On 10/08/17 15:48, Walter H. wrote:
Hello Eliezer

ip -6 rule is this

0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

the two commands were

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this

# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT

I don't see anywhere in that INPUT list where the TPROXY'd traffic is permitted to reach Squid.

Note that with TPROXY the packets are *not* labeled as going to port 3129 like NAT does. The exact same dst-IP:port details used by the client are seen at this layer of iptables. It is just that they are seen on the INPUT rather than FORWARD tables.

I would add a LOG line at the end of the rules to check whether the above is the problem, then adjust your INPUT restrictions appropriately to what the log line implies.
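As an added example (not from this thread), a small Python script that reads the kind of kernel LOG lines a trailing `-j LOG` rule in INPUT would emit, separates the TPROXY'd packets (identifiable only by the fwmark 0x1 from the policy rule above, since DST/DPT remain the client's original values) from the rest, and builds an assumed mark-based ACCEPT rule; the log lines, prefix, hostnames and addresses are constructed.

```python
import re

# Constructed sample of what a trailing rule such as
#   ip6tables -A INPUT -j LOG --log-prefix "INPUT-END: "
# would write to the kernel log (prefix, host and addresses are made up).
SAMPLE_LOG = """\
Aug 10 05:30:11 gw kernel: INPUT-END: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0470:1f0b:09c8:0000:0000:0000:0042 DST=2a00:1450:4001:0800:0000:0000:0000:200e LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=80 WINDOW=64800 RES=0x00 SYN URGP=0 MARK=0x1
Aug 10 05:30:12 gw kernel: INPUT-END: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0470:1f0b:09c8:0000:0000:0000:0042 DST=2001:0470:1f0b:09c8:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51235 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TPROXY_MARK = "0x1"  # the fwmark used by the page's `ip -6 rule` (fwmark 0x1 lookup 100)


def parse_log_line(line):
    """Return the KEY=VALUE fields of one ip6tables LOG line as a dict."""
    _, _, payload = line.partition("kernel: ")
    return dict(FIELD_RE.findall(payload))


def is_tproxy_packet(fields, iface="br0"):
    """TPROXY'd packets keep the client's DST and DPT; the only trace that
    Squid is the real recipient is the policy-routing mark on the packet."""
    return fields.get("IN") == iface and fields.get("MARK") == TPROXY_MARK


def summarise(log_text):
    """Split logged packets into TPROXY'd flows and everything else,
    returning (proto, dst, dport) tuples for each group."""
    tproxy, other = [], []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields:
            continue
        entry = (fields.get("PROTO"), fields.get("DST"), fields.get("DPT"))
        (tproxy if is_tproxy_packet(fields) else other).append(entry)
    return tproxy, other


def suggested_accept_rule(iface="br0"):
    """Assumed INPUT rule admitting only the marked (TPROXY'd) TCP flows;
    it matches the mark because a --dport 3129 match never sees them."""
    return f"-A INPUT -i {iface} -m mark --mark {TPROXY_MARK} -p tcp -j ACCEPT"


if __name__ == "__main__":
    diverted, rest = summarise(SAMPLE_LOG)
    print("TPROXY'd:", diverted)
    print("other:   ", rest)
    print("candidate rule:", suggested_accept_rule())
```

Run it against real `dmesg` or syslog output by replacing SAMPLE_LOG; any TCP flow that lands in the TPROXY'd group but is dropped at the end of INPUT is the case described above.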

squid-users mailing list
