You're right Jeffries,
after compiling connection tracking NAT, it doesn't make sense.
I mean, I can't see my browsing log in access.log,
no error in cache.log,
the iptables counter is incrementing. But I still can browse. When I dump
the packet, no squid header is appended to the response, so the response
didn't come from squid.
How to check that a packet from iptables hits squid?
Or does a bridging environment need a different solution?
Thanks.
Johan
On Tue, Jul 7, 2009 at 9:53 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
> johan firdianto wrote:
>>
>> Hold on, I lack the compile option for connection tracking NAT.
>> Let me compile first.
>>
>
> TPROXY was designed to be usable without NAT.
>
> If you can confirm a dependency please report it to the netfilter and
> balabit people.
>
> Amos
>
>>
>> On Tue, Jul 7, 2009 at 9:15 PM, Ritter,
>> Nicholas<Nicholas.Ritter_at_americantv.com> wrote:
>>>
>>> Bridging is a completely different beast...I have not done a bridging
>>> solution, so I can't help as much...with bridging I think you don't use
>>> iptables, but the bridging netfilter tables. That is probably the issue.
>>>
>>>
>>> -----Original Message-----
>>> From: johan firdianto [mailto:johanfirdi_at_gmail.com]
>>> Sent: Tuesday, July 07, 2009 1:50 AM
>>> To: Ritter, Nicholas
>>> Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
>>> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency
>>> steps.
>>>
>>> Hi Nick,
>>>
>>> I already tried your example above, with the exception that I'm using a bridge
>>> with 2 Ethernet interfaces, not WCCP.
>>> But I don't see anything in access_log when I try to browse some
>>> sites.
>>> But I still could open the sites.
>>>
>>> 2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
>>> 2009/07/07 21:44:17| FD 10 Closing HTTP connection
>>> 2009/07/07 21:44:17| FD 13 Closing HTTP connection
>>> 2009/07/07 21:44:17| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
>>> 2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
>>> 2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip spoofing enabled)
>>> 2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception enabled)
>>> 2009/07/07 21:44:17| Initializing https proxy context
>>> 2009/07/07 21:44:17| DNS Socket created at [::], FD 10
>>> 2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
>>> 2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from /etc/resolv.conf
>>> 2009/07/07 21:44:17| Accepting HTTP connections at [::]:3128, FD 11.
>>> 2009/07/07 21:44:17| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 13.
>>> 2009/07/07 21:44:17| HTCP Disabled.
>>> 2009/07/07 21:44:17| Loaded Icons.
>>> 2009/07/07 21:44:17| Ready to serve requests.
>>>
>>> iptables -t mangle -L -xvn
>>> Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
>>>     pkts   bytes target  prot opt in  out  source     destination
>>>     7326  946003 DIVERT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    socket
>>>     3661  949270 TPROXY  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 TPROXY redirect 192.168.1.205:3129 mark 0x1/0x1
>>>
>>> Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
>>>     pkts   bytes target  prot opt in  out  source     destination
>>>
>>> Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
>>>     pkts   bytes target  prot opt in  out  source     destination
>>>
>>> Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
>>>     pkts   bytes target  prot opt in  out  source     destination
>>>
>>> Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
>>>     pkts   bytes target  prot opt in  out  source     destination
>>>
>>> Chain DIVERT (1 references)
>>>     pkts   bytes target  prot opt in  out  source     destination
>>>     7326  946003 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    MARK xset 0x1/0xffffffff
>>>     7326  946003 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>>>
>>> ip rule
>>> 0: from all lookup 255
>>> 32764: from all fwmark 0x1 lookup tproxy
>>> 32765: from all fwmark 0x1 lookup tproxy
>>> 32766: from all lookup main
>>> 32767: from all lookup default
>>>
>>> ip route show table 100
>>> local default dev lo scope host
>>>
>>> On Thu, Jul 2, 2009 at 11:31 AM, Ritter,
>>> Nicholas<Nicholas.Ritter_at_americantv.com> wrote:
>>>>
>>>> I have not finished updating the wiki article for the CentOS example, BTW.
>>>>
>>>> I will do this by tomorrow or possibly tonight yet.
>>>>
>>>> Nick
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: adrian.chadd_at_gmail.com [mailto:adrian.chadd_at_gmail.com] On Behalf Of Adrian Chadd
>>>>
>>>> Sent: Wednesday, July 01, 2009 11:10 PM
>>>> To: Alexandre DeAraujo
>>>> Cc: Ritter, Nicholas; squid-users
>>>> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.
>>>>
>>>> This won't work. You're only redirecting half of the traffic flow with
>>>> the wccp web-cache service group. The tproxy code is probably
>>>> correctly trying to originate packets -from- the client IP address to
>>>> the upstream server but because you're only redirecting half of the
>>>> packets (ie, packets from original client to upstream, and not also
>>>> the packets from the upstream to the client <- and this is the flow
>>>> that needs to be hijacked!) things will "hang".
>>>>
>>>> You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
>>>> setup. There are two service groups configured - 80 and 90 - which
>>>> redirect client -> server and server->client respectively. They have
>>>> the right bits set in the service group definitions to redirect the
>>>> traffic correctly.
>>>>
>>>> The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
>>>> find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
>>>> then combine that with the TPROXY4 rules. That is fine for me (I know
>>>> a thing or two about this) but it should all be made much, much
>>>> clearer for people trying to set this up.
>>>>
>>>> As I suggested earlier, you may wish to consider fleshing out an
>>>> interception section in the Wiki complete with explanations about how
>>>> all of the various parts of the puzzle hold together.
>>>>
>>>> 2c,
>>>>
>>>>
>>>> adrian
>>>>
>>>> 2009/7/2 Alexandre DeAraujo <alexd_at_cal.net>:
>>>>>
>>>>> I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated.
>>>>>
>>>>> Here is the setup:
>>>>> Router:
>>>>> Cisco 7200 IOS 12.4(25)
>>>>> ip wccp web-cache redirect-list 11
>>>>> access-list 11 permits only selective ip addresses to use wccp
>>>>>
>>>>> Wan interface (Serial)
>>>>> ip wccp web-cache redirect out
>>>>>
>>>>> Global WCCP information:
>>>>> Router information:
>>>>> Router Identifier: 192.168.20.1
>>>>> Protocol Version: 2.0
>>>>>
>>>>> Service Identifier: web-cache
>>>>> Number of Service Group Clients: 1
>>>>> Number of Service Group Routers: 1
>>>>> Total Packets s/w Redirected: 8797
>>>>> Process: 4723
>>>>> Fast: 0
>>>>> CEF: 4074
>>>>> Redirect access-list: 11
>>>>> Total Packets Denied Redirect: 124925546
>>>>> Total Packets Unassigned: 924514
>>>>> Group access-list: -none-
>>>>> Total Messages Denied to Group: 0
>>>>> Total Authentication failures: 0
>>>>> Total Bypassed Packets Received: 0
>>>>>
>>>>> WCCP Client information:
>>>>> WCCP Client ID: 192.168.20.2
>>>>> Protocol Version: 2.0
>>>>> State: Usable
>>>>> Initial Hash Info: 00000000000000000000000000000000
>>>>> 00000000000000000000000000000000
>>>>> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>> Hash Allotment: 256 (100.00%)
>>>>> Packets s/w Redirected: 306
>>>>> Connect Time: 00:21:33
>>>>> Bypassed Packets
>>>>> Process: 0
>>>>> Fast: 0
>>>>> CEF: 0
>>>>> Errors: 0
>>>>>
>>>>> Clients are on FEthernet0/1
>>>>> Squid server is the only device on FEthernet0/3
>>>>> --------------------------------------------------------------------
>>>>> Squid Server:
>>>>> eth0 Link encap:Ethernet HWaddr 00:14:22:21:A1:7D
>>>>> inet addr:192.168.20.2 Bcast:192.168.20.7 Mask:255.255.255.248
>>>>> inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
>>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>>>> RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>>>>> TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
>>>>> collisions:0 txqueuelen:1000
>>>>> RX bytes:335149 (327.2 KiB) TX bytes:394943 (385.6 KiB)
>>>>>
>>>>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
>>>>> inet addr:192.168.20.2 Mask:255.255.255.248
>>>>> UP RUNNING NOARP MTU:1476 Metric:1
>>>>> RX packets:400 errors:0 dropped:0 overruns:0 frame:0
>>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>> collisions:0 txqueuelen:0
>>>>> RX bytes:31760 (31.0 KiB) TX bytes:0 (0.0 b)
>>>>> --------------------------------------------------------------------
>>>>> /etc/rc.d/rc.local file:
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>> modprobe ip_gre
>>>>> ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
>>>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>>>> --------------------------------------------------------------------
>>>>> /etc/sysconfig/iptables file:
>>>>> # Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
>>>>> *mangle
>>>>> :PREROUTING ACCEPT [166:11172]
>>>>> :INPUT ACCEPT [164:8718]
>>>>> :FORWARD ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [130:12272]
>>>>> :POSTROUTING ACCEPT [130:12272]
>>>>> :DIVERT - [0:0]
>>>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>>>> -A DIVERT -j ACCEPT
>>>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
>>>>> COMMIT
>>>>> # Completed on Wed Jul 1 03:32:55 2009
>>>>> # Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
>>>>> *filter
>>>>> :INPUT ACCEPT [0:0]
>>>>> :FORWARD ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [160:15168]
>>>>> :RH-Firewall-1-INPUT - [0:0]
>>>>> -A INPUT -i gre0 -j ACCEPT
>>>>> -A INPUT -p gre -j ACCEPT
>>>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>>>> -A INPUT -j RH-Firewall-1-INPUT
>>>>> -A FORWARD -j RH-Firewall-1-INPUT
>>>>> -A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>>> COMMIT
>>>>> # Completed on Wed Jul 1 03:32:55 2009
>>>>>
>>>>> ---------------------squid.conf------------------------------------
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32
>>>>> acl to_localhost dst 127.0.0.0/8
>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>> acl testing src 10.10.10.0/24
>>>>> acl SSL_ports port 443
>>>>> acl SSL_ports port 8443
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 # https
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl Safe_ports port 8443 # Plesk
>>>>> acl CONNECT method CONNECT
>>>>> http_access allow manager localhost
>>>>> http_access allow testing
>>>>> http_access deny manager
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>> http_access allow localnet
>>>>> http_access deny all
>>>>> http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always
>>>>> hierarchy_stoplist cgi-bin ?
>>>>> hosts_file /etc/hosts
>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>>> refresh_pattern . 0 20% 4320
>>>>> coredump_dir /var/spool/squid
>>>>>
>>>>> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
>>>>> access_log /var/log/squid/access.log squid
>>>>> cache_access_log /var/log/squid/access.log
>>>>> cache_log /var/log/squid/cache.log
>>>>> cache_store_log /var/log/squid/store.log
>>>>> debug_options ALL,3
>>>>>
>>>>> cache allow testing
>>>>> cache deny all
>>>>> cache_dir ufs /var/spool/squid 200000 256 256
>>>>> cache_effective_user squid
>>>>> cache_swap_high 100%
>>>>> cache_swap_low 80%
>>>>> cache_mem 2 GB
>>>>> maximum_object_size 8192 KB
>>>>> half_closed_clients on
>>>>> client_db off
>>>>>
>>>>> wccp2_router 192.168.20.1
>>>>> wccp_version 2
>>>>> wccp2_rebuild_wait on
>>>>> wccp2_forwarding_method 1
>>>>> wccp2_return_method 1
>>>>> wccp2_assignment_method 1
>>>>> wccp2_service standard 0
>>>>>
>>>>> visible_hostname Server
>>>>>
>>>>> forwarded_for off
>>>>> ---------------------------------end of squid.conf-------------------------------------
>>>>> This is the timeout error when trying to go to www.google.com
>>>>>
>>>>> ERROR
>>>>> The requested URL could not be retrieved
>>>>>
>>>>> The following error was encountered while trying to retrieve the URL: http://www.google.com/
>>>>> Connection to 74.125.45.100 failed.
>>>>>
>>>>> The system returned: (110) Connection timed out
>>>>>
>>>>> The remote host or network may be down. Please try the request again.
>>>>>
>>>>> Generated Wed, 01 Jul 2009 21:41:07 GMT by Server (squid/3.1.0.9)
>>>>>
>>>>>
>>>>> Thanks for your help,
>>>>>
>>>>> Alex
>>>>>
>>>>
>>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> Current Beta Squid 3.1.0.9
>
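As an added example (not part of the thread or of Squid), a small Python checker for the four things that have to agree in a TPROXY setup like the ones quoted above: Squid's http_port with the tproxy option versus the TPROXY --on-port, the position of the -m socket -j DIVERT rule, the mark shared by DIVERT, --tproxy-mark and the ip rule fwmark, and the local default dev lo route in the table that rule selects. It assumes iptables-save style rule text plus the output of ip rule and ip route show table N; the sample input is constructed from Alex's quoted configuration.

```python
import re

# Constructed sample input: the lines the checks need, copied from the iptables, rc.local/ip and squid.conf fragments Alex quoted.
IPTABLES_MANGLE = """\
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
"""
IP_RULE = "32766: from all fwmark 0x1 lookup 100\n"
ROUTE_TABLE = "local default dev lo scope host\n"   # ip route show table 100
SQUID_CONF = "http_port 192.168.20.2:3128 tproxy disable-pmtu-discovery=always\n"


def mark_value(text):
    """'0x1/0xffffffff' or '1' -> 1 (the mask part is ignored)."""
    return int(text.split("/")[0], 0)


def check_tproxy(mangle, ip_rule, route_table, squid_conf):
    """Return the inconsistencies found between the four parts of a TPROXY setup."""
    problems = []
    tp = re.search(r"-j TPROXY --on-port (\d+).*?--tproxy-mark (\S+)", mangle)
    if not tp:
        return ["no TPROXY rule in the mangle table"]
    on_port, tproxy_mark = int(tp.group(1)), mark_value(tp.group(2))
    # 1. Squid must listen on the redirected port with the tproxy option.
    ports = re.findall(r"^http_port\s+(?:\S*:)?(\d+)(.*)$", squid_conf, re.M)
    if not any(int(p) == on_port and "tproxy" in opts.split() for p, opts in ports):
        problems.append(f"no 'http_port ... {on_port} tproxy' matching TPROXY --on-port {on_port}")
    # 2. The socket match must precede TPROXY so packets of connections Squid
    #    already accepted are only marked, not redirected again.
    rules = [line for line in mangle.splitlines() if line.startswith("-A PREROUTING")]
    sock_idx = next((i for i, line in enumerate(rules) if "-m socket" in line), None)
    tp_idx = next((i for i, line in enumerate(rules) if "-j TPROXY" in line), len(rules))
    if sock_idx is None or sock_idx > tp_idx:
        problems.append("'-m socket -j DIVERT' rule missing or placed after the TPROXY rule")
    # 3. DIVERT's MARK, --tproxy-mark and the ip rule fwmark must be the same value.
    divert = re.search(r"-A DIVERT -j MARK --set-x?mark (\S+)", mangle)
    rule = re.search(r"fwmark (\S+) lookup (\S+)", ip_rule)
    divert_mark = mark_value(divert.group(1)) if divert else None
    rule_mark = mark_value(rule.group(1)) if rule else None
    if divert_mark != tproxy_mark or rule_mark != tproxy_mark:
        problems.append(f"mark mismatch: DIVERT={divert_mark} TPROXY={tproxy_mark} ip rule={rule_mark}")
    # 4. The table the rule selects must hand everything to lo as local traffic.
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", route_table, re.M):
        problems.append(f"table {rule.group(2) if rule else '?'} lacks 'local default dev lo'")
    return problems
```

Feed it the real iptables-save, ip rule and ip route show table output from the box; an empty list means the four pieces at least agree with each other, which is the first thing to rule out before suspecting the bridge or the netfilter build.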
Received on Tue Jul 07 2009 - 15:03:14 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 08 2009 - 12:00:03 MDT