0.01 seconds (  0.00 objects/sec).
> 2009/08/30 23:31:56| Beginning Validation Procedure
> 2009/08/30 23:31:56|   Completed Validation Procedure
> 2009/08/30 23:31:56|   Validated 25 Entries
> 2009/08/30 23:31:56|   store_swap_size = 0
> 2009/08/30 23:31:57| storeLateRelease: released 0 objects
> [root at proxymain sysconfig]#

> 1251655621.226 155982 85.132.32.40 TCP_MISS/503 4143 GET
> http://www.squid-cache.org/Artwork/SN.png -
> DIRECT/www.squid-cache.org text/html
> 1251655621.226 107693 85.132.47.219 TCP_MISS/503 4151 GET
> http://www.squid-cache.org/Artwork/SN.png -
> DIRECT/www.squid-cache.org text/html
> 1251655621.230      0 85.132.32.40 TCP_MISS/503 4143 GET
> http://www.squid-cache.org/Artwork/SN.png -
> DIRECT/www.squid-cache.org text/html
> 1251655646.107   6457 85.132.47.219 TCP_MISS/000 0 GET
> http://www.google.az/ - DIRECT/www.google.az -
> 1251655658.226  60014 85.132.47.219 TCP_MISS/504 4510 POST
> http://safebrowsing.clients.google.com/safebrowsing/downloads? -
> DIRECT/safebrowsing.clients.google.com text/html
> 1251656346.912  21227 85.132.32.40 TCP_MISS/000 0 GET
> http://194.87.0.50/ - DIRECT/194.87.0.50 -
> 1251656526.724 179798 85.132.32.40 TCP_MISS/504 3977 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251656586.724  59968 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251656867.544  88637 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657043.812 176266 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657101.539  60109 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657207.136  64675 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657387.522 180384 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657567.525 179983 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251657569.936   9407 85.132.47.219 TCP_MISS/000 0 GET
> http://85.132.32.34/ - DIRECT/85.132.32.34 -
> 1251657725.527 180669 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657905.534 179988 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251658194.669 112560 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251658283.066  88394 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251658463.543 180476 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251658643.547 179986 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251659072.554  60493 85.132.32.40 TCP_MISS/504 4473 POST
> http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/74.125.87.100 text/html
> 1251659703.563 181155 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html



-- 
Best regards,
 Farhad                            mailto:inara.ibragimova at gmail.com


