[tproxy] Can't get TPROXY working with squid

U.Mutlu for-forums at mutluit.com
Thu Feb 26 18:03:33 CET 2015


Hello,

Did you do these steps on the tproxy host?

do_set_as_router()
{
  # rp_filter off: no reverse-path (anti-spoof) check on incoming packets
  for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 >$f ; done
  # forward packets between the interfaces
  echo 1 >/proc/sys/net/ipv4/ip_forward
  for f in /proc/sys/net/ipv4/conf/*/forwarding ; do echo 1 >$f ; done
  # allow binding sockets to addresses that are not configured on this host
  echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind
  # send ICMP redirects, and answer ARP on behalf of hosts this box routes for
  for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do echo 1 >$f ; done
  for f in /proc/sys/net/ipv4/conf/*/proxy_arp ; do echo 1 >$f ; done
}

cu
Uenal


Carvaka Guru wrote, On 02/25/2015 08:40 PM:
> Yes, I did, and tried the recommendations there too, but that is a much more
> complicated setup.
>
> Mine is a simple setup where I have a client PC (192.168.25.107) connected
> directly to my linux firewall router on eth1 (192.168.25.1). The eth0
> (10.1.20.204) of the router is connected to the internet.
>
> Router has -
> 1. squid3 3.4.8
> 2. iptables 1.4.14
> 3. libcap2
> 4. libcap2-dev
>
> Squid config has the directive -
> http_port 3128 tproxy
>
> iptables is setup with the following directives -
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 111
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables  -t mangle -A PREROUTING -p tcp --match socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -p tcp --match multiport --dport http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111
>
> routing config is -
> ip -f inet rule add fwmark 111 lookup 100
> ip -f inet route add local default dev lo table 100
>
> The moment I add the second line (ip route), all HTTP traffic gets
> black-holed. Not sure where it is going.
>
> I have enabled logging in Squid ("ALL,2"), which usually shows detailed
> traffic traversing squid, but with this setup, nothing!
>
>
> On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
> wrote:
>
>> Hey Carvaka,
>>
>> Did you have the chance to read this article:
>> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
>>
>> Thanks,
>> Eliezer
>>
>> On 25/02/2015 19:15, Carvaka Guru wrote:
>>> I am building a simple linux firewall router with eth1 LAN port and eth0
>>> WAN port. I have squid3 running on it that I have built with netfilter
>>> enabled. The linux version running on the firewall is debian wheezy which
>>> has iptables with TPROXY and socket support.
>>>
>>> By setting up the iptables to send traffic to squid3 using the original nat
>>> prerouting REDIRECT method everything works fine but I can't get the TPROXY
>>> method to work. I followed all the steps outlined in
>>> http://wiki.squid-cache.org/Features/Tproxy4  but no traffic gets to squid3.
>>> In fact all HTTP traffic goes into some hole as soon as I issue the
>>> following two routing commands -
>>>
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>
>>> Without these two commands the HTTP traffic goes through but never gets
>>> routed to squid3.
>>>
>>> I think the "ip route" command is the culprit but I don't know why or what
>>> to change it to?
>>>
>>> Any suggestions, help would be much appreciated.
>>>
>>> Thanks,
>>> carvaka
>>>
>>
>>
>> _______________________________________________
>> tproxy mailing list
>> tproxy at lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/tproxy
>>
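As an added example, not code from any post in this thread, here is the setup Carvaka describes collected into one script: the sysctls, the DIVERT/TPROXY mangle chain, the MASQUERADE rule and the fwmark policy route, with mark, table, port, interface names and LAN subnet taken from the thread (111, 100, 3128, eth1/eth0, 192.168.25.0/24). Two things are added that the posts do not have: the TPROXY rule is limited to the LAN interface, so the router is not an open proxy for whatever reaches it on eth0, and because rp_filter is switched off, explicit rules drop WAN packets that claim a LAN source. DRY_RUN is a switch of this script only (not of iptables or ip); it is on by default and prints the commands instead of running them, so run with DRY_RUN=0 as root to apply. The value given to --set-mark, --tproxy-mark and 'ip rule add fwmark' has to be the same, otherwise the policy route never sees the marked packets.

```shell
#!/bin/sh
# Added example (not from any post in this thread): TPROXY setup for the
# router described above. DRY_RUN is an assumed switch of this script, not an
# option of iptables or ip; with DRY_RUN=1 commands are printed, not run.
set -eu

LAN_IF=${LAN_IF:-eth1}                  # clients (192.168.25.0/24)
WAN_IF=${WAN_IF:-eth0}                  # internet
LAN_NET=${LAN_NET:-192.168.25.0/24}
MARK=${MARK:-111}                       # same value in --set-mark, --tproxy-mark, ip rule
TABLE=${TABLE:-100}
SQUID_PORT=${SQUID_PORT:-3128}          # squid.conf: http_port 3128 tproxy
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Forwarding on; rp_filter off, as the posts in this thread do (the reverse-path
# check rejects packets whose source is not routable back via the ingress interface).
sysctl_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    for dev in all default lo "$LAN_IF" "$WAN_IF"; do
        run sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    done
}

# rp_filter was the only thing dropping WAN packets that claim a LAN source,
# so replace it with explicit rules in front of everything else.
antispoof_rules() {
    run iptables -I INPUT 1 -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -I FORWARD 1 -i "$WAN_IF" -s "$LAN_NET" -j DROP
}

# mangle PREROUTING, in this order:
#  1. -m socket: packets that already belong to a local socket (replies to
#     Squid's spoofed upstream connections, arriving on the WAN side) get the
#     mark, so the policy route delivers them to Squid instead of forwarding.
#  2. TPROXY: new client connections, LAN side only, to 80/8080 go to the
#     transparent socket. The -i restriction keeps the box from proxying
#     anything that reaches it on the WAN interface.
tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
        -m multiport --dports 80,8080 \
        -j TPROXY --on-port "$SQUID_PORT" --tproxy-mark "$MARK"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Marked packets consult table 100, whose single route declares every
# destination local, so they are delivered to the listening socket.
route_rules() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

setup_all() {
    sysctl_setup
    antispoof_rules
    tproxy_rules
    route_rules
}

# Live check (root, after a real run): policy route present and Squid listening.
verify_live() {
    ip rule show | grep -q "lookup $TABLE" \
        || { echo "no ip rule for table $TABLE" >&2; return 1; }
    ip route show table "$TABLE" | grep -q '^local default dev lo' \
        || { echo "no local route in table $TABLE" >&2; return 1; }
    ss -ltn "sport = :$SQUID_PORT" | grep -q LISTEN \
        || { echo "nothing listening on $SQUID_PORT" >&2; return 1; }
}

setup_all
```

The order inside mangle PREROUTING matters: the -m socket rule has to come before the TPROXY rule, so that packets of connections Squid already owns are diverted rather than put through a fresh TPROXY lookup, and it must not be tied to the LAN interface, because the upstream replies it has to catch arrive on eth0.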
