[tproxy] Squid 3.1 + Tproxy 4.1 in Bridge Mode

Laszlo Attila Toth panther at balabit.hu
Thu Jun 11 10:23:24 CEST 2009


Hi,

renato at univem.edu.br wrote:
> Hello!
> 
> First of all, thanks for your effort and great work in providing the Open
> Source community with this software.
> I've been using TPROXY with Squid 3.1 and 2.6 kernel for some time in
> Layer-3/routed firewalls without problems at all.
> Today, I'm trying to use it in a Bridged firewall, with kernel 2.6.30
> (patched with L7-filter only), iptables-1.4.3.2 and
> squid-3.1.0.8-20090610. The Linux distribution is Slackware 12.2 with gcc
> 4.3.3 and libcap 2.14.
> 
> In the kernel, I have configured:
> 
> CONFIG_SECURITY_FILE_CAPABILITIES
> CONFIG_NETFILTER_TPROXY
> CONFIG_NETFILTER_XT_TARGET_TPROXY
> CONFIG_NETFILTER_XT_MATCH_SOCKET
> NF_CONNTRACK
> 
> My bridge interface (br0) is eth0 (Internet) + eth1 (Intranet) and the br0
> virtual interface has a routed IP. The bridge is located between the
> users' switch and the Internet router.
> 
> SQUID was compiled with these options:
> 
> Squid Cache: Version 3.1.0.8-20090610
> configure options:  '--enable-linux-netfilter' '--enable-http-violations'
> '--enable-async-io=8' '--enable-useragent-log' '--enable-cache-digests'
> '--enable-follow-x-forwarded-for' '--enable-storeio=aufs'
> '--enable-removal-policies=heap,lru' '--with-maxfd=16384' '--enable-poll'
> '--with-filedescriptors=16384' '--disable-ident-lookups'
> '--enable-zph-qos' '--enable-truncate' '--with-pthreads'
> '--with-large-files' '--enable-ssl' '--with-openssl=/usr/include/openssl/'
> '--disable-htcp' '--enable-inline' '--enable-delay-pools'
> '--enable-underscores' '--enable-icap-client' '--with-default-user=squid'
> '--enable-ltdl-convenience' 'CFLAGS=-march=core2 -O3 -pipe
> -fomit-frame-pointer -DNUMTHREADS=60 -funroll-loops -mfpmath=sse
> -ffast-math -fno-exceptions' 'CXXFLAGS='
> --with-squid=/home/sources/SQUID/squid-3.1.0.8-20090610
> 
> And in squid.conf, I have the important:
> 
> http_port 3128
> http_port 3129 tproxy
> 
> I'm using the same rules as I use in the other server:
> 
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
> 0x1/0x1 --on-port 3129
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> The users can surf the Internet, but they are not redirected to the proxy.
> The same configuration works in 3 other servers, but routed. I did a lot
> of research in Google and TPROXY-related lists, and saw that other friends
> are having the same problem, but I could not find any post with a
> solution. I tried a lot of combinations with ebtables, physdev iptables
> modules, etc., but if you could point me in the right direction, I would
> appreciate it very much!
> 

IIRC the following commands solve this problem:

# In the broute table, "redirect --redirect-target DROP" does not drop the frame:
# it rewrites the destination MAC to the bridge's own and hands the frame to the
# IP stack (routing) instead of bridging it, so the mangle PREROUTING TPROXY
# rule gets to see it. -i is the interface the client frames arrive on.
ebtables -t broute -A BROUTING -i eth0 -p ipv4 \
  --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP


# Turn off bridge-netfilter (bridge-nf-call-iptables and friends) so bridged
# frames are no longer passed through iptables on the bridge path.
cd /proc/sys/net/bridge/
for i in *
do
  echo 0 > "$i"
done
unset i



--
Attila
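As an added example (not code from the thread or from either poster), the POSIX shell script below audits the three things the bridge-mode fix above depends on: all net.bridge.* sysctls at 0, a BROUTING rule that routes inbound TCP/80 frames, and the socket-match DIVERT rule ahead of the TPROXY rule in mangle PREROUTING. Each check takes command output as an argument so it can run offline against the constructed samples embedded in the script; the `--live` mode, the assumed output formats of `sysctl -a`, `ebtables -t broute -L` and `iptables-save -t mangle`, and the sample contents are all assumptions, not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit the bridge-mode TPROXY
# prerequisites. Checks take command output as $1 so they run against the
# constructed samples below; "--live" (assumed option) feeds the real commands.

# 1. Every net.bridge.* sysctl (bridge-nf-call-iptables etc.) should be 0, so
#    bridged frames are not handed to iptables. Input: "key = value" lines.
bridge_nf_all_zero() {
    if printf '%s\n' "$1" | awk -F'=' '
        /^net\.bridge\./ { v = $2; gsub(/[ \t]/, "", v); if (v != "0") bad++ }
        END { if (bad > 0) exit 1; exit 0 }'
    then return 0; else return 1; fi
}

# 2. The broute table must route, not bridge, inbound TCP/80 frames: in BROUTING,
#    "redirect --redirect-target DROP" means "hand the frame to the IP stack".
#    Input: output of `ebtables -t broute -L` (format assumed).
broute_routes_http() {
    if printf '%s\n' "$1" | grep -q -- '--ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP'
    then return 0; else return 1; fi
}

# 3. In mangle PREROUTING the "-m socket -j DIVERT" rule comes before the TPROXY
#    rule, as in the ruleset quoted in the thread. Input: `iptables-save -t mangle`.
mangle_tproxy_ordered() {
    numbered=$(printf '%s\n' "$1" | grep -n -- '-A PREROUTING') || true
    divert_at=$(printf '%s\n' "$numbered" | grep -- '-m socket -j DIVERT' | head -n 1 | cut -d: -f1)
    tproxy_at=$(printf '%s\n' "$numbered" | grep -- '-j TPROXY' | head -n 1 | cut -d: -f1)
    if [ -n "$divert_at" ] && [ -n "$tproxy_at" ] && [ "$divert_at" -lt "$tproxy_at" ]
    then return 0; else return 1; fi
}

# Constructed sample outputs: a correctly configured box, plus broken variants.
SYSCTL_OK='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0'
SYSCTL_BAD='net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 0'

EBTABLES_OK='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP'
EBTABLES_EMPTY='Bridge table: broute

Bridge chain: BROUTING, entries: 0, policy: ACCEPT'

MANGLE_OK='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
MANGLE_REVERSED='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Print a PASS/FAIL line for one check and pass its status through.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; return 0; else echo "FAIL $label"; return 1; fi
}

if [ "${1:-}" = "--live" ]; then
    # Needs root on the bridge host; runs the checks on the real command output.
    report "bridge-nf sysctls all 0"     bridge_nf_all_zero "$(sysctl -a 2>/dev/null | grep '^net\.bridge\.')"
    report "broute routes tcp/80"        broute_routes_http "$(ebtables -t broute -L)"
    report "mangle DIVERT before TPROXY" mangle_tproxy_ordered "$(iptables-save -t mangle)"
else
    report "sample: bridge-nf sysctls all 0"     bridge_nf_all_zero "$SYSCTL_OK"
    report "sample: broute routes tcp/80"        broute_routes_http "$EBTABLES_OK"
    report "sample: mangle DIVERT before TPROXY" mangle_tproxy_ordered "$MANGLE_OK"
fi
```

Without arguments the script only exercises the constructed samples; `sh audit.sh --live` on the bridge host runs the same three checks against the real sysctl, ebtables and iptables-save output, which is the quickest way to see which of the three prerequisites is missing when clients are still not being intercepted.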

