Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 Jul 2009 02:53:49 +1200

johan firdianto wrote:
> Hold on, I lack the compile option for connection tracking NAT.
> Let me compile first.
>

TPROXY was designed to be usable without NAT.

If you can confirm a dependency please report it to the netfilter and
balabit people.

Amos

>
> On Tue, Jul 7, 2009 at 9:15 PM, Ritter, Nicholas <Nicholas.Ritter_at_americantv.com> wrote:
>> Bridging is a completely different beast...I have not done a bridging
>> solution, so I can't help as much...with bridging I think you don't use
>> iptables, but the bridging netfilter tables. That is probably the issue.
>>
>>
>> -----Original Message-----
>> From: johan firdianto [mailto:johanfirdi_at_gmail.com]
>> Sent: Tuesday, July 07, 2009 1:50 AM
>> To: Ritter, Nicholas
>> Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
>> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.
>>
>> Hi Nick,
>>
>> I already tried your example above, with the exception that I'm using a bridge
>> with 2 ethernets, not wccp.
>> But I don't see anything in access_log when I try to browse some
>> sites.
>> But I still could open the sites.
>>
>> 2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
>> 2009/07/07 21:44:17| FD 10 Closing HTTP connection
>> 2009/07/07 21:44:17| FD 13 Closing HTTP connection
>> 2009/07/07 21:44:17| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
>> 2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
>> 2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip spoofing enabled)
>> 2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception enabled)
>> 2009/07/07 21:44:17| Initializing https proxy context
>> 2009/07/07 21:44:17| DNS Socket created at [::], FD 10
>> 2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
>> 2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from /etc/resolv.conf
>> 2009/07/07 21:44:17| Accepting HTTP connections at [::]:3128, FD 11.
>> 2009/07/07 21:44:17| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 13.
>> 2009/07/07 21:44:17| HTCP Disabled.
>> 2009/07/07 21:44:17| Loaded Icons.
>> 2009/07/07 21:44:17| Ready to serve requests.
>>
>> iptables -t mangle -L -xvn
>> Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>     7326     946003 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
>>     3661     949270 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1
>>
>> Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain DIVERT (1 references)
>>     pkts      bytes target     prot opt in     out     source               destination
>>     7326     946003 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0xffffffff
>>     7326     946003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> ip rule
>> 0: from all lookup 255
>> 32764: from all fwmark 0x1 lookup tproxy
>> 32765: from all fwmark 0x1 lookup tproxy
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> ip route show table 100
>> local default dev lo scope host
>>
>> On Thu, Jul 2, 2009 at 11:31 AM, Ritter, Nicholas <Nicholas.Ritter_at_americantv.com> wrote:
>>> I have not finished updating the wiki article for the CentOS example, BTW.
>>> I will do this by tomorrow or possibly tonight yet.
>>>
>>> Nick
>>>
>>>
>>> -----Original Message-----
>>> From: adrian.chadd_at_gmail.com [mailto:adrian.chadd_at_gmail.com] On Behalf Of Adrian Chadd
>>> Sent: Wednesday, July 01, 2009 11:10 PM
>>> To: Alexandre DeAraujo
>>> Cc: Ritter, Nicholas; squid-users
>>> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.
>>> This won't work. You're only redirecting half of the traffic flow with
>>> the wccp web-cache service group. The tproxy code is probably
>>> correctly trying to originate packets -from- the client IP address to
>>> the upstream server but because you're only redirecting half of the
>>> packets (ie, packets from original client to upstream, and not also
>>> the packets from the upstream to the client <- and this is the flow
>>> that needs to be hijacked!) things will "hang".
>>>
>>> You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
>>> setup. There are two service groups configured - 80 and 90 - which
>>> redirect client -> server and server->client respectively. They have
>>> the right bits set in the service group definitions to redirect the
>>> traffic correctly.
>>>
>>> The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
>>> find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
>>> then combine that with the TPROXY4 rules. That is fine for me (I know
>>> a thing or two about this) but it should all be made much, much
>>> clearer for people trying to set this up.
>>>
>>> As I suggested earlier, you may wish to consider fleshing out an
>>> interception section in the Wiki complete with explanations about how
>>> all of the various parts of the puzzle hold together.
>>>
>>> 2c,
>>>
>>>
>>> adrian
>>>
>>> 2009/7/2 Alexandre DeAraujo <alexd_at_cal.net>:
>>>> I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.
>>>> Here is the setup:
>>>> Router:
>>>> Cisco 7200 IOS 12.4(25)
>>>> ip wccp web-cache redirect-list 11
>>>> access-list 11 permits only selective ip addresses to use wccp
>>>>
>>>> Wan interface (Serial)
>>>> ip wccp web-cache redirect out
>>>>
>>>> Global WCCP information:
>>>> Router information:
>>>> Router Identifier: 192.168.20.1
>>>> Protocol Version: 2.0
>>>>
>>>> Service Identifier: web-cache
>>>> Number of Service Group Clients: 1
>>>> Number of Service Group Routers: 1
>>>> Total Packets s/w Redirected: 8797
>>>> Process: 4723
>>>> Fast: 0
>>>> CEF: 4074
>>>> Redirect access-list: 11
>>>> Total Packets Denied Redirect: 124925546
>>>> Total Packets Unassigned: 924514
>>>> Group access-list: -none-
>>>> Total Messages Denied to Group: 0
>>>> Total Authentication failures: 0
>>>> Total Bypassed Packets Received: 0
>>>>
>>>> WCCP Client information:
>>>> WCCP Client ID: 192.168.20.2
>>>> Protocol Version: 2.0
>>>> State: Usable
>>>> Initial Hash Info: 00000000000000000000000000000000
>>>> 00000000000000000000000000000000
>>>> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>> Hash Allotment: 256 (100.00%)
>>>> Packets s/w Redirected: 306
>>>> Connect Time: 00:21:33
>>>> Bypassed Packets
>>>> Process: 0
>>>> Fast: 0
>>>> CEF: 0
>>>> Errors: 0
>>>>
>>>> Clients are on FEthernet0/1
>>>> Squid server is the only device on FEthernet0/3
>>>> --------------------------------------------------------------------
>>>> Squid Server:
>>>> eth0 Link encap:Ethernet HWaddr 00:14:22:21:A1:7D
>>>> inet addr:192.168.20.2 Bcast:192.168.20.7 Mask:255.255.255.248
>>>> inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>>> RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>>>> TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
>>>> collisions:0 txqueuelen:1000
>>>> RX bytes:335149 (327.2 KiB) TX bytes:394943 (385.6 KiB)
>>>>
>>>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
>>>> inet addr:192.168.20.2 Mask:255.255.255.248
>>>> UP RUNNING NOARP MTU:1476 Metric:1
>>>> RX packets:400 errors:0 dropped:0 overruns:0 frame:0
>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>> collisions:0 txqueuelen:0
>>>> RX bytes:31760 (31.0 KiB) TX bytes:0 (0.0 b)
>>>> --------------------------------------------------------------------
>>>> /etc/rc.d/rc.local file:
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>> modprobe ip_gre
>>>> ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
>>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>>> --------------------------------------------------------------------
>>>> /etc/sysconfig/iptables file:
>>>> # Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
>>>> *mangle
>>>> :PREROUTING ACCEPT [166:11172]
>>>> :INPUT ACCEPT [164:8718]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [130:12272]
>>>> :POSTROUTING ACCEPT [130:12272]
>>>> :DIVERT - [0:0]
>>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>>> -A DIVERT -j ACCEPT
>>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
>>>> COMMIT
>>>> # Completed on Wed Jul 1 03:32:55 2009
>>>> # Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [160:15168]
>>>> :RH-Firewall-1-INPUT - [0:0]
>>>> -A INPUT -i gre0 -j ACCEPT
>>>> -A INPUT -p gre -j ACCEPT
>>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>>> -A INPUT -j RH-Firewall-1-INPUT
>>>> -A FORWARD -j RH-Firewall-1-INPUT
>>>> -A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>> # Completed on Wed Jul 1 03:32:55 2009
>>>>
>>>> ---------------------squid.conf------------------------------------
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> acl testing src 10.10.10.0/24
>>>> acl SSL_ports port 443
>>>> acl SSL_ports port 8443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl Safe_ports port 8443 # Plesk
>>>> acl CONNECT method CONNECT
>>>> http_access allow manager localhost
>>>> http_access allow testing
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localnet
>>>> http_access deny all
>>>> http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
>>>> hierarchy_stoplist cgi-bin ?
>>>> hosts_file /etc/hosts
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern . 0 20% 4320
>>>> coredump_dir /var/spool/squid
>>>>
>>>> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
>>>> access_log /var/log/squid/access.log squid
>>>> cache_access_log /var/log/squid/access.log
>>>> cache_log /var/log/squid/cache.log
>>>> cache_store_log /var/log/squid/store.log
>>>> debug_options ALL,3
>>>>
>>>> cache allow testing
>>>> cache deny all
>>>> cache_dir ufs /var/spool/squid 200000 256 256
>>>> cache_effective_user squid
>>>> cache_swap_high 100%
>>>> cache_swap_low 80%
>>>> cache_mem 2 GB
>>>> maximum_object_size 8192 KB
>>>> half_closed_clients on
>>>> client_db off
>>>>
>>>> wccp2_router 192.168.20.1
>>>> wccp_version 2
>>>> wccp2_rebuild_wait on
>>>> wccp2_forwarding_method 1
>>>> wccp2_return_method 1
>>>> wccp2_assignment_method 1
>>>> wccp2_service standard 0
>>>>
>>>> visible_hostname Server
>>>>
>>>> forwarded_for off
>>>> ---------------------------------end of squid.conf-------------------------------------
>>>> This is the timeout error when trying to go to www.google.com
>>>>
>>>> ERROR
>>>> The requested URL could not be retrieved
>>>>
>>>> The following error was encountered while trying to retrieve the URL: http://www.google.com/
>>>> Connection to 74.125.45.100 failed.
>>>>
>>>> The system returned: (110) Connection timed out
>>>>
>>>> The remote host or network may be down. Please try the request again.
>>>>
>>>> Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)
>>>>
>>>>
>>>> Thanks for your help,
>>>>
>>>> Alex
>>>>
>>>
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
Received on Tue Jul 07 2009 - 14:54:14 MDT
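The three diagnostics posted in this thread (`iptables -t mangle -L -xvn`, `ip rule` and `ip route show table 100`) are the usual inputs for checking a Linux TPROXY setup, and the pieces only work when they agree with each other: the socket-match DIVERT rule must run before the TPROXY rule, the DIVERT chain's MARK must equal the TPROXY mark, an `ip rule` must select that fwmark, and the table it points at must hold a `local default dev lo` route. The following Python script is an added example, not code from the squid-users list or from the Squid project; it parses the text of those three commands and reports any mismatch. The sample outputs are reconstructed from Johan's post with the mail line-wrapping undone; the `RT_TABLES` mapping of the alias `tproxy` to table 100 is an assumption, since the thread never shows /etc/iproute2/rt_tables.

```python
"""Cross-check a Linux TPROXY setup from the text of `iptables -t mangle -L -xvn`,
`ip rule` and `ip route show table <N>`.  Added example for the thread above; it
is not code from the squid-users list or from the Squid project."""
import re

# Sample outputs constructed from the diagnostics posted in the thread
# (mail line-wrapping undone).
MANGLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    7326     946003 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
    3661     949270 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1

Chain DIVERT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    7326     946003 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0xffffffff
    7326     946003 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
IP_RULE_OUTPUT = """\
0:      from all lookup 255
32764:  from all fwmark 0x1 lookup tproxy
32765:  from all fwmark 0x1 lookup tproxy
32766:  from all lookup main
32767:  from all lookup default
"""
ROUTE_TABLES = {100: "local default dev lo scope host\n"}   # `ip route show table 100`
# Assumed /etc/iproute2/rt_tables aliases; the thread never shows that file.
RT_TABLES = {"tproxy": 100, "main": 254, "default": 253, "local": 255}


def parse_mangle(text):
    """Extract PREROUTING target order, the TPROXY redirect/mark and the DIVERT MARK value."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and line.split()[0] != "pkts":
            chains[current].append(line.split())  # pkts bytes target prot opt in out src dst ...
    info = {"prerouting_targets": [r[2] for r in chains.get("PREROUTING", [])], "tproxy": None}
    for r in chains.get("PREROUTING", []):
        m = re.search(r"TPROXY redirect (\S+):(\d+) mark (0x[0-9a-f]+)/(0x[0-9a-f]+)", " ".join(r))
        if r[2] == "TPROXY" and m:
            info["tproxy"] = {"ip": m.group(1), "port": int(m.group(2)),
                              "mark": int(m.group(3), 16), "mask": int(m.group(4), 16)}
    for r in chains.get("DIVERT", []):
        m = re.search(r"MARK xset (0x[0-9a-f]+)/", " ".join(r))
        if r[2] == "MARK" and m:
            info["divert_mark"] = int(m.group(1), 16)
    return info


def parse_ip_rules(text):
    """Return [{prio, fwmark or None, table}] from `ip rule` output (fwmark may carry a /mask)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+from \S+(?: fwmark (0x[0-9a-f]+)(?:/0x[0-9a-f]+)?)? lookup (\S+)", line)
        if m:
            rules.append({"prio": int(m.group(1)),
                          "fwmark": int(m.group(2), 16) if m.group(2) else None,
                          "table": m.group(3)})
    return rules


def has_local_default(route_text):
    """True if the table delivers everything to lo as a local route, which TPROXY needs."""
    return any(re.match(r"local (default|0\.0\.0\.0/0) dev lo", ln.strip())
               for ln in route_text.splitlines())


def check_tproxy(mangle_text, rule_text, route_tables, rt_tables):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    info = parse_mangle(mangle_text)
    tp = info["tproxy"]
    if tp is None:
        return ["no TPROXY rule found in mangle PREROUTING"]
    targets = info["prerouting_targets"]
    if "DIVERT" not in targets or targets.index("DIVERT") > targets.index("TPROXY"):
        findings.append("socket-match DIVERT rule must come before the TPROXY rule")
    if info.get("divert_mark") != tp["mark"]:
        findings.append("DIVERT chain MARK differs from the TPROXY mark")
    selected = [r for r in parse_ip_rules(rule_text)
                if r["fwmark"] is not None and (r["fwmark"] & tp["mask"]) == tp["mark"]]
    if not selected:
        findings.append(f"no ip rule selects fwmark {tp['mark']:#x}")
    seen = set()
    for r in selected:
        key = (r["fwmark"], r["table"])
        if key in seen:
            findings.append(f"duplicate ip rule for fwmark {r['fwmark']:#x} -> table {r['table']}")
        seen.add(key)
        table = rt_tables.get(r["table"], r["table"])
        try:
            table = int(table)
        except ValueError:
            findings.append(f"ip rule refers to unknown table alias {r['table']!r}")
            continue
        if not has_local_default(route_tables.get(table, "")):
            findings.append(f"table {table} has no 'local default dev lo' route")
    return findings


if __name__ == "__main__":
    for finding in check_tproxy(MANGLE_OUTPUT, IP_RULE_OUTPUT, ROUTE_TABLES, RT_TABLES) or ["OK"]:
        print(finding)
```

Run against the thread's own output, the only finding is the duplicated `ip rule` (priorities 32764 and 32765 both send fwmark 0x1 to `tproxy`), which is harmless but worth cleaning up; the interesting failures on a real box are the other three checks, in particular an `ip rule` whose table alias does not resolve to the table that actually holds the local route.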
