[tproxy] Squid with TProxy Support
Chinmay Mahata
chinmay_mahata at rediffmail.com
Fri Jul 5 13:13:48 CEST 2013
Hi Firas,
Your understanding is absolutely correct.
Regards,
--Chinmay
From: Firas Rasmy <firasrasmy at yahoo.com>
Sent: Wed, 03 Jul 2013 04:34:02
To: "tproxy at lists.balabit.hu" <tproxy at lists.balabit.hu>
Subject: Re: [tproxy] Squid with TProxy Support
Thanks a lot for your reply Eliezer!
I have another question here regarding the following iptables rules, which are needed to get TPROXY to work:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
What is "-m socket" used for? The man page of iptables says that "-m socket" matches if an open socket can be found by doing a socket lookup on the packet. I think the following rule is intended for reply packets coming from web servers to squid (with the spoofed IP address), am I right? If not, please correct me:
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
Best regards,
Firas
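For readers following the rule set discussed above, here is the complete TPROXY setup as one script. It is an added example, not code from the thread or from the Squid wiki: it repeats the four mangle rules quoted in the question, adds the policy-routing step that the TPROXY target relies on (the packet is delivered locally because of the fwmark, not because of any change to the IP header), and comments on what "-m socket" catches. The mark value 1, routing table 100 and the DRY_RUN switch that prints commands instead of executing them are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): full TPROXY rule set for an
# interception box running Squid on port 3129. DRY_RUN=1 prints the commands
# instead of running them, so the rule set can be reviewed offline.
MARK=1          # assumed mark value; the thread uses 1 / 0x1
TABLE=100       # assumed policy-routing table number
PROXY_PORT=3129 # Squid's tproxy listening port, as in the thread

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

tproxy_rules() {
    # 1. "-m socket": the packet belongs to a socket that already exists on
    #    this host. That is true for later segments of an already intercepted
    #    client connection and for replies from the web server addressed to
    #    the client IP that Squid spoofed as its source. Mark them and accept,
    #    so step 3 delivers them to the local socket instead of forwarding.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # 2. New port-80 flows with no socket yet: TPROXY assigns the packet to the
    #    listening socket on PROXY_PORT and sets the mark. Addresses in the IP
    #    header are left untouched, which is what lets Squid spoof the client.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$PROXY_PORT"

    # 3. Policy routing: marked packets use a table whose only route is
    #    "local", so the kernel hands them to the local socket even though the
    #    destination address is not one of this host's addresses.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Run directly (without DRY_RUN) only on the interception box, as root.
[ "${DRY_RUN:-0}" = "1" ] && tproxy_rules
```

Without the two `ip rule` / `ip route` lines the symptom is exactly the one in the original report: the SYN reaches Squid's socket, but follow-up packets and server replies are routed onward instead of being delivered locally, and the connection dies after the first byte.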
From: Eliezer Croitoru <eliezer at ngtech.co.il>
To: tproxy at lists.balabit.hu
Sent: Monday, July 1, 2013 11:00 PM
Subject: Re: [tproxy] Squid with TProxy Support
CentOS comes with TPROXY, so you don't need to recompile or do anything
more than use the bundled kernel from CentOS.
Take a small peek at this tutorial:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
The tutorial has all the working examples that are needed for tproxy
with squid.
If you will need more help you can try squid-users.
Eliezer
On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> Hello there!
>
> I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> 4.1.7
>
> I've followed the instructions in
> http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> connecting to any website from a client with Chrome browser fails with
> this error:
> Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> without sending any data.
>
> When trying to telnet squid on port 80, I get a connection but the
> connection is closed once I hit any key! I think packets are being
> redirected to squid successfully because if I stop squid, there would be
> no connections at all. Do you have any idea of what might be the reason?
>
> Another question, I have checked that my current kernel was already
> built with those options:
> NF_CONNTRACK=m
> NETFILTER_TPROXY=m
> NETFILTER_XT_MATCH_SOCKET=m
> NETFILTER_XT_TARGET_TPROXY=m
>
> Do I still have to recompile it with patches from
> http://www.balabit.com/downloads/files/tproxy/?
> There are no patches available for this current version. What about
> iptables? Do I need to patch it?
>
> My last question is: TPROXY target in the mangle table is not supposed
> to change anything in the packet header, how the packets with TPROXY
> target would be redirected to --on-port if the IP header is untouched?!
>
> Thanks a lot for your help!
>
> Best regards,
> Firas
>
>
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
>