[tproxy] Squid with TProxy Support

Eliezer Croitoru eliezer at ngtech.co.il
Fri Jul 5 15:32:59 CEST 2013


These comments were meant to give you information long ago..
It gives the big picture to the one who actually needs it.
Most people that don't understand can ask freely on the mailing lists 
which are the best resource I know of.
Using a mailing list, real people can understand and explain to you the 
difference between what you understand and do not.

If you do know how iptables works it will be simple to understand this 
logic.
If you are new to iptables or to Linux it's better to ask rather than 
just not understand their meanings.

Eliezer


On 07/05/2013 04:03 PM, Firas Rasmy wrote:
> Thanks a lot Chinmay and Eliezer,
>
> I think the comments on the iptables rules in 
> http://wiki.squid-cache.org/Features/Tproxy4 are a bit confusing!
>
> Best regards,
> Firas
>
> ------------------------------------------------------------------------
> *From:* Chinmay Mahata <chinmay_mahata at rediffmail.com>
> *To:* Firas Rasmy <firasrasmy at yahoo.com>
> *Cc:* "tproxy at lists.balabit.hu" <tproxy at lists.balabit.hu>
> *Sent:* Friday, July 5, 2013 2:13 PM
> *Subject:* Re: [tproxy] Squid with TProxy Support
>
> Hi Firas,
>     Your understanding is absolutely correct.
>
> Regards,
> --Chinmay
>
>
>
>
> From: Firas Rasmy <firasrasmy at yahoo.com>
> Sent: Wed, 03 Jul 2013 04:34:02
> To: "tproxy at lists.balabit.hu" <tproxy at lists.balabit.hu>
> Subject: Re: [tproxy] Squid with TProxy Support
> Thanks a lot for your reply Eliezer!
>
> I have another question here regarding the following iptables rules, 
> which are needed to get TPROXY to work:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY 
> --tproxy-mark 0x1/0x1 --on-port 3129
>
>
>
>  What is "-m socket" used for? Man page of iptables says that "-m 
> socket" matches if an open socket can be found by doing a socket 
> lookup on the packet. I think the following rule is intended for reply 
> packets coming from web servers to squid (with the spoofed IP 
> address), am I right? If not, please correct me:
> iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> Best regards,
> Firas
>
>
> ------------------------------------------------------------------------
> *From:* Eliezer Croitoru <eliezer at ngtech.co.il>
> *To:* tproxy at lists.balabit.hu
> *Sent:* Monday, July 1, 2013 11:00 PM
> *Subject:* Re: [tproxy] Squid with TProxy Support
>
> Centos comes with TPROXY so you don't need to recompile or do anything
> more than use the bundled kernel from CentOS.
> Take a small peek at this tutorial:
> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
> The tutorial has all the working examples that are needed for tproxy
> with squid.
>
> If you will need more help you can try squid-users.
>
> Eliezer
>
> On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> > Hello there!
> >
> > I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> > (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> > 4.1.7
> >
> > I've followed the instructions in
> > http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> > connecting to any website from a client with Chrome browser fails with
> > this error:
> > Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> > without sending any data.
> >
> > When trying to telnet squid on port 80, I get a connection but the
> > connection is closed once I hit any key! I think packets are being
> > redirected to squid successfully because if I stop squid, there would be
> > no connections at all. Do you have any idea of what might be the reason?
> >
> > Another question, I have checked that my current kernel was already
> > built with those options:
> > NF_CONNTRACK=m
> > NETFILTER_TPROXY=m
> > NETFILTER_XT_MATCH_SOCKET=m
> > NETFILTER_XT_TARGET_TPROXY=m
> >
> > Do I still have to recompile it with patches from
> > http://www.balabit.com/downloads/files/tproxy/? 
> > There are no patches available for this current version. What about
> > iptables? Do I need to patch it?
> >
> > My last question is: TPROXY target in the mangle table is not supposed
> > to change anything in the packet header, how the packets with TPROXY
> > target would be redirected to --on-port if the IP header is untouched?!
> >
> > Thanks a lot for your help!
> >
> > Best regards,
> > Firas
> >
> >
> > _______________________________________________
> > tproxy mailing list
> > tproxy at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/tproxy
> >
>
>
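The rule fragment quoted in the thread is only half of a working TPROXY setup: the MARK set by DIVERT and by --tproxy-mark does nothing on its own, the missing half is the ip rule / ip route pair that tells the kernel "marked packets are local" so they reach Squid's transparent socket without any header being rewritten. The script below is an added example written for this page, not the thread's or the Squid wiki's own code. It assumes Squid listens with a tproxy-mode port 3129 (as in the thread), that fwmark 1 and routing table 100 are unused on the host, and it only prints the commands unless DRY_RUN=0. The "-m socket" rule is placed first on purpose: it catches packets for which a local socket already exists, which includes the server replies addressed to the spoofed client IP that the thread asks about, so those are delivered locally instead of forwarded toward the client. The check_rule_order function is a small defender-side sanity check on an "iptables -t mangle -S PREROUTING" listing, verifying that ordering.

```shell
#!/bin/sh
# Added example (not code from the tproxy thread or the Squid wiki).
# Assumptions: Squid has "http_port 3129 tproxy"; fwmark 1 and routing
# table 100 are free on this host. Commands are printed unless DRY_RUN=0,
# in which case they are executed (needs root on a Linux box with TPROXY).

TPROXY_PORT="${TPROXY_PORT:-3129}"   # Squid's tproxy listener (from the thread)
FWMARK=1                             # mark set by DIVERT and by --tproxy-mark
RT_TABLE=100                         # table whose only route is "deliver locally"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the complete rule set. Order matters: the "-m socket" rule
# must precede the TPROXY rule so packets of flows Squid already owns (client
# follow-up segments and server replies to the spoofed client address) are
# marked and delivered locally instead of being handed to TPROXY again.
tproxy_rules() {
    # 1. Policy routing: anything carrying the mark is looked up in table 100,
    #    which says "local", so the kernel delivers it to the local socket
    #    even though the destination address is not one of this host's.
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"

    # 2. DIVERT chain: set the mark and stop further mangle processing.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT

    # 3. Packets that already match a local socket (established transparent
    #    flows in either direction) go through DIVERT.
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # 4. New client connections to port 80: TPROXY marks the packet and
    #    associates it with the listener on the tproxy port. No IP or TCP
    #    header field is changed; the mark plus step 1 do the local delivery.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "${FWMARK}/${FWMARK}" --on-port "$TPROXY_PORT"
}

# Sanity check on an "iptables -t mangle -S PREROUTING" listing read from
# stdin: exit 0 if the "-m socket ... -j DIVERT" rule comes before the
# TPROXY rule, 1 if it comes after it, 2 if either rule is missing.
check_rule_order() {
    awk '
        /-m socket/ && /-j DIVERT/ && !s { s = NR }
        /-j TPROXY/ && !t { t = NR }
        END {
            if (!s || !t) exit 2
            exit (s < t) ? 0 : 1
        }'
}

tproxy_rules
```

Running the script as-is prints the command sequence for review; `DRY_RUN=0 sh tproxy-rules.sh` as root applies it. After applying, `iptables -t mangle -S PREROUTING | sh -c '. ./tproxy-rules.sh >/dev/null; check_rule_order'` (or sourcing the file in an interactive shell and piping into `check_rule_order`) confirms the socket rule still precedes the TPROXY rule after any later edits to the chain.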
