Re: [squid-users] TPROXY 4

From: johan firdianto <johanfirdi_at_gmail.com>
Date: Sat, 17 Oct 2009 08:32:03 +0700

Make sure your triangle routing is working.
Packets coming from the internet should be routed to your squid first, and
then passed to your client.
Because your squid comes with a single interface, the setup in your router
will be complicated.
Whether your squid is in a DMZ area or not, there will be different ways to set up
triangle routing.
It would be better if you posted your network configuration.
The easiest way is to make your squid act as a bridge with a double interface.
I think your squid configuration is right.
No need for enable-linux-tproxy to compile; that option is just for the old tproxy.

Johan

2009/8/31 Farhad Ibragimov <inara.ibragimova_at_gmail.com>:
> Hello,
>
>
> I am having some trouble redirecting port 80 traffic to 3129 using
> tproxy for transparent proxying.
> The SYNs come in but there is no SYN-ACK going out.
>
> Please help me!!!!!
>
> My server has only one single interface with global IP addresses, which
> connects directly to the internet.
>
>
>
> Detailed information from my server:
>
> #######################################################################
> Squid Cache: Version 3.1.0.13
> configure options: '--enable-linux-netfilter' '--prefix=/squid/' --with-squid=/src/squid-3.1.0.13 --enable-ltdl-convenience
> [root_at_proxymain sysconfig]# cat /squid/etc/squid.conf
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl test src 85.132.47.0/24
> acl test2 src 85.132.32.0/24
> acl test3 src 62.212.227.0/24
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3129
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow test
> http_access allow test2
> http_access allow test3
> http_access deny all
> http_port 3128
> http_port 3129 tproxy
> hierarchy_stoplist cgi-bin ?
> coredump_dir /squid/var/cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname proxymain
> cache_dir ufs /cache 6000 16 256
> ######################################################################
> [root_at_proxymain sysconfig]# iptables -V (DOWNLOADED FROM NETFILTER.ORG, NOT PATCHED)
> iptables v1.4.3
> #######################################################################
> [root_at_proxymain sysconfig]# uname -a (DOWNLOADED FROM KERNEL.ORG, WITHOUT ANY PATCHES FROM BALABIT)
> Linux 2.6.30.5-second #1 SMP Sun Aug 30 22:45:27 AZST 2009 x86_64 x86_64 x86_64 GNU/Linux
> #######################################################################
> Chain PREROUTING (policy ACCEPT)
>
> target prot opt source destination
> DIVERT tcp -- anywhere anywhere socket
> TPROXY tcp -- anywhere anywhere tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain DIVERT (1 references)
> target prot opt source destination
> MARK all -- anywhere anywhere MARK xset 0x1/0xffffffff
> ACCEPT all -- anywhere anywhere
> #######################################################################
>
> [root_at_proxymain sysconfig]# ip rule ls
> 0: from all lookup 255
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
> #####################################################################
> [root_at_proxymain sysconfig]# ip route ls table 100
> local default dev lo scope host
> #####################################################################
>
> [root_at_proxymain sysconfig]# lsmod | egrep "xt|nf"
> nf_nat 18924 1 iptable_nat
> nf_conntrack_ipv4 14448 3 iptable_nat,nf_nat
> xt_TPROXY 2616 1
> xt_tcpudp 3544 1
> xt_MARK 3064 1
> xt_socket 2904 1
> nf_tproxy_core 3160 2 xt_TPROXY,xt_socket,[permanent]
> nf_conntrack 68208 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> nf_defrag_ipv4 2456 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
> x_tables 22624 6 iptable_nat,ip_tables,xt_TPROXY,xt_tcpudp,xt_MARK,xt_socket
> i2c_nforce2 7768 0
> i2c_core 25568 1 i2c_nforce2
> ext3 123528 2
> jbd 46848 1 ext3
> ######################################################################
> [root_at_proxymain sysconfig]# tcpdump -nn -i eth0 port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
> 00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
> 00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
> 00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 win 65535
> 00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . ack 413 win 6432
> 00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
> 00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
> 00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
> 00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 0,nop,wscale 7>
> #######################################################################
> 2009/08/30 23:31:56| Starting Squid Cache version 3.1.0.13 for x86_64-unknown-linux-gnu...
> 2009/08/30 23:31:56| Process ID 12787
> 2009/08/30 23:31:56| With 1024 file descriptors available
> 2009/08/30 23:31:56| Initializing IP Cache...
> 2009/08/30 23:31:56| DNS Socket created at 0.0.0.0, FD 7
> 2009/08/30 23:31:56| Adding domain caspel.com from /etc/resolv.conf
> 2009/08/30 23:31:56| Adding nameserver 85.132.32.41 from /etc/resolv.conf
> 2009/08/30 23:31:56| Adding nameserver 85.132.32.42 from /etc/resolv.conf
> 2009/08/30 23:31:56| Unlinkd pipe opened on FD 12
> 2009/08/30 23:31:56| Store logging disabled
> 2009/08/30 23:31:56| Swap maxSize 6144000 + 262144 KB, estimated 492780 objects
> 2009/08/30 23:31:56| Target number of buckets: 24639
> 2009/08/30 23:31:56| Using 32768 Store buckets
> 2009/08/30 23:31:56| Max Mem size: 262144 KB
> 2009/08/30 23:31:56| Max Swap size: 6144000 KB
> 2009/08/30 23:31:56| Version 1 of swap file without LFS support detected...
> 2009/08/30 23:31:56| Rebuilding storage in /cache (CLEAN)
> 2009/08/30 23:31:56| Using Least Load store dir selection
> 2009/08/30 23:31:56| Set Current Directory to /squid/var/cache
> 2009/08/30 23:31:56| Loaded Icons.
> 2009/08/30 23:31:56| Accepting HTTP connections at 0.0.0.0:3128, FD 15.
> 2009/08/30 23:31:56| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 16.
> 2009/08/30 23:31:56| HTCP Disabled.
> 2009/08/30 23:31:56| Squid modules loaded: 0
> 2009/08/30 23:31:56| Ready to serve requests.
> 2009/08/30 23:31:56| Done reading /cache swaplog (0 entries)
> 2009/08/30 23:31:56| Finished rebuilding storage from disk.
> 2009/08/30 23:31:56| 0 Entries scanned
> 2009/08/30 23:31:56| 0 Invalid entries.
> 2009/08/30 23:31:56| 0 With invalid flags.
> 2009/08/30 23:31:56| 0 Objects loaded.
> 2009/08/30 23:31:56| 0 Objects expired.
> 2009/08/30 23:31:56| 0 Objects cancelled.
> 2009/08/30 23:31:56| 0 Duplicate URLs purged.
> 2009/08/30 23:31:56| 0 Swapfile clashes avoided.
> 2009/08/30 23:31:56| Took 0.01 seconds ( 0.00 objects/sec).
> 2009/08/30 23:31:56| Beginning Validation Procedure
> 2009/08/30 23:31:56| Completed Validation Procedure
> 2009/08/30 23:31:56| Validated 25 Entries
> 2009/08/30 23:31:56| store_swap_size = 0
> 2009/08/30 23:31:57| storeLateRelease: released 0 objects
> [root_at_proxymain sysconfig]#
>
> 1251655621.226 155982 85.132.32.40 TCP_MISS/503 4143 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org text/html
> 1251655621.226 107693 85.132.47.219 TCP_MISS/503 4151 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org text/html
> 1251655621.230 0 85.132.32.40 TCP_MISS/503 4143 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/www.squid-cache.org text/html
> 1251655646.107 6457 85.132.47.219 TCP_MISS/000 0 GET http://www.google.az/ - DIRECT/www.google.az -
> 1251655658.226 60014 85.132.47.219 TCP_MISS/504 4510 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/safebrowsing.clients.google.com text/html
> 1251656346.912 21227 85.132.32.40 TCP_MISS/000 0 GET http://194.87.0.50/ - DIRECT/194.87.0.50 -
> 1251656526.724 179798 85.132.32.40 TCP_MISS/504 3977 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251656586.724 59968 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251656867.544 88637 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657043.812 176266 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657101.539 60109 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657207.136 64675 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657387.522 180384 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657567.525 179983 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251657569.936 9407 85.132.47.219 TCP_MISS/000 0 GET http://85.132.32.34/ - DIRECT/85.132.32.34 -
> 1251657725.527 180669 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657905.534 179988 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251658194.669 112560 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251658283.066 88394 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251658463.543 180476 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251658643.547 179986 85.132.32.40 TCP_MISS/504 4069 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251659072.554 60493 85.132.32.40 TCP_MISS/504 4473 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/74.125.87.100 text/html
> 1251659703.563 181155 85.132.32.40 TCP_MISS/504 4018 GET http://www.ru/ - DIRECT/194.87.0.50 text/html
> --
>
> Best regards,
> Farhad mailto:inara.ibragimova_at_gmail.com
>
>
Received on Sat Oct 17 2009 - 01:32:10 MDT
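As an added diagnostic (not code from either poster), the following parses the tcpdump lines quoted above and flags the symptom Johan's reply points at: Squid's upstream SYN leaves with the client's address spoofed as its source, and when the return path from the internet does not pass back through the Squid host, the SYN-ACK never arrives and the spoofed SYN is only retransmitted. The capture is embedded as constructed sample input taken from the thread, and the proxy address 85.132.32.34 is assumed from it.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump lines from the thread (85.132.32.34 is Squid, 85.132.32.40 the client).
CAPTURE = """\
00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
"""

# Matches the tcpdump 3.x "IP a.b.c.d.port > e.f.g.h.port: F ..." line shape used above.
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S)")

def parse(line):
    """Return (src, sport, dst, dport, flag, has_ack) or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flag = m.groups()
    return src, int(sport), dst, int(dport), flag, " ack " in line

def find_half_open(capture):
    """Map each (src, sport, dst, dport) whose SYNs never drew a SYN-ACK to its SYN count."""
    syns = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport, flag, has_ack = p
        if flag != "S":
            continue
        if has_ack:
            # A SYN-ACK answers the reverse flow; key it the way that flow was keyed.
            answered.add((dst, dport, src, sport))
        else:
            syns[(src, sport, dst, dport)] += 1
    return {flow: n for flow, n in syns.items() if flow not in answered}

def spoofed_sources(half_open, proxy_ip):
    """Unanswered SYNs on the proxy's interface whose source is not the proxy's own address:
    client addresses Squid spoofed (http_port ... tproxy) whose replies never came back via the proxy."""
    return sorted({flow[0] for flow in half_open if flow[0] != proxy_ip})

if __name__ == "__main__":
    print(spoofed_sources(find_half_open(CAPTURE), "85.132.32.34"))
```

On the thread's capture this reports the client address 85.132.32.40 as the spoofed source of three unanswered SYNs to 194.87.0.50, while the client's own handshake with Squid on port 80 completed normally.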

This archive was generated by hypermail 2.2.0 : Sat Oct 17 2009 - 12:00:03 MDT