[tproxy] Squid - Tproxy 4 - Two Bridges

Viktor Online viktoronline at gmail.com
Tue Oct 13 03:36:08 CEST 2009


Hello everyone, I'm trying to run the following configuration:

* Debian testing, kernel 2.6.30, iptables 1.4.4, squid 3.1.0.14, ebtables, bridge-utils, TPROXY 4

Scenario: http://img524.imageshack.us/img524/2645/twobridge.jpg


/etc/network/interfaces

#-------------------
# Bridge router1
#-------------------

auto br1
iface br1 inet static
bridge_ports eth0 eth1
address 10.1.1.2
netmask 255.255.255.0
gateway 10.1.1.1

#-------------------
# Bridge router2
#-------------------

auto br2
iface br2 inet static
bridge_ports eth2 eth3
address 20.1.1.2
netmask 255.255.255.0
gateway 20.1.1.1


/etc/rc.local

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

echo 1 > /proc/sys/net/ipv4/ip_forward

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100


/etc/squid/squid.conf

http_port 3128
http_port 3129 tproxy

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8
acl localnet src 20.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all


So far so good, except that Squid does not cache anything; the two bridges work, each going out through its own gateway, and if I run `iptables -t mangle -L -n -v` I see that the rules from rc.local are marking packets.

When I add the following lines, Squid begins to cache, but only one of the two bridges works (either one) and the other stays at 0 and cannot browse.

ebtables -t broute -I BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

ebtables -t broute -I BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

ebtables -t broute -I BROUTING -i eth3 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

ebtables -t broute -I BROUTING -i eth2 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP


Is it possible to run the two bridges, each through its own gateway, using Squid?
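The post's only diagnostic is the packet counters shown by `iptables -t mangle -L -n -v`. Below is an added helper, not from the original post or from the Squid/TPROXY projects, that sums those counters per target so you can tell whether the DIVERT and TPROXY rules are actually seeing the traffic that the ebtables broute rules are supposed to push up to the IP layer; the sample output it parses is constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original post).
# Sums the packet counters of mangle-table rules by target so you can
# see whether the DIVERT / TPROXY rules are matching any traffic.

# Constructed sample of `iptables -t mangle -L PREROUTING -n -v -x`
# output (-x prints exact counters instead of 567K-style values).
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1234 packets, 567000 bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 48720 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
  145  8700 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'

# rule_hits TEXT TARGET -> total packets counted by rules whose target
# column (field 3 of the -v listing) equals TARGET; 0 if none match.
rule_hits() {
    printf '%s\n' "$1" | awk -v t="$2" '$3 == t { n += $1 } END { print n + 0 }'
}

# tproxy_status TEXT -> "diverting" when the TPROXY rule has seen packets,
# "idle" when it has not. A permanently idle TPROXY rule means port-80
# traffic is being forwarded at layer 2 by the bridge and never reaches
# the mangle table, i.e. the ebtables broute DROP rules are not taking
# effect for that bridge's interfaces.
tproxy_status() {
    if [ "$(rule_hits "$1" TPROXY)" -gt 0 ]; then
        echo diverting
    else
        echo idle
    fi
}

# Live use (needs root):
#   tproxy_status "$(iptables -t mangle -L PREROUTING -n -v -x)"
tproxy_status "$SAMPLE_MANGLE"
```

Run it once per bridge while generating port-80 traffic from a client behind that bridge; if the counter only moves for one of them, the broute rules for the other pair of interfaces are the first thing to check.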