[tproxy] Squid with TProxy Support

Chinmay Mahata chinmay_mahata at rediffmail.com
Fri Jul 5 13:13:48 CEST 2013

Hi Firas,
    Your understanding is absolutely correct.


From: Firas Rasmy <firasrasmy at yahoo.com>
Sent: Wed, 03 Jul 2013 04:34:02 
To: "tproxy at lists.balabit.hu" <tproxy at lists.balabit.hu>
Subject: Re: [tproxy] Squid with TProxy Support
 Thanks a lot for your reply Eliezer!
I have another question here regarding the following iptables rules, which are needed to get TPROXY to work:
iptables -t mangle -N DIVERTiptables -t mangle -A DIVERT -j MARK --set-mark 1iptables -t mangle -A DIVERT -j ACCEPTiptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

 What is "-m socket" used for? Man page of iptables says that "-m socket" matches if an open socket can be found by doing a socket lookup on the packet. I think the following rule is intended for reply packets coming from web servers to squid (with the spoofed IP address), am I right? If not, please correct me:iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

Best regards,Firas

        From: Eliezer Croitoru <eliezer at ngtech.co.il>
 To: tproxy at lists.balabit.hu 
 Sent: Monday, July 1, 2013 11:00 PM
 Subject: Re: [tproxy] Squid with TProxy Support
Centos comes with TPROXY so you don't need to recompile or do anything 
more then to bundled kernel from CentOS.
Take a small peek at this tutorial:
The tutorial have all the working examples that are needed for tproxy 
with squid.

If you will need more help you can try squid-users.


On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> Hello there!
> I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> 4.1.7
> I've followed the instructions in
> http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> connecting to any website from a client with Chrome browser fails with
> this error:
> Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> without sending any
> When trying to telnet squid on port 80, I get a connection but the
> connection is closed once I hit any key! I think packets are being
> redirected to squid successfully because if I stop squid, there would be
> no connections at all. Do you have any idea of what might be the reason?
> Another question, I have checked that my current kernel was already
> built with those options:
> Do I still have to recompile it with patches from
> http://www.balabit.com/downloads/files/tproxy/?
> There are no patches available for this current version. What about
> iptables? Do I need to patch it?
> My last question is: TPROXY target in the mangle table is not supposed
> to change anything in the packet header, how the packets with
> target would be redirected to --on-port if the IP header is untouched?!
> Thanks a lot for your help!
> Best regards,
> Firas
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu');" >tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy

tproxy mailing list
tproxy at lists.balabit.hu');" >tproxy at lists.balabit.hu


tproxy mailing list

tproxy at lists.balabit.hu


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20130705/f90c7c96/attachment.htm 

More information about the tproxy mailing list