[tproxy] Can't get TPROXY working with squid
carvakaguru at gmail.com
Fri Feb 27 00:16:01 CET 2015
I tried the steps that you specified but that didn't help. I already had
most of the steps except the one for the nonlocal bind. But I still don't
see any packets getting to squid.
Can someone explain to me what the following two command are suppose to
achieve? I am a little confused on that. I think the second command
especially is not correct for my setup, because as soon as I issue it all
HTTP traffic stops from getting to the internet.
ip -f inet rule add fwmark 111 lookup 100
ip -f inet route add local default dev lo table 100
On Thu, Feb 26, 2015 at 12:03 PM, U.Mutlu <for-forums at mutluit.com> wrote:
> did you do these steps on the tproxy-host? :
> for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 >$f ; done
> echo 1 >/proc/sys/net/ipv4/ip_forward
> for f in /proc/sys/net/ipv4/conf/*/forwarding ; do echo 1 >$f ; done
> echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind
> for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do echo 1 >$f ; done
> for f in /proc/sys/net/ipv4/conf/*/proxy_arp ; do echo 1 >$f ; done
> Carvaka Guru wrote, On 02/25/2015 08:40 PM:
> > Yes, I did and tried the recommendations there too but that is a much
> > complicated setup.
> > Mine is a simple setup where I have a client PC (192.168.25.107)
> > directly to my linux firewall router on eth1 (192.168.25.1). The eth0
> > (10.1.20.204) of the router is connected to the internet.
> > Router has -
> > 1. squid3 3.4.8
> > 2. iptables 1.4.14
> > 3. libcap2
> > 4. libcap2-dev
> > Squid config has the directive -
> > http_port 3128 tproxy
> > iptables is setup with the following directives -
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> > iptables -t nat -A POSTROUTING -o eth0 MASQUERADE
> > iptables -t mangle -N DIVERT
> > iptables -t mangle -A DIVERT -j MARK --set-mark 111
> > iptables -t mangle -A DIVERT -j ACCEPT
> > iptables -t mangle -A PREROUTING -p tcp --match socket -j DIVERT
> > iptables -t mangle -A PREROUTING -p tcp --match multiport --dport
> > http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111
> > routing config is -
> > ip -f inet rule add fwmark 111 lookup 100
> > ip -f inet route add local default dev lo table 100
> > The moment I add the second line (ip route), all HTTP traffic gets
> > black-holed. Not sure where it is going.
> > I have enabled logging in Squid "ALL,2" which usually shows detailed
> > traffic traversing through squid but with this setup, nothing!
> > On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
> > wrote:
> >> Hey Carvaka,
> >> Did you had the chance to read this article:
> >> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
> >> Thanks,
> >> Eliezer
> >> On 25/02/2015 19:15, Carvaka Guru wrote:
> >>> I am building a simple linux firewall router with eth1 LAN port and
> >>> WAN port. I have squid3 running on it that I have built with netfilter
> >>> enabled. The linux version running on the firewall is debian wheezy
> >>> has iptables with TPROXY and socket support.
> >>> By setting up the iptables to send traffic to squid3 using the original
> >> nat
> >>> prerouting REDIRECT method everything works fine but I can't get the
> >> TPROXY
> >>> method to work. I followed all the steps outlined in
> >>> http://wiki.squid-cache.org/Features/Tproxy4 but no traffic gets to
> >> squid3.
> >>> In fact all HTTP traffic goes into some hole as soon as I issue the
> >>> followng two routing commands -
> >>> ip rule add fwmark 1 lookup 100
> >>> ip route add local 0.0.0.0/0 dev lo table 100
> >>> Without these two commands the HTTP traffic goes through but never gets
> >>> routed to squid3.
> >>> I think the "ip route" command is the culprit but I don't know why or
> >> what
> >>> to change it to?
> >>> Any suggestions, help would be much appreciated.
> >>> Thanks,
> >>> carvaka
> >> _______________________________________________
> >> tproxy mailing list
> >> tproxy at lists.balabit.hu
> >> https://lists.balabit.hu/mailman/listinfo/tproxy
> > _______________________________________________
> > tproxy mailing list
> > tproxy at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/tproxy
> tproxy mailing list
> tproxy at lists.balabit.hu
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the tproxy