List: tproxy
Subject: Re: [tproxy] Squid with TProxy Support
From: "Chinmay Mahata" <chinmay_mahata () rediffmail ! com>
Date: 2013-07-05 11:13:48
Message-ID: 1372806242.S.17386.31543.H.WUZpcmFzIFJhc215AFJlOiBbdHByb3h5XSBTcXVpZCB3aXRoIFRQcm94eSBTdXBwb3J0.RU.jfsr, jfs1, w2269, 32,
Hi Firas,
Your understanding is absolutely correct.
Regards,
--Chinmay
From: Firas Rasmy <firasrasmy@yahoo.com>
Sent: Wed, 03 Jul 2013 04:34:02
To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
Subject: Re: [tproxy] Squid with TProxy Support
Thanks a lot for your reply Eliezer!
I have another question here regarding the following iptables rules, which are needed to get TPROXY to work:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
What is "-m socket" used for? Man page of iptables says that "-m socket" matches if an open socket can be found by doing a socket lookup on the packet. I think the following rule is intended for reply packets coming from web servers to squid (with the spoofed IP address), am I right? If not, please correct me:
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
Best regards,
Firas
From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: tproxy@lists.balabit.hu
Sent: Monday, July 1, 2013 11:00 PM
Subject: Re: [tproxy] Squid with TProxy Support
Centos comes with TPROXY so you don't need to recompile or do anything
more than use the bundled kernel from CentOS.
Take a small peek at this tutorial:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
The tutorial has all the working examples that are needed for tproxy
with squid.
If you will need more help you can try squid-users.
Eliezer
On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> Hello there!
>
> I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> 4.1.7
>
> I've followed the instructions in
> http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> connecting to any website from a client with Chrome browser fails with
> this error:
> Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> without sending any data.
>
> When trying to telnet squid on port 80, I get a connection but the
> connection is closed once I hit any key! I think packets are being
> redirected to squid successfully because if I stop squid, there would be
> no connections at all. Do you have any idea of what might be the reason?
>
> Another question, I have checked that my current kernel was already
> built with those options:
> NF_CONNTRACK=m
> NETFILTER_TPROXY=m
> NETFILTER_XT_MATCH_SOCKET=m
> NETFILTER_XT_TARGET_TPROXY=m
>
> Do I still have to recompile it with patches from
> http://www.balabit.com/downloads/files/tproxy/?
> There are no patches available for this current version. What about
> iptables? Do I need to patch it?
>
> My last question is: TPROXY target in the mangle table is not supposed
> to change anything in the packet header, how the packets with TPROXY
> target would be redirected to --on-port if the IP header is untouched?!
>
> Thanks a lot for your help!
>
> Best regards,
> Firas
>
>
> _______________________________________________
> tproxy mailing list
> tproxy@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
>
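The four mangle rules Firas quotes, and the answer that the "-m socket" rule is what catches the web servers' replies addressed to the spoofed client IP, can be walked through with a small model of the proxy box. This is an added example, not code from the thread or from Squid: it assumes the usual companion policy route from the kernel's TPROXY documentation (ip rule add fwmark 1 lookup 100; ip route add local 0.0.0.0/0 dev lo table 100) and uses constructed addresses. It also goes one step beyond the reply-packet case by showing that the same socket rule diverts the client's later packets on an already-accepted connection.

```python
from dataclasses import dataclass

MARK = 0x1  # --tproxy-mark 0x1/0x1 on TPROXY, MARK --set-mark 1 in the DIVERT chain

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class ProxyBox:
    """The proxy host: its open TCP sockets and the mangle PREROUTING chain."""
    def __init__(self):
        # sockets the kernel knows, keyed (local_ip, local_port, remote_ip, remote_port)
        self.sockets = set()

    def socket_match(self, p):
        """'-m socket': true when a socket lookup on the packet's 4-tuple finds one."""
        return (p.dst, p.dport, p.src, p.sport) in self.sockets

    def prerouting(self, p):
        """Return (matched rule, fwmark, routing decision) for one incoming packet."""
        if self.socket_match(p):           # -A PREROUTING -p tcp -m socket -j DIVERT
            return "DIVERT", MARK, self.route(MARK)
        if p.dport == 80:                  # -A PREROUTING -p tcp --dport 80 -j TPROXY ... --on-port 3129
            # The IP header is untouched: the packet is handed to the listener on
            # port 3129 and the accepted socket keeps (server, 80) as its local end.
            self.sockets.add((p.dst, p.dport, p.src, p.sport))
            return "TPROXY", MARK, self.route(MARK)
        return None, 0, self.route(0)      # no rule matched: ordinary forwarding

    def spoofed_connect(self, client_ip, eph_port, server_ip):
        """Squid's outbound leg, bound to the client's address (IP_TRANSPARENT)."""
        self.sockets.add((client_ip, eph_port, server_ip, 80))

    @staticmethod
    def route(mark):
        # Assumed policy route: fwmark 1 -> table 100 -> local delivery on lo.
        return "local" if mark & MARK else "forward"

def walk_flow():
    """Constructed flow: client 10.0.0.5 fetches from web server 203.0.113.7 via the proxy."""
    box = ProxyBox()
    syn = box.prerouting(Packet("10.0.0.5", 40000, "203.0.113.7", 80))
    box.spoofed_connect("10.0.0.5", 50000, "203.0.113.7")   # squid connects out as the client
    reply = box.prerouting(Packet("203.0.113.7", 80, "10.0.0.5", 50000))
    data = box.prerouting(Packet("10.0.0.5", 40000, "203.0.113.7", 80))
    other = box.prerouting(Packet("10.0.0.5", 40001, "203.0.113.7", 443))
    return {"client_syn": syn, "server_reply": reply, "client_data": data, "https": other}
```

Only the first SYN of a flow reaches the TPROXY rule; the server's reply and every later client segment are picked up by the socket rule, and traffic to ports other than 80 is routed normally.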