List: tproxy
Subject: Re: [tproxy] Squid with TProxy Support
From: Eliezer Croitoru <eliezer () ngtech ! co ! il>
Date: 2013-07-05 13:32:59
Message-ID: 51D6CB0B.3030603 () ngtech ! co ! il
These comments were meant to give you information long ago..
It gives the big picture to the one who actually needs it.
Most people that don't understand can ask freely on the mailing lists
which are the best resource I know of.
Using mailing lists, real people can understand and explain to you the
difference between what you understand and do not.
If you do know how iptables works it will be simple to understand this
logic.
If you are new to iptables or to Linux it's better to ask rather than
just not understand their meanings.
Eliezer
On 07/05/2013 04:03 PM, Firas Rasmy wrote:
> Thanks a lot Chinmay and Eliezer,
>
> I think the comments on the iptables rules in
> http://wiki.squid-cache.org/Features/Tproxy4 are a bit confusing!
>
> Best regards,
> Firas
>
> ------------------------------------------------------------------------
> *From:* Chinmay Mahata <chinmay_mahata@rediffmail.com>
> *To:* Firas Rasmy <firasrasmy@yahoo.com>
> *Cc:* "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
> *Sent:* Friday, July 5, 2013 2:13 PM
> *Subject:* Re: [tproxy] Squid with TProxy Support
>
> Hi Firas,
> Your understanding is absolutely correct.
>
> Regards,
> --Chinmay
>
>
>
>
> From: Firas Rasmy <firasrasmy@yahoo.com>
> Sent: Wed, 03 Jul 2013 04:34:02
> To: "tproxy@lists.balabit.hu" <tproxy@lists.balabit.hu>
> Subject: Re: [tproxy] Squid with TProxy Support
> Thanks a lot for your reply Eliezer!
>
> I have another question here regarding the following iptables rules,
> which are needed to get TPROXY to work:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
>
>
>
> What is "-m socket" used for? Man page of iptables says that "-m
> socket" matches if an open socket can be found by doing a socket
> lookup on the packet. I think the following rule is intended for reply
> packets coming from web servers to squid (with the spoofed IP
> address), am I right? If not, please correct me:
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> Best regards,
> Firas
>
>
> ------------------------------------------------------------------------
> *From:* Eliezer Croitoru <eliezer@ngtech.co.il>
> *To:* tproxy@lists.balabit.hu
> *Sent:* Monday, July 1, 2013 11:00 PM
> *Subject:* Re: [tproxy] Squid with TProxy Support
>
> Centos comes with TPROXY so you don't need to recompile or do anything
> more than use the bundled kernel from CentOS.
> Take a small peek at this tutorial:
> http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2
> The tutorial has all the working examples that are needed for tproxy
> with squid.
>
> If you will need more help you can try squid-users.
>
> Eliezer
>
> On 07/01/2013 09:37 PM, Firas Rasmy wrote:
> > Hello there!
> >
> > I'm trying to install squid with TPROXY support. I'm using a Centos 6.4
> > (64-bit) with kernel version 2.6.32-358.el6.x86_64 and iptables version
> > 4.1.7
> >
> > I've followed the instructions in
> > http://wiki.squid-cache.org/Features/Tproxy4 but unfortunately
> > connecting to any website from a client with Chrome browser fails with
> > this error:
> > Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection
> > without sending any data.
> >
> > When trying to telnet squid on port 80, I get a connection but the
> > connection is closed once I hit any key! I think packets are being
> > redirected to squid successfully because if I stop squid, there would be
> > no connections at all. Do you have any idea of what might be the reason?
> >
> > Another question, I have checked that my current kernel was already
> > built with those options:
> > NF_CONNTRACK=m
> > NETFILTER_TPROXY=m
> > NETFILTER_XT_MATCH_SOCKET=m
> > NETFILTER_XT_TARGET_TPROXY=m
> >
> > Do I still have to recompile it with patches from
> > http://www.balabit.com/downloads/files/tproxy/?
>
> > There are no patches available for this current version. What about
> > iptables? Do I need to patch it?
> >
> > My last question is: TPROXY target in the mangle table is not supposed
> > to change anything in the packet header, how the packets with TPROXY
> > target would be redirected to --on-port if the IP header is untouched?!
> >
> > Thanks a lot for your help!
> >
> > Best regards,
> > Firas
> >
> >
> > _______________________________________________
> > tproxy mailing list
> > tproxy@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/tproxy
> >
>
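A worked version of the rule set quoted above, added here as an example (it is not code from the thread or from the Squid wiki). It keeps Squid's transparent port 3129 and mark 1 from the mail, and adds the fwmark policy-routing entries that deliver the marked packets locally; the routing table number 100 and the APPLY switch are constructed choices. Without APPLY=1 it only prints the commands, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: Squid TPROXY interception rules plus the policy routing
# that makes them work, wrapped for dry-run review. Assumed values
# (constructed): Squid transparent port 3129, fwmark 1, routing table 100.
TPROXY_PORT=3129
MARK=1
TABLE=100

# Print each command; execute it only when APPLY=1 (needs root, iptables, ip).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

tproxy_setup() {
    # -m socket matches packets for which a local socket already exists:
    # replies from origin servers to Squid's outgoing (client-IP spoofed)
    # connections, and later packets of an already intercepted client flow.
    # Those only need the mark so the routing rule below keeps them local;
    # they must not hit the TPROXY target again.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # First packet of a new client connection to port 80: TPROXY sets the
    # mark and assigns the packet to the listening transparent socket on
    # 3129. The IP header is left untouched; delivery to this host is done
    # by the fwmark routing rule, not by address rewriting.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "0x${MARK}/0x${MARK}" --on-port "$TPROXY_PORT"
    # Policy routing: anything carrying the mark is routed to the local
    # stack even though its destination address is the remote web server.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Number of commands the dry run would apply; a quick sanity check that the
# DIVERT chain, the TPROXY rule and both routing entries are all present.
tproxy_rule_count() {
    APPLY=0 tproxy_setup | wc -l | tr -d ' '
}
```

Run with `APPLY=1 sh tproxy.sh` as root to apply; afterwards `iptables -t mangle -L PREROUTING -v -n` and `ip rule show` confirm the rules and the fwmark lookup are in place.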