[squid-users] IPv6 and TPROXY

Eliezer Croitoru eliezer at ngtech.co.il
Thu Aug 10 07:03:44 UTC 2017


Try changing the ip rule from br0 to lo and see if it changes anything.
Also remove any iptables rules and try to access a public ipv6 only address.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Walter H. [mailto:walter.h at mathemainzel.info] 
Sent: Thursday, August 10, 2017 09:19
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: RE: [squid-users] IPv6 and TPROXY

Hello Eliezer,

it is a CentOS 6 box,

br0 is a bridge device, connecting eth0 and wlan0 to one ip subnet/ipv6 prefix

might this be a problem?

the results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:
> Hey Walter,
>
> I have run basic tests which do not include direct internet access 
> and it seems like squid is intercepting traffic fine on a CentOS 7.
> Try to use:
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev lo table 100
>
> ip6tables -t mangle -F
> ip6tables -t mangle -F DIVERT
> ip6tables -t mangle -X DIVERT
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff 
> ip6tables -t mangle -A DIVERT -j ACCEPT
>
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
>
> check the output of:
> sysctl -a |grep forward|grep v6
>
> Since some of the setup you describe is "unusual", like "br0", I cannot 
> promise you how things will work or whether they should work.
> On a regular linux machine with regular interfaces it works fine.
> I do get the basic "access denied" page from squid.
> If this doesn't show up then I believe it's a routing level issue and 
> maybe sysctl will help to reveal a couple of things about the subject.
>
> All The Bests,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H at mathemainzel.info]
> Sent: Thursday, August 10, 2017 06:49
> To: Eliezer Croitoru <eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer
>
> ip -6 rule is this
>
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
>
> the two commands were
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev br0 table 100
>
> ip6tables-save is this
> <BEGIN>
>
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
> -A INPUT -m rt --rt-type 0 -j DROP
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -s fe80::/10 -j ACCEPT
> -A INPUT -d ff00::/8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
> -A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m rt --rt-type 0 -j DROP
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -i br0 -o br0 -j ACCEPT
> -A FORWARD -i br0 -o sit1 -j ACCEPT
> -A OUTPUT -m rt --rt-type 0 -j DROP
> -A OUTPUT -m state --state INVALID -j DROP
> -A OUTPUT -s fe80::/10 -j ACCEPT
> -A OUTPUT -d ff00::/8 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o br0 -j ACCEPT
> -A OUTPUT -o sit1 -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *mangle
> :PREROUTING ACCEPT [43:6775]
> :INPUT ACCEPT [104:10608]
> :FORWARD ACCEPT [12:2567]
> :OUTPUT ACCEPT [182:28756]
> :POSTROUTING ACCEPT [194:31323]
> :DIVERT - [0:0]
> -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
> -A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
>
> <END>
>
> Thanks,
> Walter
>
> On 10.08.2017 02:18, Eliezer Croitoru wrote:
>> Can you attach or paste\gist the output of:
>> iptables-save
>> ip6tables-save
>> ip rule
>> ??
>> It will help to also see the tables which you use in conjunction with 
>> the "ip rule" based on the mark.
>>
>> Eliezer
>>
>> ----
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: eliezer at ngtech.co.il
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] 
>> On Behalf Of Walter H.
>> Sent: Tuesday, August 8, 2017 17:15
>> To: squid-users at lists.squid-cache.org
>> Subject: [squid-users] IPv6 and TPROXY
>>
>> Hello,
>>
>> I set up ip6tables like this:
>> https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>>
>> iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>>
>> iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129
>>
>> in squid.conf I added
>>
>> http_port  ipv6lan:3129 tproxy
>>
>> I also added this rule to ip6tables:
>>
>> iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129 -m state --state NEW -j ACCEPT
>>
>> when I run tcpdump, I get this:
>>
>> 16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945 ecr 0,nop,wscale 5], length 0
>> 16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable, unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88
>>
>> when doing:
>>
>> wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy http://crl.usertrust.com/AddTrustExternalCARoot.crl
>>
>> (crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)
>>
>> what am I missing?
>>
>> Thanks
>> Walter
>
>
>
>
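An added example, not from the thread or from the Squid project: a POSIX shell script that applies the IPv6 TPROXY setup the thread converges on (the `local default` route in table 100 via `lo`, not `br0`) and an offline check of `ip -6 rule` / `ip -6 route show table 100` output that flags that misconfiguration. Table 100, mark 0x1, the DIVERT chain and port 3129 are the thread's own values; the function names and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Table, mark and chain names are the
# values used in the thread; function names and sample outputs are constructed.
TABLE=100
MARK=0x1

# Policy-routing half of the setup: marked packets must be delivered to the
# local stack via lo (a LAN interface such as br0 here breaks delivery).
# Needs root and ip6tables on the host; not invoked by the check below.
tproxy6_routing_setup() {
    ip -f inet6 rule add fwmark "$MARK" lookup "$TABLE"
    ip -f inet6 route add local default dev lo table "$TABLE"
}

# ip6tables half: re-mark packets belonging to existing sockets (DIVERT) and
# TPROXY port 80 arriving on the LAN interface given as $1. Needs root.
tproxy6_mangle_setup() {
    ip6tables -t mangle -N DIVERT
    ip6tables -t mangle -A DIVERT -j MARK --set-xmark "$MARK/0xffffffff"
    ip6tables -t mangle -A DIVERT -j ACCEPT
    ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    ip6tables -t mangle -A PREROUTING -i "$1" -p tcp --dport 80 \
        -j TPROXY --on-port 3129 --tproxy-mark "$MARK/$MARK"
}

# Offline check. $1 = output of `ip -6 rule`, $2 = output of
# `ip -6 route show table $TABLE`. Prints exactly one of:
#   ok | no-fwmark-rule | no-local-route | local-route-not-lo
diagnose_tproxy6() {
    printf '%s\n' "$1" | grep -Eq "fwmark $MARK lookup $TABLE" \
        || { echo no-fwmark-rule; return 0; }
    route=$(printf '%s\n' "$2" | grep -E '^local default ' || :)
    [ -n "$route" ] || { echo no-local-route; return 0; }
    printf '%s\n' "$route" | grep -Eq ' dev lo( |$)' \
        || { echo local-route-not-lo; return 0; }
    echo ok
}

# Constructed sample outputs: the rule list from the thread, the route that
# was in place (dev br0) and the corrected one (dev lo).
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
SAMPLE_ROUTE_BAD='local default dev br0  metric 1024'
SAMPLE_ROUTE_GOOD='local default dev lo  metric 1024'

diagnose_tproxy6 "$SAMPLE_RULES" "$SAMPLE_ROUTE_BAD"    # local-route-not-lo
diagnose_tproxy6 "$SAMPLE_RULES" "$SAMPLE_ROUTE_GOOD"   # ok
```

On a live host, feed the check `"$(ip -6 rule)"` and `"$(ip -6 route show table 100)"` instead of the sample strings.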