Re: [squid-users] Implement Tproxy on Debian squeeze

From: David Touzeau <david_at_touzeau.eu>
Date: Fri, 02 Mar 2012 23:24:20 +0100

Yucong and Eliezer ... You are definitely right

In fact the tproxy using your method exists on the Debian squeeze kernel.
That's good

But now I have an issue using the tproxy mode.

I have set the network in kernel
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.eth0.send_redirects=0
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

I have set the routing rules mentioned on the wiki pages;
routes added:

# ip rule add fwmark 1 lookup 100
# ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

# ip route list table 100
local default dev eth0 scope host

#ip rule
0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32763: from all fwmark 0x1 lookup 100
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100

enabled squid with

http_port 3128 tproxy
http_port 3129

But now I'm unable to go through to the internet.
When I force the browser to pass through the 3129 port I can browse.
But it fails with a timeout when I set the browser to go directly to the
Internet.

I think there is an issue with iptables.
On http://wiki.squid-cache.org/Features/Tproxy4

it is mentioned that if there is a timeout, it means that you need to
check that the /DIVERT/ is done before the /TPROXY/ rules in the iptables
*PREROUTING* chain,
but I have added the iptables rules in the "strict order" mentioned and
iptables-save always displays:

-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT

You can see that DIVERT is after the TPROXY rules.
Perhaps the iptables-save command lists items sorted by rule type...?
Is the issue the order of the iptables rules? So why does adding the rules in the
strict order always put DIVERT at the end?

Best regards

On 02/03/2012 20:16, Yucong Sun (叶雨飞) wrote:
> I think what happens is the document seems to be wrong, the kernel
> already has TPROXY compiled in, look for /boot/config-xxxx and
> search for TPROXY, it should say "m".
>
> for the iptables rules, you will need to use mangle table, there's no
> tproxy table anymore.
>
> as such
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port
> <proxyport> \
> --tproxy-mark 0x1/0x1
>
>
> on my machine ubuntu 10.04 LTS, Linux fullcenter 2.6.32-37-server
> #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux
> I have TPROXY 4.1.0 included, not sure about debian.
>
> [5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> [5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>
>
> However, I do want to add an additional question, suppose my proxy
> machine will be acting as network gateway to my LAN, can I simply
> achieve the same effect by simply
> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT
> 127.0.0.1:xxxx ??? why was tproxy needed in the first place?
>
> Thanks.
>
> On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau<david_at_touzeau.eu> wrote:
>> There is bad news, backports did not change anything regarding Tproxy.
>> Only kernel 3.2x is available on the backports repository.
>>
>> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
>> apt-get install -t squeeze-backports upgrade
>> reboot
>> my kernel is now
>> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11
>> 14:57:20 UTC 2012 i686 GNU/Linux
>>
>>
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY
>> --on-port 80
>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be
>> ignored in a future release.
>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not
>> exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded
>>
>> grep -i iptables /boot/config-`uname -r`
>> CONFIG_IP_NF_IPTABLES=m
>> CONFIG_IP6_NF_IPTABLES=m
>> # iptables trigger is under Netfilter config (LED target)
>>
>> SNIF, SNIF
>>
>>
>> On 02/03/2012 17:03, David Touzeau wrote:
>>
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
>>> TPROXY --on-port 80
>
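An added sanity check, not part of this thread or of the Squid wiki: a small Python script that parses iptables-save and "ip rule" output like the listings quoted above and verifies the wiring the Tproxy4 wiki page asks for, namely that the socket-match DIVERT rule precedes the TPROXY rule within the PREROUTING chain, that the mark set by the DIVERT chain equals the --tproxy-mark used by TPROXY, and that a policy-routing rule for that fwmark exists (and how many times it was added). It relies on the fact that iptables-save prints every rule as "-A <chain> ...", so the "-A DIVERT" lines are the body of the user-defined DIVERT chain and only lines whose chain is PREROUTING decide the order. The sample inputs are copied from the thread's own listings; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample inputs, copied from the thread's iptables-save (mangle
# table) and "ip rule" listings.
IPTABLES_SAVE = """\
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""

IP_RULE = """\
0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32763:  from all fwmark 0x1 lookup 100
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
"""


def parse_chains(text):
    """Group iptables-save '-A <chain> <rule>' lines by chain, in order.

    '-A DIVERT ...' lines are the body of the DIVERT chain, not PREROUTING
    rules, so they never affect the PREROUTING ordering.
    """
    chains = OrderedDict()
    for line in text.splitlines():
        m = re.match(r"\s*-A\s+(\S+)\s+(.*\S)", line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def first_index(rules, *needles):
    """Index of the first rule containing every needle, or None."""
    for i, rule in enumerate(rules):
        if all(n in rule for n in needles):
            return i
    return None


def hex_option(rule, option):
    """Value of '--<option> 0xNN[/mask]' as an int, or None if absent."""
    m = re.search(r"--%s\s+(0x[0-9a-fA-F]+)" % option, rule)
    return int(m.group(1), 16) if m else None


def check_tproxy_setup(iptables_text, ip_rule_text):
    """Return findings about the TPROXY/DIVERT wiring as a dict."""
    chains = parse_chains(iptables_text)
    pre = chains.get("PREROUTING", [])
    divert_idx = first_index(pre, "-m socket", "-j DIVERT")
    tproxy_idx = first_index(pre, "-j TPROXY")

    tproxy_mark = (hex_option(pre[tproxy_idx], "tproxy-mark")
                   if tproxy_idx is not None else None)
    divert_marks = [hex_option(r, "set-xmark") for r in chains.get("DIVERT", [])]
    divert_mark = next((m for m in divert_marks if m is not None), None)

    # Every "fwmark 0xN lookup <table>" policy rule, as integers.
    fwmark_rules = [int(m, 16) for m in
                    re.findall(r"fwmark\s+(0x[0-9a-fA-F]+)\s+lookup", ip_rule_text)]

    return {
        "divert_chain_defined": "DIVERT" in chains,
        "divert_before_tproxy": (divert_idx is not None and tproxy_idx is not None
                                 and divert_idx < tproxy_idx),
        "tproxy_mark": tproxy_mark,
        "divert_mark": divert_mark,
        "marks_match": tproxy_mark is not None and tproxy_mark == divert_mark,
        # >1 means "ip rule add" was repeated; harmless but worth cleaning up.
        "fwmark_rule_count": sum(1 for m in fwmark_rules if m == tproxy_mark),
    }


if __name__ == "__main__":
    for key, value in check_tproxy_setup(IPTABLES_SAVE, IP_RULE).items():
        print("%-22s %s" % (key, value))
```

Feed it the live output of `iptables-save -t mangle` and `ip rule` instead of the embedded samples to check a running box; a `divert_before_tproxy` of False is the condition the wiki's timeout note refers to.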
Received on Fri Mar 02 2012 - 22:24:33 MST

This archive was generated by hypermail 2.2.0 : Sat Mar 03 2012 - 12:00:02 MST