[tproxy] Can't get TPROXY working with squid

U.Mutlu for-forums at mutluit.com
Fri Feb 27 12:38:49 CET 2015


Carvaka Guru wrote, On 02/27/2015 12:16 AM:
> Hi Uenal,
>
> I tried the steps that you specified but that didn't help. I already had
> most of the steps except the one for the nonlocal bind. But I still don't
> see any packets getting to squid.
>
> Can someone explain to me what the following two commands are supposed to
> achieve? I am a little confused on that. I think the second command
> especially is not correct for my setup, because as soon as I issue it all
> HTTP traffic stops from getting to the internet.
>
> ip -f inet rule add fwmark 111 lookup 100
> ip -f inet route add local default dev lo table 100

My setup is unfortunately a little bit different (using a bridge),
a little bit too big and complicated to post here, and it's been
a long time since I worked on it.

The "trick" is to use a different "default route" for select network devices
and/or sources/targets by the use of the DIVERT chain as a helper.

I think you should change your
 >>> iptables -t nat -A POSTROUTING -o eth0 MASQUERADE
to
  iptables -t nat -A POSTROUTING -o eth0 -s 192.168.25.107/24 -j MASQUERADE

This is from my setup (using a bridge):

TAB1="101"
MRK1=$TAB1
TABNAME="mangle"
CHN1="CHAINTAB1"   # "DIVERT"
...
do_set_policy_routing()
{
  ip rule add dev lo   fwmark $MRK1 table $TAB1
  ip rule add dev eth0 fwmark $MRK1 table $TAB1
  ip rule add dev br0  fwmark $MRK1 table $TAB1

  ip route add local 0.0.0.0/0 dev lo   table $TAB1 metric 5
  ip route add local 0.0.0.0/0 dev eth0 table $TAB1 metric 4
  ip route add local 0.0.0.0/0 dev br0  table $TAB1 metric 3
}
...

And ensure that you have created the lookup table
in /etc/iproute2/rt_tables, i.e. like this:
101 my1

And you should use these commands for diagnosis:
   ip link ls
   ip rule ls
   ip route ls
   ...
and you must remove any excess/invalid entries in the above table outputs.

cu
Uenal

>
> Thanks,
> Carvaka
>
> On Thu, Feb 26, 2015 at 12:03 PM, U.Mutlu <for-forums at mutluit.com> wrote:
>
>> Hello,
>>
>> did you do these steps on the tproxy-host? :
>>
>> do_set_as_router()
>> {
>>    for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 >$f ; done
>>    echo 1 >/proc/sys/net/ipv4/ip_forward
>>    for f in /proc/sys/net/ipv4/conf/*/forwarding ; do echo 1 >$f ; done
>>    echo 1 >/proc/sys/net/ipv4/ip_nonlocal_bind
>>    for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do echo 1 >$f ; done
>>    for f in /proc/sys/net/ipv4/conf/*/proxy_arp ; do echo 1 >$f ; done
>> }
>>
>> cu
>> Uenal
>>
>>
>> Carvaka Guru wrote, On 02/25/2015 08:40 PM:
>>> Yes, I did and tried the recommendations there too but that is a much more
>>> complicated setup.
>>>
>>> Mine is a simple setup where I have a client PC (192.168.25.107) connected
>>> directly to my linux firewall router on eth1 (192.168.25.1). The eth0
>>> (10.1.20.204) of the router is connected to the internet.
>>>
>>> Router has -
>>> 1. squid3 3.4.8
>>> 2. iptables 1.4.14
>>> 3. libcap2
>>> 4. libcap2-dev
>>>
>>> Squid config has the directive -
>>> http_port 3128 tproxy
>>>
>>> iptables is setup with the following directives -
>>>
>>> iptables -P INPUT ACCEPT
>>> iptables -P FORWARD ACCEPT
>>> iptables -P OUTPUT ACCEPT
>>>
>>> iptables -t nat -A POSTROUTING -o eth0 MASQUERADE
>>>
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 111
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables  -t mangle -A PREROUTING -p tcp --match socket -j DIVERT
>>>
>>> iptables -t mangle -A PREROUTING -p tcp --match multiport --dport
>>> http,http-alt -j TPROXY --on-port 3128 --tproxy-mark 111
>>>
>>> routing config is -
>>> ip -f inet rule add fwmark 111 lookup 100
>>> ip -f inet route add local default dev lo table 100
>>>
>>> The moment I add the second line (ip route), all HTTP traffic gets
>>> black-holed. Not sure where it is going.
>>>
>>> I have enabled logging in Squid "ALL,2" which usually shows detailed
>>> traffic traversing through squid but with this setup, nothing!
>>>
>>>
>>>
>>>
>>> On Wed, Feb 25, 2015 at 1:03 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
>>> wrote:
>>>
>>>> Hey Carvaka,
>>>>
>>>> Did you have the chance to read this article:
>>>> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
>>>>
>>>> Thanks,
>>>> Eliezer
>>>>
>>>> On 25/02/2015 19:15, Carvaka Guru wrote:
>>>>> I am building a simple linux firewall router with eth1 LAN port and eth0
>>>>> WAN port. I have squid3 running on it that I have built with netfilter
>>>>> enabled. The linux version running on the firewall is debian wheezy which
>>>>> has iptables with TPROXY and socket support.
>>>>>
>>>>> By setting up the iptables to send traffic to squid3 using the original nat
>>>>> prerouting REDIRECT method everything works fine but I can't get the TPROXY
>>>>> method to work. I followed all the steps outlined in
>>>>> http://wiki.squid-cache.org/Features/Tproxy4  but no traffic gets to squid3.
>>>>> In fact all HTTP traffic goes into some hole as soon as I issue the
>>>>> following two routing commands -
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>
>>>>> Without these two commands the HTTP traffic goes through but never gets
>>>>> routed to squid3.
>>>>>
>>>>> I think the "ip route" command is the culprit but I don't know why or what
>>>>> to change it to?
>>>>>
>>>>> Any suggestions, help would be much appreciated.
>>>>>
>>>>> Thanks,
>>>>> carvaka
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> tproxy mailing list
>>>> tproxy at lists.balabit.hu
>>>> https://lists.balabit.hu/mailman/listinfo/tproxy
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
>
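
As an added example (not code from the thread or from its participants): a small POSIX sh script that parses the output of the diagnostic commands Uenal recommends (`ip rule ls`, `ip route ls table N`) and checks that the TPROXY policy-routing pieces Carvaka's setup needs are present, and that nothing else reaches the local-delivery table. It goes slightly beyond the thread by also flagging a rule that selects the table without a fwmark match, which would deliver every packet locally. Mark 111 and table 100 are Carvaka's values; all sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example; checks parsed "ip rule ls" / "ip route ls table N" text.

# Constructed `ip rule ls` output (ip prints the fwmark in hex: 111 = 0x6f).
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x6f lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# Constructed variant: an extra rule sends ALL traffic to table 100.
BAD_RULES='0:      from all lookup local
32764:  from all lookup 100
32765:  from all fwmark 0x6f lookup 100
32766:  from all lookup main'

# Constructed `ip route ls table 100` outputs: correct, and with a stray route.
ROUTE_OK='local default dev lo scope host'
ROUTE_BAD='local default dev lo scope host
default via 10.1.20.1 dev eth0'

# has_fwmark_rule RULES MARK TABLE: succeeds if a rule selects TABLE for MARK.
has_fwmark_rule() {
  hex=$(printf '0x%x' "$2")
  printf '%s\n' "$1" | grep -Eq "fwmark ${hex}(/0x[0-9a-f]+)? lookup $3([^0-9]|\$)"
}

# unmarked_lookup RULES TABLE: succeeds if some rule reaches TABLE without a
# fwmark selector; with "local default" in TABLE that delivers every packet
# to the local host, i.e. forwarded traffic disappears into a "hole".
unmarked_lookup() {
  printf '%s\n' "$1" | grep -Ev 'fwmark' | grep -Eq "lookup $2([^0-9]|\$)"
}

# local_default_only ROUTES: succeeds if the table holds exactly one route and
# it is the local default via lo that TPROXY needs (anything else is excess).
local_default_only() {
  n=$(printf '%s\n' "$1" | grep -c .)
  [ "$n" -eq 1 ] && printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# report RULES ROUTES: human-readable summary; always returns 0.
report() {
  has_fwmark_rule "$1" 111 100 && echo "ok: fwmark 111 -> table 100" || echo "MISSING: fwmark rule"
  unmarked_lookup "$1" 100 && echo "BAD: unmarked rule reaches table 100" || echo "ok: table 100 only via fwmark"
  local_default_only "$2" && echo "ok: table 100 = local default dev lo" || echo "BAD: table 100 has excess/missing routes"
}

report "$SAMPLE_RULES" "$ROUTE_OK"
echo '--- broken variant ---'
report "$BAD_RULES" "$ROUTE_BAD"
```

On a real host, feed it `"$(ip rule ls)"` and `"$(ip route ls table 100)"` instead of the constructed samples.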
