[tproxy] Squid 3.1 + Tproxy 4.1 in Bridge Mode

renato at univem.edu.br
Thu Jun 11 09:12:25 CEST 2009


Hello!

First of all, thanks for your effort and great work in providing the Open
Source community with this software.
I've been using TPROXY with Squid 3.1 and a 2.6 kernel for some time in
Layer-3/routed firewalls without problems at all.
Today, I'm trying to use it in a Bridged firewall, with kernel 2.6.30
(patches with L7-filter only), iptables-1.4.3.2 and
squid-3.1.0.8-20090610. The Linux distribution is Slackware 12.2 with gcc
4.3.3 and libcap 2.14.

In the kernel, I have configured:

CONFIG_SECURITY_FILE_CAPABILITIES
CONFIG_NETFILTER_TPROXY
CONFIG_NETFILTER_XT_TARGET_TPROXY
CONFIG_NETFILTER_XT_MATCH_SOCKET
NF_CONNTRACK

My bridge interface (br0) is eth0 (Internet) + eth1 (Intranet) and the br0
virtual interface has a routed IP. The bridge is located between the
user's switch and the Internet router.

SQUID was compiled with these options:

Squid Cache: Version 3.1.0.8-20090610
configure options:  '--enable-linux-netfilter' '--enable-http-violations'
'--enable-async-io=8' '--enable-useragent-log' '--enable-cache-digests'
'--enable-follow-x-forwarded-for' '--enable-storeio=aufs'
'--enable-removal-policies=heap,lru' '--with-maxfd=16384' '--enable-poll'
'--with-filedescriptors=16384' '--disable-ident-lookups'
'--enable-zph-qos' '--enable-truncate' '--with-pthreads'
'--with-large-files' '--enable-ssl' '--with-openssl=/usr/include/openssl/'
'--disable-htcp' '--enable-inline' '--enable-delay-pools'
'--enable-underscores' '--enable-icap-client' '--with-default-user=squid'
'--enable-ltdl-convenience' 'CFLAGS=-march=core2 -O3 -pipe
-fomit-frame-pointer -DNUMTHREADS=60 -funroll-loops -mfpmath=sse
-ffast-math -fno-exceptions' 'CXXFLAGS='
--with-squid=/home/sources/SQUID/squid-3.1.0.8-20090610

And in squid.conf, I have the important lines:

http_port 3128
http_port 3129 tproxy

I'm using the same rules as I use in the other server:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 1 > /proc/sys/net/ipv4/ip_forward

The users can surf the Internet, but they are not redirected to the proxy.
The same configuration works on 3 other servers, but routed. I did a lot
of research on Google and Tproxy-related lists, and saw that other friends
are having the same problem, but I could not read any post with a
solution. I tried a lot of combinations with ebtables, physdev iptables
modules, etc., but if you could point me in the right direction, I would
appreciate it very much!

Do I have to go back to the tproxy2 when using Bridge mode?

Thank you very much for your time and attention!
If I forgot any important information, please let me know!

Thanks!!
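
A consistency check over the configuration quoted in the post, as an added example that is not part of the original message: it confirms that the mark, the routing table and the port agree across the iptables rules, the ip commands and squid.conf. The names check_tproxy, opt and num are made up for this example, the sample strings are constructed from the lines above, and the check does not look at bridging.

```python
import shlex

# Constructed sample input: the commands and squid.conf lines quoted in the post.
IPTABLES = """\
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
"""
IPCMDS = "ip rule add fwmark 1 lookup 100\nip route add local 0.0.0.0/0 dev lo table 100\n"
SQUID = "http_port 3128\nhttp_port 3129 tproxy\n"

def opt(tokens, flag):
    """Value following `flag` in a token list, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def num(text):
    """Parse '1', '0x1' or '0x1/0x1' (value/mask) into the integer value."""
    return int(text.split("/")[0], 0)

def check_tproxy(iptables_text, ip_text, squid_text):
    """Return a list of mismatches between the three pieces of configuration."""
    rules = [shlex.split(l) for l in iptables_text.splitlines() if l.strip()]
    pre = [r for r in rules if opt(r, "-A") == "PREROUTING"]
    tp = next((r for r in pre if opt(r, "-j") == "TPROXY"), None)
    if tp is None or not opt(tp, "--tproxy-mark") or not opt(tp, "--on-port"):
        return ["no complete TPROXY rule in PREROUTING"]
    mark, port, problems = num(opt(tp, "--tproxy-mark")), opt(tp, "--on-port"), []
    # Packets of already-intercepted connections must hit -m socket first.
    if not any("socket" in r for r in pre[:pre.index(tp)]):
        problems.append("no '-m socket' rule ahead of the TPROXY rule")
    if mark not in {num(opt(r, "--set-mark")) for r in rules if opt(r, "--set-mark")}:
        problems.append("no MARK --set-mark equal to --tproxy-mark")
    cmds = [l.split() for l in ip_text.splitlines() if l.strip()]
    tables = {opt(c, "lookup") or opt(c, "table") for c in cmds
              if c[:2] == ["ip", "rule"] and num(opt(c, "fwmark") or "-1") == mark}
    tables.discard(None)
    if not tables:
        problems.append("no ip rule for fwmark %d" % mark)
    if not any(c[:2] == ["ip", "route"] and "local" in c and opt(c, "table") in tables
               for c in cmds):
        problems.append("no local route in the table selected by the fwmark rule")
    if not any(l.split()[:2] == ["http_port", port] and "tproxy" in l.split()
               for l in squid_text.splitlines()):
        problems.append("squid.conf has no 'http_port %s tproxy'" % port)
    return problems

if __name__ == "__main__":
    print(check_tproxy(IPTABLES, IPCMDS, SQUID) or "consistent")
```

An empty result for the posted rules means only that the three pieces agree with one another, which matches the report that the same configuration works on the routed servers.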


