Hi Guys, first post.
I know there is a lot of material about configuring Squid in Interception Mode in the wiki / lists, like others I'm struggling to understand where problems might exist, currently I have only got as far as routing, ideally I would like a bridged solution. I want to describe completely what my configuration is I think this maybe useful to other users.
I have based my installation on the information on this page: http://wiki.squid-cache.org/Features/Tproxy4 Overall I think the posting is clear, I think it could be improved by adding commands that demonstrate whether the configuration just applied succeeded or not.
My approach is that ideally I could use a distro for the base and inherit everything I need without having to compile code / kernel / etc.
Using Fedora 13 I get the following binaries, comparing these to the prereqs the are all > the defined versions:
Kernel: 2.6.33.5-124
iptables: 1.4.7-2
Squid: 3.1.4-2
libcap: 2.17-1
The Fedora 13 distro has the following Kernel options set:
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
From the squid.spec from the src rpm shipped with Fedora 13 i.e. squid-3.1.4-2.fc13.src.rpm I can see that the enable linux netfilter is configured
...
...
%ifnarch ppc64 ia64 x86_64 s390x
--with-large-files \
%endif
--enable-linux-netfilter \
--enable-referer-log \
--enable-removal-policies="heap,lru" \
--enable-snmp \
...
...
lsmod on the Squid Host shows tproxy module loaded.
Module Size Used by
sunrpc 192013 1
cpufreq_ondemand 8420 4
acpi_cpufreq 7477 1
freq_table 3851 2 cpufreq_ondemand,acpi_cpufreq
iptable_nat 5420 0
nf_nat 19059 1 iptable_nat
xt_TPROXY 2102 1
xt_socket 2525 1
nf_tproxy_core 2163 2 xt_TPROXY,xt_socket,[permanent]
xt_MARK 1007 1
iptable_mangle 3107 1
ip6t_REJECT 4055 2
nf_conntrack_ipv6 17513 2
ip6table_filter 2743 1
ip6_tables 16558 1 ip6table_filter
ipv6 267033 36 ip6t_REJECT,nf_conntrack_ipv6
uinput 7230 0
tg3 103314 0
pl2303 14822 0
usbserial 32421 1 pl2303
i3200_edac 3104 0
serio_raw 4539 0
edac_core 37487 2 i3200_edac
iTCO_wdt 10864 0
iTCO_vendor_support 2451 1 iTCO_wdt
i2c_i801 10086 0
microcode 17930 0
radeon 589438 0
ttm 53215 1 radeon
drm_kms_helper 23936 1 radeon
drm 169073 3 radeon,ttm,drm_kms_helper
i2c_algo_bit 4781 1 radeon
i2c_core 24507 5 i2c_i801,radeon,drm_kms_helper,drm,i2c_algo_bit
My setup is as follows:
Client (172.27.5.109) -> Squid Host (172.27.5.104) -> Gateway (172.27.5.1)
Internet access from Squid Host is working correctly.
# cat /proc/sys/net/ipv4/conf/lo/rp_filter; cat /proc/sys/net/ipv4/ip_forward
0
1
I modified the default /etc/squid/squid.conf and added the following:
acl our_networks src 172.27.1.0/24 172.27.2.0/24 172.27.3.0/24 172.27.4.0/24 172.27.5.0/24 172.27.6.0/24 172.27.7.0/24
http_access allow our_networks
...
# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy
I was getting an error about TPROXY not being present, I disabled selinux as suggested in the wiki page and startup proceeded ok.
Start Squid and netstat the port 3128 is there and I can connect directly to it and get back content (access.log / cache.log content is as expected)
Completing the router configuration as per http://wiki.squid-cache.org/Features/Tproxy4#iptables on a Router device I get the following:
ip rule show
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
NOTE, should there be more values here? If I do not run ip rule add fwmark 1 lookup 100 I get an empty response no values
# ip route list table 100
local default dev lo scope host
Note below as described in wiki DIVERT is before TPROXY in the PREROUTING.
/etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain DIVERT (1 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:21:5E:4D:CB:9A
inet addr:172.27.5.104 Bcast:172.27.5.255 Mask:255.255.255.0
inet6 addr: fe80::221:5eff:fe4d:cb9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2116 errors:0 dropped:0 overruns:0 frame:0
TX packets:1289 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:243203 (237.5 KiB) TX bytes:219417 (214.2 KiB)
Interrupt:16
eth1 Link encap:Ethernet HWaddr 00:21:5E:4D:CB:9B
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:21
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:240 (240.0 b) TX bytes:240 (240.0 b)
# ping 0.0.0.0
PING 0.0.0.0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.012 ms
^C
In this configuration I can connect directly to 3128 using firefox and return webpages. Turning the proxy setting off in Firefox the browser hangs then times out.
From the client if I try to ping an address in the internet the ping hangs.
Any help would be gratefully received,
Damian.
-- Damian O'Neill, Director Software Solutions, BTI Systems, Belfast, UKReceived on Wed Jul 07 2010 - 12:56:25 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 14 2010 - 12:00:03 MDT