Re: [squid-users] squid tproxy in ipv6 enviroment.

From: Pawel Mojski <pawcio_at_pawcio.net>
Date: Tue, 26 Jun 2012 13:40:36 +0200

On 26-Jun-12 12:08, Pawel Mojski wrote:
>
>
> v6priv linux # ebtables -t broute -A BROUTING -i eth0 -p ipv6
> --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> For IP filtering the protocol must be specified as IPv4.
>

Ok, I've found my mistake. I should use --ip6-proto and --ip6-sport.
But now all commands are accepted, yet the traffic does not work.
I suppose it might be the rp_filter configuration, but I cannot find any
rp_filter switch for IPv6.
Is rp_filter for IPv6 enabled or disabled by default?

Here is my configuration:
#!/bin/sh
PATH=$PATH:/sbin

LAN="eth1"
WAN="eth0"

# start from an empty mangle table
ip6tables -t mangle -F
ip6tables -t mangle -X

# DIVERT: packets that already belong to a local socket just get the mark
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# new port-80 connections are handed to Squid listening on 3129
ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129

# pull port-80 IPv6 frames off the bridge path so ip6tables sees them
ebtables -t broute -F
ebtables -t broute -A BROUTING -i $LAN -p ipv6 --ip6-proto tcp \
    --ip6-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $WAN -p ipv6 --ip6-proto tcp \
    --ip6-sport 80 -j redirect --redirect-target DROP

After running this, no traffic to port 80 is accepted.

Here are ip6tables stats:
v6priv ~ # ip6tables -t mangle -vL
Chain PREROUTING (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target  prot opt in  out  source    destination
    0     0 DIVERT  tcp      any any  anywhere  anywhere     socket
   52  4160 TPROXY  tcp      any any  anywhere  anywhere     tcp dpt:http TPROXY redirect :::3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain DIVERT (1 references)
 pkts bytes target  prot opt in  out  source    destination
    0     0 MARK    all      any any  anywhere  anywhere     MARK set 0x1
    0     0 ACCEPT  all      any any  anywhere  anywhere

Regards;
Pawel Mojski
Received on Tue Jun 26 2012 - 11:40:47 MDT
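A small diagnostic helper, added here and not part of Pawel's message or of Squid, that reads the DIVERT and TPROXY packet counters out of `ip6tables -t mangle -vL` output and classifies what they say about the interception. The sample output is constructed from the counters in the post; the `ip -6 rule`/`ip -6 route` lines named in the comments are the standard TPROXY policy-routing requirement and are an assumption about this setup, since the post does not show them.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): sum the pkts column of the
# DIVERT and TPROXY rules and say whether intercepted port-80 traffic is
# actually reaching a local socket.
# Constructed sample, using the counters shown in the post above.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DIVERT tcp -- any any anywhere anywhere socket
   52  4160 TPROXY tcp -- any any anywhere anywhere tcp dpt:http TPROXY redirect :::3129 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 MARK   all -- any any anywhere anywhere MARK set 0x1
    0     0 ACCEPT all -- any any anywhere anywhere'

# rule_pkts CHAIN TARGET TEXT: sum of the pkts column of every rule in CHAIN
# whose target is TARGET.  On a live box feed it `ip6tables -t mangle -vnLx`
# (-x keeps counters numeric instead of abbreviating to "52K").
rule_pkts() {
    printf '%s\n' "$3" | awk -v chain="$1" -v target="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == target { sum += $1 }
        END { print sum + 0 }'
}

# tproxy_verdict TEXT: prints NO_TRAFFIC, NOT_DELIVERED or OK.
# The `-m socket` rule (DIVERT) only matches packets that belong to a socket
# that already exists on this host, so a TPROXY counter that keeps growing
# while DIVERT stays at 0 means the redirected SYNs never turn into an
# accepted connection.  With TPROXY that usually means the marked packets
# are not being routed to the local stack: TPROXY needs a policy route
# such as `ip -6 rule add fwmark 1 lookup 100` plus
# `ip -6 route add local ::/0 dev lo table 100` (assumption: the post does
# not show its ip -6 rule/route setup).
tproxy_verdict() {
    tp=$(rule_pkts PREROUTING TPROXY "$1")
    dv=$(rule_pkts PREROUTING DIVERT "$1")
    if [ "$tp" -eq 0 ] && [ "$dv" -eq 0 ]; then
        echo NO_TRAFFIC      # port-80 packets never reached the mangle table
    elif [ "$dv" -eq 0 ]; then
        echo NOT_DELIVERED   # SYNs redirected, but no local socket ever matched
    else
        echo OK
    fi
}

tproxy_verdict "$SAMPLE_MANGLE"
```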