[squid-users] TPROXY and IPv6 issues CentOS 7

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 14 03:20:06 UTC 2015

On 14/10/2015 7:07 a.m., James White wrote:
> Hi all,
> I operate a squid box which has two http_port setups:
> http_port 3128
> http_port 3129 TPROXY
> I have implemented TPROXY to replace my NAT setup on a CentOS 7 Squid
> 3.3 box. Currently the IPv4 connectivity is working great, the IPv6
> connectivity is broken when going through TPROXY. All IPv6 connections
> timeout and from tests it appears there is a broken IPv6 setup. Using
> test-ipv6.com I get a broken/misconfiguration warning. IPv6
> connections handled by the standard 3128 setup work OK, direct IPv6
> connections outside of the proxy are also OK, TPROXY IPv6 is not
> working properly.
> I have looked at several TPROXY resources and cannot see where I have
> gone wrong or what might be causing the issue. I am using my DD-WRT
> routing with policy routing to pass the traffic to the Squid box which
> then uses further policy routing to push the traffic to the TPROXY
> binding on port 3129.
> DD-WRT firewall/routing rules:
> PROXY_IPV6="2001:470:xxxx:xx::x"
> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp
> --dport 80 -j ACCEPT
> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j
> MARK --set-mark $FWMARK
> ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
> ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp
> --dport 80 -j ACCEPT
> ip -f inet6 rule add fwmark $FWMARK table 2
> ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
> Squid box firewall and routing rules:
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev eno1 table 100
> ip6tables -t mangle -F
> ip6tables -t mangle -X
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
> ip6tables -t mangle -A DIVERT -j ACCEPT
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
> The following sysctl values are set:
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.eno1.rp_filter = 0

Double-check the meaning of 0 in those rules. The rp_filter value
meanings changed just prior to 3.x kernels, and no longer do what most
online tutorials say.

> I have defined specific IPv4 and IPv6 addresses for the Squid traffic
> to go over, I had to exclude these with PREROUTING RULES as this broke
> connectivity on LAN clients which use the standard http_port setup of
> 3128. IPv6 connectivity for these clients is OK.


How is traffic to --dport 3128 matching "-p tcp -m tcp --dport 80" ?

It seems to me that would be part of yoru problem. Unless you mean that
these rules had to go on the router. In which case, yes you do need to
prevent Squid outbound traffic being looped back to it a second time.

> iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j
> ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s
> 2001:470:xxxx:xx::x -j ACCEPT
> I don't know if I need additional values for any ipv6 config value.
> Nothing is mentioned in the TPROXY Squid wiki article.

Given the likelihood of so called "privacy addressing" in IPv6 you may
need to make the v6 bypasses use /64 subnets instead of single IP's

> Any ideas on what I could be missing?

When debugging make sure "via on" directive exists in squid.conf. That
will highlight looping errors that you may have from misconfiguration

Also, make sure that ICMP and path-MTU etc are working. Particularly
from the Squid machine to the Internet.

If you haven't already been through the list and double/triple-checked,
the troubleshooting section of
<http://wiki.squid-cache.org/Features/Tproxy4> may have the answer.


More information about the squid-users mailing list