[squid-users] IPv6 and TPROXY

Eliezer Croitoru eliezer at ngtech.co.il
Thu Aug 10 05:10:46 UTC 2017


Hey Walter,

I have run basic tests which do not include direct internet access, and it seems like squid is intercepting traffic fine on CentOS 7.
Try to use:
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev lo table 100

ip6tables -t mangle -F
ip6tables -t mangle -F DIVERT
ip6tables -t mangle -X DIVERT
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
ip6tables -t mangle -A DIVERT -j ACCEPT

ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

check the output of:
sysctl -a |grep forward|grep v6

Since some of the setup you describe is "unusual", like "br0", I cannot promise you how things will work or whether they should work.
On a regular linux machine with regular interfaces it works fine.
I do get the basic "access denied" page from squid.
If this doesn't show up then I believe it's a routing-level issue, and maybe sysctl will help to reveal a couple of things about the subject.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
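A checker for the layout described above, added here as an example that is not part of the thread: it parses ip6tables-save and the "ip -6 rule" / "ip -6 route show table 100" output and reports where a setup deviates from the reference (socket match before the TPROXY rule, DIVERT chain marking, fwmark rule, local default route on lo). The sample inputs are constructed from the outputs pasted in this thread.

```python
import re

# Constructed sample input in the shape of the outputs pasted in this thread
# (mangle table trimmed to the TPROXY-relevant lines; table 100 uses br0, not lo).
SAMPLE_SAVE = """*mangle
:PREROUTING ACCEPT [43:6775]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
SAMPLE_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
SAMPLE_TABLE100 = "local default dev br0 metric 1024 pref medium\n"


def mangle_rules(save_text):
    """Return the '-A ...' lines of the *mangle table from ip6tables-save output."""
    rules, in_mangle = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_mangle = line.strip() == "*mangle"
        elif in_mangle and line.startswith("-A "):
            rules.append(line)
    return rules


def check_tproxy(save_text, rule_text, table100_text):
    """Compare a setup with the reference layout; return a list of findings (empty = matches)."""
    findings = []
    rules = mangle_rules(save_text)
    pre = [r for r in rules if r.startswith("-A PREROUTING ")]
    sock = next((i for i, r in enumerate(pre) if "-m socket" in r and "-j DIVERT" in r), None)
    tp = next((i for i, r in enumerate(pre) if "-j TPROXY" in r), None)
    if sock is None:
        findings.append("PREROUTING has no '-m socket -j DIVERT' rule")
    if tp is None:
        findings.append("PREROUTING has no TPROXY rule")
    elif sock is not None and sock > tp:
        findings.append("'-m socket' rule must precede the TPROXY rule")
    divert = [r for r in rules if r.startswith("-A DIVERT ")]
    mark = re.search(r"--set-x?mark (\S+)", " ".join(divert))
    divert_mark = int(mark.group(1).split("/")[0], 0) if mark else None   # 0x1/0xffffffff -> 1
    tp_mark = re.search(r"--tproxy-mark (\S+)", pre[tp]) if tp is not None else None
    tp_mark = int(tp_mark.group(1).split("/")[0], 0) if tp_mark else None
    if divert_mark is None or not any(r.endswith("-j ACCEPT") for r in divert):
        findings.append("DIVERT chain must MARK then ACCEPT")
    rule = re.search(r"fwmark (\S+) lookup (\d+)", rule_text)
    if rule is None:
        findings.append("no 'ip -6 rule' selecting a table by fwmark")
    else:
        fw = int(rule.group(1), 0)  # the mark the policy rule keys on
        if (divert_mark is not None and fw != divert_mark) or (tp_mark is not None and fw != tp_mark):
            findings.append("fwmark in ip rule differs from the mark set by DIVERT/TPROXY")
        if not re.search(r"^local default dev lo\b", table100_text, re.M):
            findings.append("table %s has no 'local default dev lo' route" % rule.group(2))
    return findings
```

Feed it the real outputs with `ip6tables-save`, `ip -6 rule` and `ip -6 route show table 100` to compare a live box against the reference.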



-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info] 
Sent: Thursday, August 10, 2017 06:49
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer

ip -6 rule is this

0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

the two commands were

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this
<BEGIN>

# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*mangle
:PREROUTING ACCEPT [43:6775]
:INPUT ACCEPT [104:10608]
:FORWARD ACCEPT [12:2567]
:OUTPUT ACCEPT [182:28756]
:POSTROUTING ACCEPT [194:31323]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017

<END>

Thanks,
Walter

On 10.08.2017 02:18, Eliezer Croitoru wrote:
> Can you attach or paste\gist the output of:
> iptables-save
> ip6tables-save
> ip rule
> ??
> It will help to also see the tables which you use in conjunction to the "ip rule" based on the mark.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Walter H.
> Sent: Tuesday, August 8, 2017 17:15
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] IPv6 and TPROXY
>
> Hello,
>
> I did at the ip6tables like this:
> https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129
>
> in squid.conf I added
>
> http_port  ipv6lan:3129 tproxy
>
> I also added the following rule to ip6tables
>
> iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129
> -m state --state NEW -j ACCEPT
>
> when I have tcpdump running, I get this:
>
> 16:08:58.452533 IP6 ipv6host.37656>  2a02:1788:2fd::b2ff:5302.80: Flags
> [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945
> ecr 0,nop,wscale 5], length 0
> 16:08:58.452794 IP6 ipv6lan>  ipv6host: ICMP6, destination unreachable,
> unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88
>
> when doing:
>
> wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy
> http://crl.usertrust.com/AddTrustExternalCARoot.crl
>
> (crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)
>
> what am I missing?
>
> Thanks
> Walter