On 10/08/17 15:48, Walter H. wrote:
Hello Eliezer
ip -6 rule is this
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
the two commands where
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100
ip6tables-save is this
<BEGIN>
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm
--to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128
-m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129
-m state --state NEW -j ACCEPT
I don't see anywhere in that INPUT list where the TPROXY'd traffic is
permitted to reach Squid.
Note that with TPROXY the packets are *not* labeled as going to port
3129 like NAT does. The exact same dst-IP:port details used by the
client are seen at this layer of iptables. It is just that they are seen
on the INPUT rather than FORWARD tables.
I would add a LOG line at the end of the rules to check whether the
above is the problem, then adjust your INPUT restrictions appropriately
to what the log line implies.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
