________________________________________
From: Ritter, Nicholas 
Sent: Wednesday, May 27, 2009 12:04 PM
To: 'Manish P. Govindji'
Subject: RE: Re[2]: squid with tproxy

I remember something important....if you are using a more recent version of 
TPROXY than what is stated in the squid wiki article....I think the method by 
which TPROXY is configured in iptables changed a bit to make it more to the 
liking of the netfilter and kernel developers in an effort to get the TPROXY 
code included into the netfilter and kernel release code.

My setup and the wiki article I wrote are from before these changes, and I have 
not worked with TPROXY since, so that could be the issue here. I have not 
downloaded the latest TPROXY code to be sure though. And I think I might have 
actually seen TPROXY included in the most recent (i.e. 2.6.29) kernel as 
experimental.

I have been meaning to set up a new squid/tproxy system and update the wiki 
article...just have not gotten to it yet. I suggest taking a look at the readme 
with the latest tproxy source code, or even looking at your kernel config to 
see which tproxy version is being used. If you do a dmesg command and look for 
the TProxy module loading, I think it tells you what version it is.

Nick

________________________________________
From: Manish P. Govindji [mailto:[email protected]] 
Sent: Wednesday, May 27, 2009 11:43 AM
To: Ritter, Nicholas
Cc: squid-users
Subject: Re[2]: squid with tproxy


Thanks a lot for the reply, I am already tired of pulling my hair out over this one.

Sorry, typo, it's 3128.

I do not have the file /etc/sysconfig/iptables; I use iptables in rc.local:

#####################

#Increase Squid file Descriptors
ulimit -HSn 30720

#Start caches
/usr/sbin/squid

#Enable Forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward

#disable rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

#DIVERT chain: mark the packet and stop processing the mangle table
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

#Packets belonging to an existing local socket are marked; new port-80
#connections are redirected to squid's TPROXY port
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

#Route marked packets to the local host
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# defences
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit

#Allow established sessions to continue
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


########################

I am using squid as the gateway; all the PCs are on public IPs and squid is also on 
a public IP as the gateway PC. (It was working as a transparent cache, but I wanted to use 
TPROXY.)

Rgds,

________________________________________
-----Original Message-----
From: "Ritter, Nicholas" <[email protected]>
To: "Manish govindji" <[email protected]>
Cc: "squid-users" <[email protected]>
Date: 27-05-2009 18:47
Subject: RE: squid with tproxy
Port 3128, or 1328? The default port is 3128, but is configurable.
 
 
Your rules are not right...you are marking, as you should, but not redirecting 
to the squid port. In addition to sending the output of the raw iptables 
command, send the contents of /etc/sysconfig/iptables.
 
I think the problem is partly in the rules setup. Are you using wccp as well, 
and/or a gre interface?
 
Also, make sure you have Full NAT enabled in the kernel. Looks like that is ok 
though.
 
 
________________________________________
From: Manish govindji [mailto:[email protected]] 
Sent: Wednesday, May 27, 2009 6:06 AM 
To: [email protected] 
Subject: squid with tproxy
 
Hello Nicholas,
 
I have been trying to compile squid with tproxy but am failing; I have searched 
all over Google but found nothing of help.
 
I have CentOS 5.3, installed a custom kernel 2.6.28, iptables 1.4.3 and squid 3.1.
 
In compiling the custom kernel, I copied the old config and added the below:
 
NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY
 
When I do iptables stat:
 
[r...@gateway ~]# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
The packets do not get to squid on port 1328; even if I kill squid the PC can 
still browse.
 
Can you help? Either I am missing a step or something is not right; I have followed 
the latest steps in the wiki.
 
 
Rgds,
 
Manish.
 
$=========================$
Manish P. Govindji.
Modern Computer Centre Ltd.
P. O. Box 4225, Zanzibar, Tanzania.
tel: +255.24.2235928 / 9, fax: +255.24.2230343
[email protected]
................................
"Every man dies. Not every man lives." 
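The listing Manish posted and Nick's diagnosis (the DIVERT chain is never referenced and nothing redirects to the squid port) can be turned into a mechanical check. The script below is an added example, not code from the thread or from the Squid project: it reads `iptables -t mangle -L -v -n` output and reports which TPROXY pieces are missing, including an on-port that differs from the port squid listens on. Both listings are constructed samples; the "working" one assumes an on-port of 3128.

```shell
#!/bin/sh
# Added example, not from the thread: read `iptables -t mangle -L -v -n`
# on stdin and report what a squid TPROXY setup is missing: a referenced
# DIVERT chain, the '-m socket -j DIVERT' and TPROXY rules in PREROUTING,
# and a TPROXY on-port equal to the port squid listens on (first argument).
tproxy_listing_problems() {
    awk -v want="$1" '
        /^Chain DIVERT/     { divert_refs = substr($3, 2) + 0 }   # "(0" -> 0
        /^Chain PREROUTING/ { in_pre = 1; next }
        /^Chain /           { in_pre = 0 }
        in_pre && $3 == "DIVERT" && /socket/ { have_socket = 1 }
        in_pre && $3 == "TPROXY" {
            have_tproxy = 1
            if (match($0, /redirect [0-9.]*:[0-9]+/)) {
                port = substr($0, RSTART, RLENGTH); sub(/.*:/, "", port)
            }
        }
        END {
            if (divert_refs + 0 == 0)
                print "DIVERT chain has 0 references: nothing in PREROUTING jumps to it"
            if (!have_socket)
                print "no \"-m socket -j DIVERT\" rule in PREROUTING: packets of connections squid already intercepted are not marked for local delivery"
            if (!have_tproxy)
                print "no TPROXY target in PREROUTING: port-80 traffic is never redirected to squid"
            else if (port != want)
                print "TPROXY redirects to port " port " but squid listens on " want
        }'
}
# Number of problems found (0 means the listing has every piece).
count_tproxy_problems() { tproxy_listing_problems "$1" | awk 'END { print NR }'; }

# Constructed samples: the first mirrors the listing posted in the thread
# (DIVERT unreferenced, PREROUTING empty); the second is a working layout.
SAMPLE_BROKEN='Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain DIVERT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xor 0x1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_FIXED='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
    0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1
Chain DIVERT (1 references)'

printf '%s\n' "$SAMPLE_BROKEN" | tproxy_listing_problems 3128   # three problems
printf '%s\n' "$SAMPLE_FIXED"  | tproxy_listing_problems 3128   # prints nothing
```

Run it against a live box with `iptables -t mangle -L -v -n | tproxy_listing_problems 3128`, substituting the http_port squid actually binds.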
