Re: [Devel] Re: [squid-users] TPROXY on squid-2.6S1
Hi, Steven

I just ifconfig'd gre0 with an IP address in the same subnet as the router's loopback 0. After revising my squid.conf and iptables -t tproxy command, I saw increments at the wccp router as my laptop tried to surf.

    Service Identifier: 80
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 2219
    Redirect access-list: 155
    Total Packets Denied Redirect: 561331
    Total Packets Unassigned: 26728
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

    Service Identifier: 90
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 2830
    Redirect access-list: 156
    Total Packets Denied Redirect: 1263141
    Total Packets Unassigned: 47394
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

My client now can surf also. But no hit at the squid access.log file.

disable rp_filter, enable forwarding:
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward

my iptables also has no hit increment:
    Chain PREROUTING (policy ACCEPT 4809 packets, 2449K bytes)
     pkts bytes target  prot opt in    out  source    destination
        2   120 TPROXY  tcp  --  eth0  any  anywhere  anywhere     tcp dpt:http TPROXY redirect 0.0.0.0:80

Maybe I should use the ip_wccp module instead of ip_gre? Let me try it.

regards,
Tino

----- Original Message -----
From: Steven Wilton [EMAIL PROTECTED]
To: 'tino' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Squid Developers' squid-dev@squid-cache.org
Sent: Wednesday, July 12, 2006 12:53 PM
Subject: RE: [Devel] Re: [squid-users] TPROXY on squid-2.6S1

I'm using Debian 3.1 (sarge) with a 2.6.15.6 + cttproxy patch. I've attached a patch that fixes the 1024 fd bug, an NTLM auth bug, and allows NTLM auth to work with pipeline prefetching on. These problems should be fixed in the next squid release.
I would like to add the following to my previous list of requirements for tproxy + wccpv2:
- You must make sure rp_filter is disabled in the kernel
- You must make sure ip_forwarding is enabled in the kernel

Can you please check that you've enabled ip_forwarding in your kernel. If that doesn't work, I don't know if the vhost vport=80 is required in the http_port line in the squid config (we don't have these options enabled on our proxies).

I use the ip_wccp module to make the kernel handle the GRE packets correctly (which works slightly differently from the ip_gre module). Do you have a GRE tunnel set up in linux? If so, what command are you running to set it up? I don't have an example to give you here, but I'm sure other people are using the ip_gre module with wccp to handle the GRE packets, and should be able to help.

Regards
Steven

-----Original Message-----
From: tino [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 12 July 2006 12:53 PM
To: Steven Wilton; 'Adrian Chadd'
Cc: 'Kashif Ali Bukhari'; [EMAIL PROTECTED]; 'chima s'
Subject: Re: [Devel] Re: [squid-users] TPROXY on squid-2.6S1

Hi, Steven,

Many thanks for your config, I will immediately try it hands-on on my squid box.

May I know your distro kernel version? (for shortcut, in case: I am using fedora4 upgraded to kernel-2.6.15.7 with the cttproxy-2.6.15-2.0.4 patch from balabit)

Based on cachemgr, at least we need 2000-3000 file descriptors.

This is my last config which does not work: I saw wccp hit increments at the router, by redirecting packets to the squid-box.

    Service Identifier: 80
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 1123
    Redirect access-list: 155
    Total Packets Denied Redirect: 650922
    Total Packets Unassigned: 25043
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

    Service Identifier: 90
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 224
    Redirect access-list: 156
    Total Packets Denied Redirect: 206844
    Total Packets Unassigned: 17095
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

I saw hit increments in iptables:
    Chain PREROUTING (policy ACCEPT 11517 packets, 2009K bytes)
     pkts bytes target  prot opt in   out  source    destination
       76 24942 TPROXY  all  --  any  any  anywhere  anywhere     TPROXY redirect 0.0.0.0:3128

But still no hit at access.log, and my host still can't
Re: [Devel] Re: [squid-users] TPROXY on squid-2.6S1
Hi, Steve

finally it works. Here are my steps:

- install squid-2.6.s1 + FD-patch_from_you + cttproxy-patch from balabit for kernel iptables tproxy

- create gre tunnel:
    insmod ip_gre
    ifconfig gre0 (use ip address within loopback0 router subnet) up

- disable rp_filter, enable forwarding:
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward

- iptables:
    iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre0 --dport 80 -j TPROXY --on-port 80

- squid.conf:
    http_port 80 transparent tproxy vhost vport=80
    always_direct allow all
    wccp2_router y.y.y.y
    wccp2_forwarding_method 1
    wccp2_return_method 1
    wccp2_service dynamic 80
    wccp2_service dynamic 90
    wccp2_service_info 80 protocol=tcp flags=dst_ip_hash priority=240 ports=80
    wccp2_service_info 90 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=80

- router config (cisco):
    ip wccp 80
    ip wccp 90
    int fasteth0
      ip wccp 80 redirect out       (gateway to internet)
    int fasteth1
      ip wccp 90 redirect out       (my client gateway)
    int fasteth3
      ip wccp redirect exclude in   (squid-box attached here)

check-up access.log -- yes, the log increments
check-up my pc by opening whatismyipaddress.com -- yes, it is my pc's ip

Now, I will try tuning up my box's squid.conf tomorrow.

regards,
Tino

----- Original Message -----
From: Steven Wilton [EMAIL PROTECTED]
To: 'tino' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; 'Squid Developers' squid-dev@squid-cache.org
Sent: Wednesday, July 12, 2006 12:53 PM
Subject: RE: [Devel] Re: [squid-users] TPROXY on squid-2.6S1

I'm using Debian 3.1 (sarge) with a 2.6.15.6 + cttproxy patch. I've attached a patch that fixes the 1024 fd bug, an NTLM auth bug, and allows NTLM auth to work with pipeline prefetching on. These problems should be fixed in the next squid release.
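As an added check (not from the thread, and not squid's or Balabit's code), the following shell script tests the two kernel prerequisites Steven lists in his reply (rp_filter off, ip_forward on) and, following the port agreement visible in Tino's working config, that the TPROXY --on-port matches the port of the tproxy http_port line in squid.conf. It runs against constructed sysctl, rule and squid.conf strings; on a real box you would feed it "sysctl -a" output, the live rule and the real squid.conf.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the tproxy + wccpv2
# prerequisites (rp_filter off, ip_forward on) and for agreement between the
# iptables --on-port and the squid.conf http_port line.
# All inputs below are constructed strings standing in for "sysctl -a" output,
# the live iptables rule and squid.conf.

SAMPLE_SYSCTL='net.ipv4.conf.gre0.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.ip_forward = 1'

# Rule and http_port line as they appear in Tino's working config.
WORKING_RULE='iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre0 --dport 80 -j TPROXY --on-port 80'
WORKING_SQUID='http_port 80 transparent tproxy vhost vport=80
always_direct allow all'

# Print every interface whose rp_filter is still non-zero. arp_filter lines
# also match "grep rp.filter", so select on the exact key name instead.
rp_filter_violations() {
    printf '%s\n' "$1" | awk -F'[ .=]+' '$5 == "rp_filter" && $6 != 0 { print $4 }'
}

# Exit 0 only when "net.ipv4.ip_forward = 1" appears in the sysctl output.
ip_forward_enabled() {
    printf '%s\n' "$1" | awk '$1 == "net.ipv4.ip_forward" { ok = ($3 == 1) } END { if (ok) exit 0; exit 1 }'
}

# Exit 0 when the TPROXY --on-port equals the port of the squid http_port line
# that carries the tproxy option; a mismatch means the kernel redirects
# connections to a port squid is not listening on.
tproxy_ports_consistent() {
    rule_port=$(printf '%s\n' "$1" | sed -n 's/.*--on-port \([0-9]*\).*/\1/p')
    squid_port=$(printf '%s\n' "$2" | awk '$1 == "http_port" && /tproxy/ { print $2; exit }')
    [ -n "$rule_port" ] && [ "$rule_port" = "$squid_port" ]
}

# Stand-alone run: report on the constructed sample (eth0 still has rp_filter on).
main() {
    bad=$(rp_filter_violations "$SAMPLE_SYSCTL")
    [ -z "$bad" ] && echo "rp_filter: ok" || echo "rp_filter still on: $bad"
    ip_forward_enabled "$SAMPLE_SYSCTL" && echo "ip_forward: ok" || echo "ip_forward: off"
    tproxy_ports_consistent "$WORKING_RULE" "$WORKING_SQUID" && echo "ports: ok" || echo "ports: mismatch"
}
main
```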
RE: [Devel] Re: [squid-users] TPROXY on squid-2.6S1
I'm using Debian 3.1 (sarge) with a 2.6.15.6 + cttproxy patch. I've attached a patch that fixes the 1024 fd bug, an NTLM auth bug, and allows NTLM auth to work with pipeline prefetching on. These problems should be fixed in the next squid release.

I would like to add the following to my previous list of requirements for tproxy + wccpv2:
- You must make sure rp_filter is disabled in the kernel
- You must make sure ip_forwarding is enabled in the kernel

Can you please check that you've enabled ip_forwarding in your kernel. If that doesn't work, I don't know if the vhost vport=80 is required in the http_port line in the squid config (we don't have these options enabled on our proxies).

I use the ip_wccp module to make the kernel handle the GRE packets correctly (which works slightly differently from the ip_gre module). Do you have a GRE tunnel set up in linux? If so, what command are you running to set it up? I don't have an example to give you here, but I'm sure other people are using the ip_gre module with wccp to handle the GRE packets, and should be able to help.

Regards
Steven

-----Original Message-----
From: tino [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 12 July 2006 12:53 PM
To: Steven Wilton; 'Adrian Chadd'
Cc: 'Kashif Ali Bukhari'; [EMAIL PROTECTED]; 'chima s'
Subject: Re: [Devel] Re: [squid-users] TPROXY on squid-2.6S1

Hi, Steven,

Many thanks for your config, I will immediately try it hands-on on my squid box.

May I know your distro kernel version? (for shortcut, in case: I am using fedora4 upgraded to kernel-2.6.15.7 with the cttproxy-2.6.15-2.0.4 patch from balabit)

Based on cachemgr, at least we need 2000-3000 file descriptors.

This is my last config which does not work: I saw wccp hit increments at the router, by redirecting packets to the squid-box.

    Service Identifier: 80
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 1123
    Redirect access-list: 155
    Total Packets Denied Redirect: 650922
    Total Packets Unassigned: 25043
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

    Service Identifier: 90
    Number of Cache Engines: 1
    Number of routers: 1
    Total Packets Redirected: 224
    Redirect access-list: 156
    Total Packets Denied Redirect: 206844
    Total Packets Unassigned: 17095
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0

I saw hit increments in iptables:
    Chain PREROUTING (policy ACCEPT 11517 packets, 2009K bytes)
     pkts bytes target  prot opt in   out  source    destination
       76 24942 TPROXY  all  --  any  any  anywhere  anywhere     TPROXY redirect 0.0.0.0:3128

But still no hit at access.log, and my host still can't open the web.

My last squid-box config:

#iptables:
    iptables -t tproxy -A PREROUTING -j TPROXY --on-port 3128

#part squid.conf:
    http_port 3128 transparent tproxy vhost vport=80
    always_direct allow all
    wccp2_router y.y.y.y
    wccp2_forwarding_method 1
    wccp2_return_method 1
    wccp2_service dynamic 80
    wccp2_service dynamic 90
    wccp2_service_info 80 protocol=tcp flags=dst_ip_hash priority=240 ports=80
    wccp2_service_info 90 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=80

#part of my cisco config:
    ip wccp 80 redirect-list 155
    ip wccp 90 redirect-list 156
    int fasteth0
      ip wccp 80 redirect out       (gateway to internet)
    int fasteth1
      ip wccp 90 redirect out       (my client gateway)
    int fasteth3
      ip wccp redirect exclude in   (squid-box attached here)
    access-list 155 permit ip host x.x.x.x any
    access-list 156 permit ip any host x.x.x.x

#modules:
    [EMAIL PROTECTED] sbin]# lsmod
    Module          Size  Used by
    ipt_TPROXY      2176  1
    iptable_tproxy 17708  1
    ip_nat         18604  1 iptable_tproxy
    ip_conntrack   49836  2 iptable_tproxy,ip_nat
    ip_tables      20096  2 ipt_TPROXY,iptable_tproxy
    ip_gre         13472  0

#sysctl:
    [EMAIL PROTECTED] sbin]# sysctl -a | grep rp.filter
    net.ipv4.conf.gre0.arp_filter = 0
    net.ipv4.conf.gre0.rp_filter = 0
    net.ipv4.conf.eth0.arp_filter = 0
    net.ipv4.conf.eth0.rp_filter = 0
    net.ipv4.conf.default.arp_filter = 0
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.all.arp_filter = 0
    net.ipv4.conf.all.rp_filter = 0
    net.ipv4.conf.lo.arp_filter = 0
    net.ipv4.conf.lo.rp_filter = 0

many thanks
regards,
Tino

----- Original Message -----
From: Steven Wilton [EMAIL PROTECTED]
To: 'Adrian Chadd' [EMAIL PROTECTED]; 'tino' [EMAIL PROTECTED]
Cc: 'Kashif Ali Bukhari' [EMAIL PROTECTED]; [EMAIL PROTECTED]; 'chima s' [EMAIL