[tproxy] [SOLVED] Re: Squid 3.1 + Tproxy 4.1 in Bridge Mode

renato at univem.edu.br renato at univem.edu.br
Thu Jun 11 16:34:02 CEST 2009


Hello, Attila!

Thanks for your fast reply! My users are now all being redirected to the
proxy and surfing. I just needed to change the interface of the ebtables
from eth0 to eth1, as my "LAN" is connected to the eth1 interface and
Internet to the eth0. The only strange thing is that squid is not caching
anything, everything is being "RELEASED" in cache.log, but I'm sure it's
a squid configuration issue, not TPROXY...

I'll try to pass this information forward to the people I read in several
forums asking about TPROXY and bridging mode.

You made my day! Thanks again!!

> Hi,
>
> renato at univem.edu.br wrote:
>> Hello!
>>
>> First of all, thanks for your effort and great work in providing the
>> Open
>> Source community with this software.
>> I've been using TPROXY with Squid 3.1 and 2.6 kernel for some time in
>> Layer-3/routed firewalls without problems at all.
>> Today, I'm trying to use it in a Bridged firewall, with kernel 2.6.30
>> (patches with L7-filter only), iptables-1.4.3.2 and
>> squid-3.1.0.8-20090610. The Linux distribution is Slackware 12.2 with
>> gcc
>> 4.3.3 and libcap 2.14.
>>
>> In the kernel, I have configured:
>>
>> CONFIG_SECURITY_FILE_CAPABILITIES
>> CONFIG_NETFILTER_TPROXY
>> CONFIG_NETFILTER_XT_TARGET_TPROXY
>> CONFIG_NETFILTER_XT_MATCH_SOCKET
>> NF_CONNTRACK
>>
>> My bridge interface (br0) is eth0 (Internet) + eth1 (Intranet) and the
>> br0
>> virtual interface have a routed IP. The bridge is located between the
>> user's switch and the Internet router.
>>
>> SQUID was compiled with these options:
>>
>> Squid Cache: Version 3.1.0.8-20090610
>> configure options:  '--enable-linux-netfilter'
>> '--enable-http-violations'
>> '--enable-async-io=8' '--enable-useragent-log' '--enable-cache-digests'
>> '--enable-follow-x-forwarded-for' '--enable-storeio=aufs'
>> '--enable-removal-policies=heap,lru' '--with-maxfd=16384'
>> '--enable-poll'
>> '--with-filedescriptors=16384' '--disable-ident-lookups'
>> '--enable-zph-qos' '--enable-truncate' '--with-pthreads'
>> '--with-large-files' '--enable-ssl'
>> '--with-openssl=/usr/include/openssl/'
>> '--disable-htcp' '--enable-inline' '--enable-delay-pools'
>> '--enable-underscores' '--enable-icap-client'
>> '--with-default-user=squid'
>> '--enable-ltdl-convenience' 'CFLAGS=-march=core2 -O3 -pipe
>> -fomit-frame-pointer -DNUMTHREADS=60 -funroll-loops -mfpmath=sse
>> -ffast-math -fno-exceptions' 'CXXFLAGS='
>> --with-squid=/home/sources/SQUID/squid-3.1.0.8-20090610
>>
>> And in squid.conf, I have the important:
>>
>> http_port 3128
>> http_port 3129 tproxy
>>
>> I'm using the same rules as I use in the other server:
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark
>> 0x1/0x1 --on-port 3129
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> The users can surf the Internet, but they are not redirected to the
>> proxy.
>> The same configuration works in other 3 servers, but routed. I did a lot
>> of research in google and Tproxy related lists, and saw that other
>> friends
>> are having the same problem, but I could not read any post with a
>> solution. I tried a lot of combinations with ebtables, physdev iptables
>> modules and etc, but if you could point me in the right direction, I would
>> appreciate it very much!
>>
>
> IIRC the following commands solve this problem:
>
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 \
>   --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>
>
> cd /proc/sys/net/bridge/
> for i in *
> do
>   echo 0 > $i
> done
> unset i
>
>
>
> --
> Attila
>
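Putting the two halves of the thread together, here is an added example (not code from either poster) that assembles the bridge-mode TPROXY setup as one reviewable script, parameterised on the LAN-facing bridge port. The point the original poster tripped over is baked in: the BROUTING rule matches on the ingress port, and client requests enter the bridge from the LAN side, so that rule must name the LAN interface (eth1 here), not the Internet one. In the broute table a DROP target means "route this frame instead of bridging it", which is what hands the packet to the mangle PREROUTING chain where the TPROXY rule lives. Interface names, the proxy port and the sysctl directory are assumptions and can be overridden through the environment; the helper functions exist so the rule set and the bridge-nf state can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not part of the original thread. Consolidates the
# bridge-mode TPROXY steps discussed above. LAN_IF, PROXY_PORT and
# BRIDGE_NF_DIR are assumptions; adjust to the box in front of you.

LAN_IF="${LAN_IF:-eth1}"          # bridge port facing the clients (the fix in the thread)
PROXY_PORT="${PROXY_PORT:-3129}"  # squid's 'http_port 3129 tproxy'
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"

# Emit the rule set instead of applying it, so it can be reviewed or
# diffed against a running box first. Argument 1: LAN port, 2: proxy port.
tproxy_bridge_rules() {
    lan="$1"; port="$2"
    cat <<EOF
ebtables -t broute -A BROUTING -i $lan -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $port
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Return 0 only if every bridge-nf sysctl under the given directory reads 0,
# i.e. bridged frames are no longer also pushed through iptables (the state
# Attila's loop produces). Otherwise name each offender on stderr and return 1.
check_bridge_nf() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "bridge-nf still enabled: $f=$(cat "$f")" >&2
            rc=1
        fi
    done
    return $rc
}

# Guard against the mistake from the thread: the BROUTING rule must name the
# LAN-facing port, otherwise client traffic is bridged straight past squid.
rules_use_lan_port() {
    tproxy_bridge_rules "$1" "$2" | grep -q -- "BROUTING -i $1 "
}

if [ "$1" = "--apply" ]; then
    # Apply for real: rules, then bridge-nf off, then forwarding on.
    tproxy_bridge_rules "$LAN_IF" "$PROXY_PORT" | sh -e
    for f in "$BRIDGE_NF_DIR"/*; do echo 0 > "$f"; done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    check_bridge_nf "$BRIDGE_NF_DIR"
else
    # Default is a dry run: just print what would be applied.
    tproxy_bridge_rules "$LAN_IF" "$PROXY_PORT"
fi
```

Run it without arguments to see the rule set for review, or with `--apply` as root on the bridge. Two caveats worth knowing before blaming squid: the `/proc/sys/net/bridge` entries only exist once the bridge netfilter code is loaded, so an empty directory means the loop did nothing, and the ebtables rule only diverts port 80, so anything squid should see on other ports needs its own BROUTING line.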



