[squid-users] TPROXY and IPv6 issues CentOS 7

James White james at jmwhite.co.uk
Tue Oct 13 18:07:58 UTC 2015

Hi all,

I operate a squid box which has two http_port setups:

http_port 3128
http_port 3129 TPROXY

I have implemented TPROXY to replace my NAT setup on a CentOS 7 Squid
3.3 box. Currently the IPv4 connectivity is working great, but the IPv6
connectivity is broken when going through TPROXY. All IPv6 connections
time out, and from tests it appears there is a broken IPv6 setup. Using
test-ipv6.com I get a broken/misconfiguration warning. IPv6
connections handled by the standard 3128 setup work OK, and direct IPv6
connections outside of the proxy are also OK; only TPROXY IPv6 is not
working properly.

I have looked at several TPROXY resources and cannot see where I have
gone wrong or what might be causing the issue. I am using my DD-WRT
routing with policy routing to pass the traffic to the Squid box which
then uses further policy routing to push the traffic to the TPROXY
binding on port 3129.

DD-WRT firewall/routing rules:

ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT

ip -f inet6 rule add fwmark $FWMARK table 2
ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
Squid box firewall and routing rules:

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eno1 table 100

ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t mangle -N DIVERT

ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

The following sysctl values are set:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eno1.rp_filter = 0

I have defined specific IPv4 and IPv6 addresses for the Squid traffic
to go over. I had to exclude these with PREROUTING rules, as otherwise this broke
connectivity on LAN clients which use the standard http_port setup of
3128. IPv6 connectivity for these clients is OK.

iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j ACCEPT
ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s 2001:470:xxxx:xx::x -j ACCEPT

I don't know if I need to set any additional IPv6 config values.
Nothing is mentioned in the TPROXY Squid wiki article.

Any ideas on what I could be missing?
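The sysctl list in the post names only net.ipv4 keys. The script below is an added example, not part of the original post or of Squid's documentation: it audits a `sysctl -a` style dump per address family so that a TPROXY host's forwarding and reverse-path settings can be verified for IPv4 and IPv6 separately before relying on either. The IPv4 keys are the ones the post lists; the IPv6 keys are the standard kernel forwarding sysctls (net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding). IPv6 has no rp_filter sysctl, so none is expected for that family. The sample dump is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl dump for the
# forwarding / rp_filter keys a TPROXY host needs, one address family at a time.

# IPv4 keys are the ones listed in the post. IPv6 forwarding keys are the
# standard kernel sysctls; IPv6 has no rp_filter sysctl (reverse-path checks
# for IPv6 are done with the ip6tables "rpfilter" match, not sysctl).
REQUIRED_V4="net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0"
REQUIRED_V6="net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1"

# Constructed sample dump in "key = value" form, as `sysctl -a` prints it.
# It mirrors the post: IPv4 keys set, IPv6 forwarding left at its default.
SAMPLE_DUMP="net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eno1.rp_filter = 0
net.ipv6.conf.all.forwarding = 0"

# audit_sysctl FAMILY DUMP
# Prints one line per required key that is missing or has the wrong value.
# Returns 0 when every key required for FAMILY is present with the expected
# value, 1 otherwise, 2 for an unknown family.
audit_sysctl() {
    family=$1
    dump=$2
    case "$family" in
        ipv4) required=$REQUIRED_V4 ;;
        ipv6) required=$REQUIRED_V6 ;;
        *) echo "unknown family: $family" >&2; return 2 ;;
    esac
    problems=0
    for kv in $required; do
        key=${kv%%=*}
        want=${kv#*=}
        # Escape the dots so the key is matched literally by sed.
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        got=$(printf '%s\n' "$dump" \
              | sed -n "s/^${pat}[[:space:]]*=[[:space:]]*//p" \
              | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key = $got (expected $want)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# When run directly: audit the constructed sample for both families.
# On a real host, replace SAMPLE_DUMP with "$(sysctl -a 2>/dev/null)".
for fam in ipv4 ipv6; do
    echo "== $fam =="
    audit_sysctl "$fam" "$SAMPLE_DUMP" && echo "OK" || echo "needs attention"
done
```

On the constructed sample the IPv4 audit passes and the IPv6 audit reports one wrong value and one missing key, which is the kind of per-family gap this check is meant to surface before a TPROXY deployment is trusted for both protocols.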
