Hello!
I am using:
- Slackware Linux Bridge working fine (eth0 = Internet and eth1 = Users)
- Latest 2.6.37 kernel
- Iptables 1.4.9
- Ebtables 2.0.9-2
- Squid 3.1.10
I configured squid.conf with
http_port 3129 tproxy , and it's working:
tcp 0 0 0.0.0.0:3129 0.0.0.0:*
LISTEN 3370/(squid)
My kernel has the support:
# zcat /proc/config.gz | grep -E
'(NF_CONNTRACK=|TPROXY|XT_MATCH_SOCKET|XT_TARGET_TPROXY)'
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
According to a research I did in this list, I should use, for this kernel:
ip rule add dev fwmark 1 lookup 100
ip rule add dev eth0 fwmark 1 lookup 100
ip rule add dev eth1 fwmark 1 lookup 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects
ip route add local 0.0.0.0/0 dev lo table 100
ebtables -t broute -I BROUTING -i eth1 -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -i eth0 -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target DROP
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY
--on-port 3129 --tproxy-mark 0x1/0x1
cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i
When I try to connect from a user's computer to any websites, the
connection hangs and never completes. I used tcpdump and can't see any
packets redirected to 3129, but the rules have matches:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
116 7168 DIVERT tcp -- * * 0.0.0.0/0
0.0.0.0/0 socket
13 756 TPROXY tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark
0x1/0x1
Chain INPUT (policy ACCEPT 115 packets, 7128 bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 63 packets, 19880 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 63 packets, 19880 bytes)
pkts bytes target prot opt in out source
destination
Chain DIVERT (1 references)
pkts bytes target prot opt in out source
destination
116 7168 MARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK set 0x1
116 7168 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
If I delete the ebtables' rules, I can navigate, but without passing
squid (the connections goes direct).
Am I doing something wrong? Can you point me any discution or
documentation regarding this issue?
Thank you VERY much in advance for your time and help!!
Received on Mon Jan 24 2011 - 15:30:12 MST
This archive was generated by hypermail 2.2.0 : Tue Jan 25 2011 - 12:00:03 MST