[tproxy] Squid - Tproxy 4 - Two Bridges

Viktor Online viktoronline at gmail.com
Tue Oct 13 03:36:08 CEST 2009

Hello everyone, I'm trying to run the following configuration:

* Debian testing, kernel 2.6.30, iptables 1.4.4, squid 3.1.0.14, ebtables,
bridge-utils, TPROXY 4

Diagram of the setup: http://img524.imageshack.us/img524/2645/twobridge.jpg


# Bridge router1

auto br1
iface br1 inet static
bridge_ports eth0 eth1

# Bridge router2

auto br2
iface br2 inet static
bridge_ports eth2 eth3


# rc.local: mark sockets already owned by Squid, divert new port-80 flows to TPROXY
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

echo 1 > /proc/sys/net/ipv4/ip_forward

# marked packets are routed through table 100 to the local stack
ip rule add fwmark 1 lookup 100
ip route add local dev lo table 100


# squid.conf
http_port 3128
http_port 3129 tproxy

acl manager proto cache_object
acl localhost src
acl to_localhost dst

acl localnet src
acl localnet src

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

So far so good, except that Squid is not caching anything; the two bridges
work, each one through its own gateway, and if I run iptables -t mangle -L -n -v
I can see the rules from rc.local marking packets.

When I add the following lines Squid begins to cache, but only one of the two
bridges (either one) works; the other stays at 0 and cannot browse.

ebtables -t broute -I BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

ebtables -t broute -I BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

ebtables -t broute -I BROUTING -i eth3 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

ebtables -t broute -I BROUTING -i eth2 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

It is possible to operate the two bridges each for their gateway using
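An added example, not part of the original post and not code from Squid or the TPROXY project: a small POSIX sh helper that generates the per-bridge ebtables BROUTING pair for any number of bridges (so the four rules above become one loop over client-port:gateway-port pairs), and an audit function that reads the `iptables -t mangle -L PREROUTING -v -n` counter listing and reports the rules that have never matched, which is the first thing to check when one bridge's clients cannot browse. The interface names and the counter listing embedded below are constructed for illustration, not taken from the poster's box.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and the sample
# counter output are assumptions for illustration only.

# Print the pair of ebtables BROUTING rules that pull port-80 TCP off one
# bridge and up into the IP stack, where the mangle/TPROXY rules can see it.
# $1 = bridge port facing the clients, $2 = bridge port facing the gateway.
broute_rules_for_bridge() {
    client_if=$1
    gateway_if=$2
    # requests from the clients (destination port 80)
    printf 'ebtables -t broute -A BROUTING -i %s -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP\n' "$client_if"
    # replies coming back from the gateway side (source port 80)
    printf 'ebtables -t broute -A BROUTING -i %s -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP\n' "$gateway_if"
}

# Generate the rules for every bridge in the argument list. Each entry is
# clients_port:gateway_port, e.g. "eth1:eth0 eth3:eth2" for the post's layout.
# Because ebtables -i matches the ingress port, each bridge gets its own
# independent pair and the two bridges never share a rule.
broute_rules_for_all() {
    for pair in "$@"; do
        broute_rules_for_bridge "${pair%%:*}" "${pair#*:}"
    done
}

# Read `iptables -t mangle -L PREROUTING -v -n` output on stdin and print the
# target of every rule whose packet counter is still zero. Header lines
# ("Chain ...", "pkts bytes ...") do not start with a number and are skipped.
zero_hit_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 == 0 { print $3 }'
}

# Constructed sample of the counter listing (assumed values, not real output).
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 4210 packets, 1602K bytes)
 pkts bytes target     prot opt in     out     source               destination
  318 24912 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'

# Run the audit over the constructed sample; on a live box pipe the real
# iptables listing into zero_hit_rules instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_COUNTERS" | zero_hit_rules
}

if [ "${1:-}" = "--demo" ]; then
    broute_rules_for_all eth1:eth0 eth3:eth2
    echo "rules with zero hits:"
    audit_sample
fi
```

Run it with `--demo` to print the four ebtables commands for the two-bridge layout followed by the audit result; in the constructed sample the DIVERT rule has traffic but the TPROXY rule has never matched, so `TPROXY` is reported.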