[tproxy] Squid with TProxy Support

Eliezer Croitoru eliezer at ngtech.co.il
Fri Jul 5 13:58:27 CEST 2013


Hey,

Indeed, as you were thinking.
The socket match matches a socket on the machine, which means it's not an inbound 
connection.
The rules are:
if the connection is local, divert it to local routing as a socket, and 
otherwise redirect it into the squid tproxy port.

Eliezer

On 07/03/2013 01:07 AM, Firas Rasmy wrote:
> Thanks a lot for your reply Eliezer!
>
> I have another question here regarding the following iptables rules, 
> which are needed to get TPROXY to work:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY 
> --tproxy-mark 0x1/0x1 --on-port 3129
>
>
>
> What is "-m socket" used for? Man page of iptables says that "-m 
> socket" matches if an open socket can be found by doing a socket 
> lookup on the packet. I think the following rule is intended for reply 
> packets coming from web servers to squid (with the spoofed IP 
> address), am I right? If not, please correct me:
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> Best regards,
> Firas
>
>
> ------------------------------------------------------------------------
> *From:* Eliezer Croitoru <eliezer at ngtech.co.il>
> *To:* tproxy at lists.balabit.hu
> *Sent:* Monday, July 1, 2013 11:00 PM
> *Subject:* Re: [tproxy] Squid with TProxy Support
>
> Centos comes with TPROXY so you don't need to recompile or do anything
> more than the bundled kernel from CentOS.
> Take a small peek at this tutorial:
> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
> The tutorial has all the working examples that are needed for tproxy
> with squid.
>
> If you will need more help you can try squid-users.
>
> Eliezer
>
> On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> > Hello there!
> >
> > I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> > (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> > 4.1.7
> >
> > I've followed the instructions in
> > http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> > connecting to any website from a client with Chrome browser fails with
> > this error:
> > Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> > without sending any data.
> >
> > When trying to telnet squid on port 80, I get a connection but the
> > connection is closed once I hit any key! I think packets are being
> > redirected to squid successfully because if I stop squid, there would be
> > no connections at all. Do you have any idea of what might be the reason?
> >
> > Another question, I have checked that my current kernel was already
> > built with those options:
> > NF_CONNTRACK=m
> > NETFILTER_TPROXY=m
> > NETFILTER_XT_MATCH_SOCKET=m
> > NETFILTER_XT_TARGET_TPROXY=m
> >
> > Do I still have to recompile it with patches from
> > http://www.balabit.com/downloads/files/tproxy/?
> > There are no patches available for this current version. What about
> > iptables? Do I need to patch it?
> >
> > My last question is: the TPROXY target in the mangle table is not supposed
> > to change anything in the packet header, so how would the packets with the
> > TPROXY target be redirected to --on-port if the IP header is untouched?!
> >
> > Thanks a lot for your help!
> >
> > Best regards,
> > Firas
> >
> >
> > _______________________________________________
> > tproxy mailing list
> > tproxy at lists.balabit.hu <mailto:tproxy at lists.balabit.hu>
> > https://lists.balabit.hu/mailman/listinfo/tproxy
> >
>

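The rule logic discussed in this thread, as an added illustration that is not code from the thread, from Squid or from the linked tutorials: a small Python model walks a packet through the two mangle PREROUTING rules in the order Firas lists them, showing why reply packets from a web server (which match squid's spoofed-IP socket) hit `-m socket`/DIVERT rather than TPROXY, and why the TPROXY rule only fires for a flow's first packet. The addresses and the socket table are constructed; the `ip rule`/`ip route` lines in the comments are the usual fwmark policy route the thread calls "local routing", not something the thread itself shows.

```python
from dataclasses import dataclass

# Values taken from the rules quoted in the thread.
SQUID_TPROXY_PORT = 3129   # --on-port
TPROXY_MARK = 0x1          # --set-mark 1 / --tproxy-mark 0x1/0x1
# Packets carrying the mark are delivered locally by a policy route, normally:
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
# (assumed standard setup, not quoted in the thread)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# A local TCP socket as (local_ip, local_port, remote_ip, remote_port).
# With TPROXY, squid's sockets carry spoofed addresses: the accepted
# client socket is bound to the web server's IP:80, and squid's upstream
# connection is bound to the client's IP.
Socket = tuple[str, int, str, int]

def socket_match(pkt: Packet, sockets: set[Socket]) -> bool:
    """Model of `-m socket`: does a socket lookup on this packet's 4-tuple
    find an established local socket?"""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in sockets

def mangle_prerouting(pkt: Packet, sockets: set[Socket]) -> tuple[int, str, int]:
    """Walk the two mangle PREROUTING rules in order.
    Returns (mark, routing, port squid will see on delivery)."""
    # Rule 1: -p tcp -m socket -j DIVERT   (MARK 1, ACCEPT -> local route)
    if socket_match(pkt, sockets):
        return TPROXY_MARK, "local", pkt.dport
    # Rule 2: -p tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
    if pkt.dport == 80:
        return TPROXY_MARK, "local", SQUID_TPROXY_PORT
    # Nothing matched: header untouched, forwarded toward its destination
    return 0, "forward", pkt.dport

# Constructed sample: client 192.0.2.10 talks to web server 203.0.113.80
# through the squid box. Squid already holds one accepted client socket and
# one spoofed-source upstream socket for an earlier connection.
SOCKETS: set[Socket] = {
    ("203.0.113.80", 80, "192.0.2.10", 51515),     # accepted client flow
    ("192.0.2.10", 40000, "203.0.113.80", 80),     # squid -> server, spoofed
}
```

For instance, the server's reply `Packet("203.0.113.80", 80, "192.0.2.10", 40000)` matches squid's spoofed upstream socket and is diverted locally, while a new client SYN to port 80 with no socket yet is the only case that reaches the TPROXY target.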