Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

From: johan firdianto <johanfirdi_at_gmail.com>
Date: Tue, 7 Jul 2009 21:45:24 +0700

Hold on, I lack the connection tracking NAT compile option.
Let me compile first.

On Tue, Jul 7, 2009 at 9:15 PM, Ritter, Nicholas <Nicholas.Ritter_at_americantv.com> wrote:
> Bridging is a completely different beast...I have not done a bridging
> solution, so I can't help as much...with bridging I think you don't use
> iptables, but the bridging netfilter tables. That is probably the issue.
>
>
> -----Original Message-----
> From: johan firdianto [mailto:johanfirdi_at_gmail.com]
> Sent: Tuesday, July 07, 2009 1:50 AM
> To: Ritter, Nicholas
> Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency
> steps.
>
> Hi Nick,
>
> I already tried your example above, with the exception that I'm using a bridge
> with 2 Ethernet interfaces, not WCCP.
> But I don't see anything in access_log when I try to browse some
> sites.
> But I could still open the sites.
>
> 2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
> 2009/07/07 21:44:17| FD 10 Closing HTTP connection
> 2009/07/07 21:44:17| FD 13 Closing HTTP connection
> 2009/07/07 21:44:17| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
> 2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
> 2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip spoofing enabled)
> 2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception enabled)
> 2009/07/07 21:44:17| Initializing https proxy context
> 2009/07/07 21:44:17| DNS Socket created at [::], FD 10
> 2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
> 2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from /etc/resolv.conf
> 2009/07/07 21:44:17| Accepting HTTP connections at [::]:3128, FD 11.
> 2009/07/07 21:44:17| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 13.
> 2009/07/07 21:44:17| HTCP Disabled.
> 2009/07/07 21:44:17| Loaded Icons.
> 2009/07/07 21:44:17| Ready to serve requests.
>
> iptables -t mangle -L -xvn
> Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
> pkts bytes target prot opt in out source destination
> 7326 946003 DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
> 3661 949270 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain DIVERT (1 references)
> pkts bytes target prot opt in out source destination
> 7326 946003 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
> 7326 946003 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> ip rule
> 0: from all lookup 255
> 32764: from all fwmark 0x1 lookup tproxy
> 32765: from all fwmark 0x1 lookup tproxy
> 32766: from all lookup main
> 32767: from all lookup default
>
> ip route show table 100
> local default dev lo scope host
>
>
>
>
>
> On Thu, Jul 2, 2009 at 11:31 AM, Ritter, Nicholas <Nicholas.Ritter_at_americantv.com> wrote:
>> I have not finished updating the wiki article for the CentOS example, BTW.
>>
>> I will do this by tomorrow or possibly tonight yet.
>>
>> Nick
>>
>>
>> -----Original Message-----
>> From: adrian.chadd_at_gmail.com [mailto:adrian.chadd_at_gmail.com] On Behalf Of Adrian Chadd
>> Sent: Wednesday, July 01, 2009 11:10 PM
>> To: Alexandre DeAraujo
>> Cc: Ritter, Nicholas; squid-users
>> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.
>>
>> This won't work. You're only redirecting half of the traffic flow with
>> the wccp web-cache service group. The tproxy code is probably
>> correctly trying to originate packets -from- the client IP address to
>> the upstream server but because you're only redirecting half of the
>> packets (ie, packets from original client to upstream, and not also
>> the packets from the upstream to the client <- and this is the flow
>> that needs to be hijacked!) things will "hang".
>>
>> You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
>> setup. There are two service groups configured - 80 and 90 - which
>> redirect client -> server and server->client respectively. They have
>> the right bits set in the service group definitions to redirect the
>> traffic correctly.
>>
>> The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
>> find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
>> then combine that with the TPROXY4 rules. That is fine for me (I know
>> a thing or two about this) but it should all be made much, much
>> clearer for people trying to set this up.
>>
>> As I suggested earlier, you may wish to consider fleshing out an
>> interception section in the Wiki complete with explanations about how
>> all of the various parts of the puzzle hold together.
>>
>> 2c,
>>
>>
>> adrian
>>
>> 2009/7/2 Alexandre DeAraujo <alexd_at_cal.net>:
>>> I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.
>>>
>>> Here is the setup:
>>> Router:
>>> Cisco 7200 IOS 12.4(25)
>>> ip wccp web-cache redirect-list 11
>>> access-list 11 permits only selective ip addresses to use wccp
>>>
>>> Wan interface (Serial)
>>> ip wccp web-cache redirect out
>>>
>>> Global WCCP information:
>>> Router information:
>>> Router Identifier: 192.168.20.1
>>> Protocol Version: 2.0
>>>
>>> Service Identifier: web-cache
>>> Number of Service Group Clients: 1
>>> Number of Service Group Routers: 1
>>> Total Packets s/w Redirected: 8797
>>> Process: 4723
>>> Fast: 0
>>> CEF: 4074
>>> Redirect access-list: 11
>>> Total Packets Denied Redirect: 124925546
>>> Total Packets Unassigned: 924514
>>> Group access-list: -none-
>>> Total Messages Denied to Group: 0
>>> Total Authentication failures: 0
>>> Total Bypassed Packets Received: 0
>>>
>>> WCCP Client information:
>>> WCCP Client ID: 192.168.20.2
>>> Protocol Version: 2.0
>>> State: Usable
>>> Initial Hash Info: 00000000000000000000000000000000
>>> 00000000000000000000000000000000
>>> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>> Hash Allotment: 256 (100.00%)
>>> Packets s/w Redirected: 306
>>> Connect Time: 00:21:33
>>> Bypassed Packets
>>> Process: 0
>>> Fast: 0
>>> CEF: 0
>>> Errors: 0
>>>
>>> Clients are on FEthernet0/1
>>> Squid server is the only device on FEthernet0/3
>>> --------------------------------------------------------------------
>>> Squid Server:
>>> eth0 Link encap:Ethernet HWaddr 00:14:22:21:A1:7D
>>> inet addr:192.168.20.2 Bcast:192.168.20.7 Mask:255.255.255.248
>>> inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>> RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:1000
>>> RX bytes:335149 (327.2 KiB) TX bytes:394943 (385.6 KiB)
>>>
>>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
>>> inet addr:192.168.20.2 Mask:255.255.255.248
>>> UP RUNNING NOARP MTU:1476 Metric:1
>>> RX packets:400 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:0
>>> RX bytes:31760 (31.0 KiB) TX bytes:0 (0.0 b)
>>> --------------------------------------------------------------------
>>> /etc/rc.d/rc.local file:
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>> modprobe ip_gre
>>> ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>> --------------------------------------------------------------------
>>> /etc/sysconfig/iptables file:
>>> # Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
>>> *mangle
>>> :PREROUTING ACCEPT [166:11172]
>>> :INPUT ACCEPT [164:8718]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [130:12272]
>>> :POSTROUTING ACCEPT [130:12272]
>>> :DIVERT - [0:0]
>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>> -A DIVERT -j ACCEPT
>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
>>> COMMIT
>>> # Completed on Wed Jul 1 03:32:55 2009
>>> # Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [160:15168]
>>> :RH-Firewall-1-INPUT - [0:0]
>>> -A INPUT -i gre0 -j ACCEPT
>>> -A INPUT -p gre -j ACCEPT
>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>> -A INPUT -j RH-Firewall-1-INPUT
>>> -A FORWARD -j RH-Firewall-1-INPUT
>>> -A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>> # Completed on Wed Jul 1 03:32:55 2009
>>>
>>> ---------------------squid.conf------------------------------------
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl testing src 10.10.10.0/24
>>> acl SSL_ports port 443
>>> acl SSL_ports port 8443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 8443 # Plesk
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access allow testing
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localnet
>>> http_access deny all
>>> http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
>>> hierarchy_stoplist cgi-bin ?
>>> hosts_file /etc/hosts
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> coredump_dir /var/spool/squid
>>>
>>> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
>>> access_log /var/log/squid/access.log squid
>>> cache_access_log /var/log/squid/access.log
>>> cache_log /var/log/squid/cache.log
>>> cache_store_log /var/log/squid/store.log
>>> debug_options ALL,3
>>>
>>> cache allow testing
>>> cache deny all
>>> cache_dir ufs /var/spool/squid 200000 256 256
>>> cache_effective_user squid
>>> cache_swap_high 100%
>>> cache_swap_low 80%
>>> cache_mem 2 GB
>>> maximum_object_size 8192 KB
>>> half_closed_clients on
>>> client_db off
>>>
>>> wccp2_router 192.168.20.1
>>> wccp_version 2
>>> wccp2_rebuild_wait on
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_assignment_method 1
>>> wccp2_service standard 0
>>>
>>> visible_hostname Server
>>>
>>> forwarded_for off
>>> ---------------------------------end of squid.conf-------------------------------------
>>> This is the timeout error when trying to go to www.google.com
>>>
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> The following error was encountered while trying to retrieve the URL: http://www.google.com/
>>>
>>> Connection to 74.125.45.100 failed.
>>>
>>> The system returned: (110) Connection timed out
>>>
>>> The remote host or network may be down. Please try the request again.
>>>
>>> Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)
>>>
>>>
>>> Thanks for your help,
>>>
>>> Alex
>>>
>>>
>>>
>>>
>>
>>
>
>
Received on Tue Jul 07 2009 - 14:45:34 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 07 2009 - 12:00:02 MDT
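A consistency check for the TPROXY pieces discussed in this thread (the mangle DIVERT/TPROXY rules, the fwmark policy route, Squid's http_port and the WCCP service groups Adrian mentions), added here as an example; it is not code from any of the posters or from the Squid project. The sample outputs are constructed from the configuration quoted above; the function name and the choice of table 100 are assumptions.

```python
import re

# Constructed samples, modelled on the configuration quoted in the thread.
MANGLE = """\
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
"""
IP_RULE = "32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
ROUTE_100 = "local default dev lo scope host\n"   # ip route show table 100
SQUID_CONF = """\
http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
wccp2_service standard 0
"""

def check_tproxy(mangle, ip_rule, route_table, squid_conf):
    """Return the inconsistencies found; an empty list means the pieces agree."""
    problems = []
    tp = re.search(r"-j TPROXY --on-port (\d+) --on-ip (\S+) --tproxy-mark 0x([0-9a-fA-F]+)/", mangle)
    if not tp:
        return ["no TPROXY rule in the mangle table"]
    on_port, on_ip, mark = tp.group(1), tp.group(2), int(tp.group(3), 16)
    # '-m socket -j DIVERT' must come before TPROXY so packets of flows Squid
    # already owns are only marked for local delivery, not redirected again.
    pre = [l for l in mangle.splitlines() if l.startswith("-A PREROUTING")]
    if not pre or "-m socket -j DIVERT" not in pre[0]:
        problems.append("socket-match DIVERT rule missing or not first in PREROUTING")
    dv = re.search(r"-A DIVERT -j MARK --set-xmark 0x([0-9a-fA-F]+)/", mangle)
    if not dv or int(dv.group(1), 16) != mark:
        problems.append("DIVERT mark differs from --tproxy-mark")
    # The mark must select a policy-routing table that delivers everything via lo.
    rule = re.search(r"fwmark 0x([0-9a-fA-F]+) lookup \S+", ip_rule)
    if not rule or int(rule.group(1), 16) != mark:
        problems.append("no 'ip rule' entry for fwmark 0x%x" % mark)
    if "local default dev lo" not in route_table:
        problems.append("policy-routing table lacks 'local default dev lo'")
    # Squid must listen in tproxy mode on exactly the --on-ip/--on-port pair.
    hp = re.search(r"^http_port (\S+):(\d+)(.*)$", squid_conf, re.M)
    if not hp or (hp.group(1), hp.group(2)) != (on_ip, on_port):
        problems.append("http_port does not match TPROXY --on-ip/--on-port")
    elif "tproxy" not in hp.group(3).split():
        problems.append("http_port lacks the tproxy flag")
    # With WCCP, spoofing the client address needs both directions of the flow
    # redirected (two dynamic service groups), not only web-cache (standard 0).
    svc = re.findall(r"^wccp2_service (\w+) (\d+)", squid_conf, re.M)
    if svc and all(kind == "standard" for kind, _ in svc):
        problems.append("only the standard web-cache service group is configured; TPROXY needs the reverse flow redirected too")
    return problems
```

On the constructed sample the only finding is the WCCP one, which is the mismatch Adrian describes; the other checks catch the port/mark mistakes that make interception silently fall through.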