[squid-users] TPROXY and IPv6 issues CentOS 7

James White james at jmwhite.co.uk
Sat Oct 17 09:32:33 UTC 2015


Hi Amos,

Thanks for your reply.

I've tried setting the rp_filter values to 1 and 2 and there is no
difference in behaviour.

Traffic isn't being tagged on dport 3128 directly. What I meant was I
needed to exclude the configured outgoing IPv6 address at the DD-WRT
router level with a PREROUTING rule, otherwise there was a loop and
traffic would be messed up.

Enabling the via header temporarily, I checked to see what was being
passed. According to my tests, the IPv6 address of my proxy was the
value, so the traffic is making it to the Squid box, but no IPv6
requests are logged in the access.log from any TPROXY clients, and all
IPv6 requests from TPROXY clients are timing out, e.g. ipv6.google.com.

I'm pretty confident the problem lies on my Squid server at this
point; I can't see any issues with the policy routing on my DD-WRT router.

MTU is configured correctly and the Squid box can ping and traceroute
IPv6 addresses.

I'm really at a loss as to what the issue is. I've read the TPROXY wiki
article many times and there is nothing obvious to me that identifies
my issue. I've looked for other resources for TPROXY and IPv6 and
can't find anything else either.



On 14/10/2015 04:20, Amos Jeffries wrote:
> On 14/10/2015 7:07 a.m., James White wrote:
>> Hi all,
>> I operate a squid box which has two http_port setups:
>> http_port 3128
>> http_port 3129 TPROXY
>> I have implemented TPROXY to replace my NAT setup on a CentOS 7 
>> Squid 3.3 box. Currently the IPv4 connectivity is working great, 
>> but the IPv6 connectivity is broken when going through TPROXY. All 
>> IPv6 connections time out and from tests it appears there is a 
>> broken IPv6 setup. Using test-ipv6.com I get a 
>> broken/misconfiguration warning. IPv6 connections handled by the 
>> standard 3128 setup work OK, direct IPv6 connections outside of 
>> the proxy are also OK, TPROXY IPv6 is not working properly.
>> I have looked at several TPROXY resources and cannot see where I 
>> have gone wrong or what might be causing the issue. I am using
>> my DD-WRT routing with policy routing to pass the traffic to the 
>> Squid box which then uses further policy routing to push the 
>> traffic to the TPROXY binding on port 3129.
>> DD-WRT firewall/routing rules:
>> PROXY_IPV6="2001:470:xxxx:xx::x"
>> CLIENTIFACE="br0"
>> FWMARK=3
>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
>> ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
>> ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
>> ip -f inet6 rule add fwmark $FWMARK table 2
>> ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
>> Squid box firewall and routing rules:
>> ip -f inet6 rule add fwmark 1 lookup 100
>> ip -f inet6 route add local default dev eno1 table 100
>> ip6tables -t mangle -F
>> ip6tables -t mangle -X
>> ip6tables -t mangle -N DIVERT
>> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
>> ip6tables -t mangle -A DIVERT -j ACCEPT
>> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>> The following sysctl values are set:
>> net.ipv4.ip_forward = 1
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>> net.ipv4.conf.eno1.rp_filter = 0
> Double-check the meaning of 0 in those rules. The rp_filter value 
> meanings changed just prior to 3.x kernels, and no longer do what 
> most online tutorials say.
>> I have defined specific IPv4 and IPv6 addresses for the Squid 
>> traffic to go over, I had to exclude these with PREROUTING RULES 
>> as this broke connectivity on LAN clients which use the standard 
>> http_port setup of 3128. IPv6 connectivity for these clients is 
>> OK.
> Pause.
> How is traffic to --dport 3128 matching "-p tcp -m tcp --dport 80" 
> ?
> It seems to me that would be part of your problem. Unless you mean 
> that these rules had to go on the router. In which case, yes, you
> do need to prevent Squid outbound traffic being looped back to it
> a second time.
>> iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j ACCEPT
>> ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s 2001:470:xxxx:xx::x -j ACCEPT
>> I don't know if I need additional values for any ipv6 config 
>> value. Nothing is mentioned in the TPROXY Squid wiki article.
> Given the likelihood of so-called "privacy addressing" in IPv6 you 
> may need to make the v6 bypasses use /64 subnets instead of single 
> IPs.
>> Any ideas on what I could be missing?
> When debugging make sure the "via on" directive exists in squid.conf. 
> That will highlight looping errors that you may have from a 
> misconfigured TPROXY.
> Also, make sure that ICMP and path-MTU etc are working. 
> Particularly from the Squid machine to the Internet.
> If you haven't already been through the list and 
> double/triple-checked, the troubleshooting section of 
> <http://wiki.squid-cache.org/Features/Tproxy4> may have the 
> answer.
> Amos
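Added example, not from either post in this thread: a parameterised, dry-run generator for the IPv6 TPROXY rules discussed above, one function set for the Squid box and one for the router. Interface names, marks, table numbers, the MAC address and the 2001:db8: documentation prefix are placeholders. It departs from the posted rules in the places a practitioner would want to check: it sets net.ipv6.conf.all.forwarding (net.ipv4.ip_forward covers IPv4 only, and the rp_filter sysctls have no IPv6 counterpart, so they cannot be what breaks IPv6), and on the router it excludes the Squid box by source MAC rather than by address, because the connections Squid opens on behalf of TPROXY clients carry the client's IPv6 address as source, so an address-based bypass never matches them.

```shell
#!/bin/sh
# Added example, not from either post in this thread. Generates the IPv6 TPROXY
# rules for the Squid box (and, separately, the router) from a few variables.
# All values are hypothetical placeholders. DRY_RUN=1 (the default) prints the
# commands instead of running them; DRY_RUN=0 as root applies them.
set -u

TP_IFACE="${TP_IFACE:-eno1}"            # Squid box: interface facing the router
TP_SQUID_PORT="${TP_SQUID_PORT:-3129}"  # Squid box: the "http_port ... tproxy" listener
TP_MARK="${TP_MARK:-1}"                 # Squid box: fwmark shared by DIVERT, TPROXY, ip rule
TP_TABLE="${TP_TABLE:-100}"             # Squid box: table holding the "local default" route
TP_CLIENT_IFACE="${TP_CLIENT_IFACE:-br0}"           # router: LAN bridge
TP_SQUID_MAC="${TP_SQUID_MAC:-00:11:22:33:44:55}"  # router: Squid box MAC (placeholder)
TP_PROXY_V6="${TP_PROXY_V6:-2001:db8:1::2}"        # router: Squid box address (placeholder)
TP_ROUTER_MARK="${TP_ROUTER_MARK:-3}"               # router: fwmark for diverted flows
TP_ROUTER_TABLE="${TP_ROUTER_TABLE:-2}"             # router: table pointing at Squid
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --tproxy-mark takes value/mask; both must agree with the fwmark in the ip rule.
tproxy_mark_spec() {
    printf '0x%x/0x%x\n' "$TP_MARK" "$TP_MARK"
}

squid_sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    # net.ipv4.ip_forward covers IPv4 only; IPv6 forwarding is its own knob.
    run sysctl -w net.ipv6.conf.all.forwarding=1
    # rp_filter exists for IPv4 only: 0 = off, 1 = strict, 2 = loose, and the
    # kernel applies the larger of the "all" and per-interface values. There is
    # no net.ipv6.conf.*.rp_filter; IPv6 reverse-path checks are done with the
    # ip6tables "rpfilter" match, so these lines have no effect on IPv6.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$TP_IFACE.rp_filter=0"
}

squid_policy_routing() {
    # Marked packets are looked up in TP_TABLE, whose only route is "local",
    # so a packet for any foreign destination is delivered to the local
    # TPROXY socket instead of being forwarded.
    run ip -6 rule add fwmark "$TP_MARK" lookup "$TP_TABLE"
    run ip -6 route add local default dev "$TP_IFACE" table "$TP_TABLE"
}

squid_mangle_rules() {
    run ip6tables -t mangle -N DIVERT
    run ip6tables -t mangle -A DIVERT -j MARK --set-mark "$TP_MARK"
    run ip6tables -t mangle -A DIVERT -j ACCEPT
    # Packets of a flow a local socket already owns only need the mark.
    run ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New port-80 flows: mark them and steer them to the listener.
    run ip6tables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$(tproxy_mark_spec)" --on-port "$TP_SQUID_PORT"
}

router_rules() {
    # Connections Squid opens for TPROXY clients leave the Squid box with the
    # client's address as source, so a bypass keyed on Squid's own address
    # never matches them and they would be diverted to Squid a second time
    # (the loop that "via on" reveals). Matching the Squid box's MAC catches
    # every address it uses, rotating privacy addresses included.
    run ip6tables -t mangle -A PREROUTING -i "$TP_CLIENT_IFACE" \
        -m mac --mac-source "$TP_SQUID_MAC" -j ACCEPT
    run ip6tables -t mangle -A PREROUTING -i "$TP_CLIENT_IFACE" \
        -p tcp --dport 80 -j MARK --set-mark "$TP_ROUTER_MARK"
    run ip6tables -t filter -A FORWARD -i "$TP_CLIENT_IFACE" -o "$TP_CLIENT_IFACE" \
        -p tcp --dport 80 -j ACCEPT
    run ip -6 rule add fwmark "$TP_ROUTER_MARK" lookup "$TP_ROUTER_TABLE"
    run ip -6 route add default via "$TP_PROXY_V6" dev "$TP_CLIENT_IFACE" \
        table "$TP_ROUTER_TABLE"
    # This steers only the client-to-server direction; replies addressed to
    # the spoofed client addresses must also be routed back to the Squid box.
}

case "${1:-squid}" in
    router) router_rules ;;
    *)      squid_sysctls; squid_policy_routing; squid_mangle_rules ;;
esac
```

Run it with no argument on the Squid box and with `router` on the DD-WRT side. With DRY_RUN=1 it only prints the commands, which is also the easiest way to diff the intended ruleset against what `ip6tables -t mangle -S` and `ip -6 rule` actually show on the box.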