[squid-users] TPROXY and IPv6 issues CentOS 7
james at jmwhite.co.uk
Fri Oct 23 20:02:44 UTC 2015
I'm literally stumped at this point. The fact TPROXY is working for
IPv4 indicates that I have the necessary setup in place for TPROXY to
at least work, but IPv6 not working is a mystery. Like I said the
Squid box is fully IPv6 capable and clients connecting via 3128 have a
working IPv6 setup.
I maybe should have mentioned that the server Squid is running on is an
HP Microserver Gen8; it does have multiple NICs, but only eno1 is in
use, eno2 is disabled. I'm pretty sure there is some form of routing
issue at the Squid box, but I've read every bit of information about
TPROXY with IPv6 and I cannot see where I have done something wrong.
Reading many articles on the subject they all hint at the same routing
and ip6tables rules that I am using currently.
I've tried using the loopback interface and eno1 (main LAN interface)
and they both yield the same results for IPv6 connectivity.
I hope someone can chime in with some additional
troubleshooting/debugging steps, because I literally have no idea now!
On 17/10/2015 10:32, James White wrote:
> Hi Amos,
> Thanks for your reply.
> I've tried setting the rp_filter values to 1 and 2 and there is no
> difference in behaviour.
> Traffic isn't being tagged on dport 3128 directly. What I meant was
> I needed to exclude the configured outgoing IPv6 address at the
> DD-WRT router level with a PREROUTING rule, otherwise there was a
> loop and traffic would be messed up.
> Enabling the via header temporarily, I checked to see what was
> being passed. According to my tests, the IPv6 address of my proxy
> was the value, so the traffic is making it to the Squid box, but no
> IPv6 requests are logged in the access.log from any TPROXY clients
> and all IPv6 requests from TPROXY clients are timing out e.g.
> I'm pretty confident the problem lies on my Squid server at this
> point, I can't see any issues with the policy routing on my DD-WRT
> router.
> MTU is configured correctly and the Squid box can ping and
> traceroute IPv6 addresses.
> I'm really at a loss of what the issue is. I've read the TPROXY
> wiki article many times and there is nothing obvious to me that
> identifies my issue. I've looked for other resources for TPROXY and
> IPv6 and can't find anything else either.
> On 14/10/2015 04:20, Amos Jeffries wrote:
>> On 14/10/2015 7:07 a.m., James White wrote:
>>> Hi all,
>>> I operate a squid box which has two http_port setups:
>>> http_port 3128
>>> http_port 3129 TPROXY
>>> I have implemented TPROXY to replace my NAT setup on a CentOS 7
>>> Squid 3.3 box. Currently the IPv4 connectivity is working
>>> great, the IPv6 connectivity is broken when going through
>>> TPROXY. All IPv6 connections timeout and from tests it appears
>>> there is a broken IPv6 setup. Using test-ipv6.com I get a
>>> broken/misconfiguration warning. IPv6 connections handled by
>>> the standard 3128 setup work OK, direct IPv6 connections
>>> outside of the proxy are also OK, TPROXY IPv6 is not working
>>> I have looked at several TPROXY resources and cannot see where
>>> I have gone wrong or what might be causing the issue. I am
>>> using my DD-WRT routing with policy routing to pass the traffic
>>> to the Squid box which then uses further policy routing to push
>>> the traffic to the TPROXY binding on port 3129.
>>> DD-WRT firewall/routing rules:
>>> PROXY_IPV6="2001:470:xxxx:xx::x"
>>> CLIENTIFACE="br0"
>>> FWMARK=3
>>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
>>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
>>> ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
>>> ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
>>> ip -f inet6 rule add fwmark $FWMARK table 2
>>> ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
>>> Squid box firewall and routing rules:
>>> ip -f inet6 rule add fwmark 1 lookup 100
>>> ip -f inet6 route add local default dev eno1 table 100
>>> ip6tables -t mangle -F
>>> ip6tables -t mangle -X
>>> ip6tables -t mangle -N DIVERT
>>> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
>>> ip6tables -t mangle -A DIVERT -j ACCEPT
>>> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port
>>> The following sysctl values are set:
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.default.rp_filter = 0
>>> net.ipv4.conf.all.rp_filter = 0
>>> net.ipv4.conf.eno1.rp_filter =
>> Double-check the meaning of 0 in those rules. The rp_filter value
>> meanings changed just prior to 3.x kernels, and no longer do
>> what most online tutorials say.
>>> I have defined specific IPv4 and IPv6 addresses for the Squid
>>> traffic to go over, I had to exclude these with PREROUTING
>>> RULES as this broke connectivity on LAN clients which use the
>>> standard http_port setup of 3128. IPv6 connectivity for these
>>> clients is OK.
>> How is traffic to --dport 3128 matching "-p tcp -m tcp --dport
>> 80" ?
>> It seems to me that would be part of your problem. Unless you
>> mean that these rules had to go on the router. In which case, yes
>> you do need to prevent Squid outbound traffic being looped back
>> to it a second time.
>>> iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j ACCEPT
>>> ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s 2001:470:xxxx:xx::x -j ACCEPT
>>> I don't know if I need additional values for any ipv6 config
>>> value. Nothing is mentioned in the TPROXY Squid wiki article.
>> Given the likelihood of so called "privacy addressing" in IPv6
>> you may need to make the v6 bypasses use /64 subnets instead of
>> single IPs.
>>> Any ideas on what I could be missing?
>> When debugging make sure "via on" directive exists in squid.conf.
>> That will highlight looping errors that you may have from a
>> TPROXY misconfiguration.
>> Also, make sure that ICMP and path-MTU etc are working.
>> Particularly from the Squid machine to the Internet.
>> If you haven't already been through the list and
>> double/triple-checked, the troubleshooting section of
>> <http://wiki.squid-cache.org/Features/Tproxy4> may have the
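As an added troubleshooting aid (not code from the thread, from Squid or from the wiki), the following Python script reads the output of `ip -6 rule show`, `ip -6 route show table 100` and `ip6tables -t mangle -S` and reports which pieces of the Squid-box setup discussed above are missing or inconsistent: the fwmark policy rule, the `local default` route in table 100, the DIVERT rule ordering, and whether the TPROXY and DIVERT mark bits agree with the policy rule. The sample output is constructed in iptables-save style, and the assumed mark bit 0x1, table 100 and `--on-port 3129` are taken from the rules and `http_port` line quoted in the thread.

```python
import re

# Constructed sample command output, modelled on the rules in the thread and
# not captured from the poster's box:
#   `ip -6 rule show`, `ip -6 route show table 100`, `ip6tables -t mangle -S`
GOOD_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
GOOD_TABLE = "local default dev eno1 metric 1024 pref medium\n"
GOOD_MANGLE = """\
-P PREROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip :: --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""


def check_tproxy6(rule_show, route_table, mangle, mark=0x1, table=100, port=3129):
    """Return a list of findings; an empty list means every checked piece is present."""
    findings = []
    # 1. packets carrying the mark must be looked up in the TPROXY policy table
    if not re.search(rf"fwmark 0x{mark:x}(/\S+)? lookup {table}\b", rule_show):
        findings.append(f"no 'fwmark 0x{mark:x} lookup {table}' policy rule")
    # 2. that table must deliver everything to the local stack
    if not re.search(r"^local default dev \S+", route_table, re.M):
        findings.append(f"table {table} lacks a 'local default' route")
    # 3. mangle PREROUTING: the socket-match DIVERT rule must precede the TPROXY rule
    pre = [l for l in mangle.splitlines() if l.startswith("-A PREROUTING ")]
    divert = next((i for i, l in enumerate(pre) if "-m socket" in l and "-j DIVERT" in l), None)
    tproxy = next((i for i, l in enumerate(pre) if "-j TPROXY" in l), None)
    if divert is None:
        findings.append("no '-m socket -j DIVERT' rule in mangle PREROUTING")
    if tproxy is None:
        findings.append("no TPROXY rule in mangle PREROUTING")
    else:
        if divert is not None and divert > tproxy:
            findings.append("socket/DIVERT rule comes after the TPROXY rule")
        # 4. TPROXY must target the 'http_port ... TPROXY' port and set the policy mark bit
        t = pre[tproxy]
        if f"--on-port {port}" not in t:
            findings.append(f"TPROXY rule does not use --on-port {port}")
        m = re.search(r"--tproxy-mark (0x[0-9a-f]+)", t)
        if not m or int(m.group(1), 16) & mark != mark:
            findings.append(f"TPROXY rule does not set mark bit 0x{mark:x}")
    # 5. DIVERT must set the same mark bit the policy rule matches
    m = re.search(r"^-A DIVERT -j MARK --set-xmark (0x[0-9a-f]+)", mangle, re.M)
    if not m or int(m.group(1), 16) & mark != mark:
        findings.append(f"DIVERT chain does not set mark bit 0x{mark:x}")
    return findings


if __name__ == "__main__":
    for line in check_tproxy6(GOOD_RULES, GOOD_TABLE, GOOD_MANGLE) or ["all TPROXY routing pieces present"]:
        print(line)
```

On a live box, feed it the real output of the three commands; it does not check the router-side marking or ICMP/path-MTU, which the thread raises separately.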