[squid-users] IPv6 and TPROXY

Eliezer Croitoru eliezer at ngtech.co.il
Sat Aug 12 18:23:16 UTC 2017


Any progress with this issue?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Walter H. [mailto:walter.h at mathemainzel.info] 
Sent: Thursday, August 10, 2017 09:19
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: RE: [squid-users] IPv6 and TPROXY

Hello Eliezer,

it is a CentOS 6 box,

br0 is a bridge device connecting eth0 and wlan0 to one IP subnet / IPv6
prefix

might this be a problem?

the results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:
> Hey Walter,
>
> I have run basic tests, which do not include direct internet access, and
> it seems like squid is intercepting traffic fine on CentOS 7.
> Try to use:
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev lo table 100
>
> ip6tables -t mangle -F
> ip6tables -t mangle -F DIVERT
> ip6tables -t mangle -X DIVERT
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> ip6tables -t mangle -A DIVERT -j ACCEPT
>
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
>
> check the output of:
> sysctl -a |grep forward|grep v6
>
> Since some of the setup you describe is "unusual", like "br0", I cannot
> promise you how things will work or whether they should work.
> On a regular linux machine with regular interfaces it works fine.
> I do get the basic "access denied" page from squid.
> If this doesn't show up then I believe it's a routing-level issue, and maybe
> sysctl will help to reveal a couple of things about the subject.
>
> All The Bests,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H at mathemainzel.info]
> Sent: Thursday, August 10, 2017 06:49
> To: Eliezer Croitoru <eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer
>
> ip -6 rule is this
>
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
>
> the two commands were
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev br0 table 100
>
> ip6tables-save is this
> <BEGIN>
>
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
> -A INPUT -m rt --rt-type 0 -j DROP
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -s fe80::/10 -j ACCEPT
> -A INPUT -d ff00::/8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
> -A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m rt --rt-type 0 -j DROP
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -i br0 -o br0 -j ACCEPT
> -A FORWARD -i br0 -o sit1 -j ACCEPT
> -A OUTPUT -m rt --rt-type 0 -j DROP
> -A OUTPUT -m state --state INVALID -j DROP
> -A OUTPUT -s fe80::/10 -j ACCEPT
> -A OUTPUT -d ff00::/8 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o br0 -j ACCEPT
> -A OUTPUT -o sit1 -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *mangle
> :PREROUTING ACCEPT [43:6775]
> :INPUT ACCEPT [104:10608]
> :FORWARD ACCEPT [12:2567]
> :OUTPUT ACCEPT [182:28756]
> :POSTROUTING ACCEPT [194:31323]
> :DIVERT - [0:0]
> -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
> -A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
>
> <END>
>
> Thanks,
> Walter
>
> On 10.08.2017 02:18, Eliezer Croitoru wrote:
>> Can you attach or paste\gist the output of:
>> iptables-save
>> ip6tables-save
>> ip rule
>> ??
>> It will help to also see the tables which you use in conjunction with the
>> "ip rule" based on the mark.
>>
>> Eliezer
>>
>> ----
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: eliezer at ngtech.co.il
>>
>>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
>> Behalf Of Walter H.
>> Sent: Tuesday, August 8, 2017 17:15
>> To: squid-users at lists.squid-cache.org
>> Subject: [squid-users] IPv6 and TPROXY
>>
>> Hello,
>>
>> I set up ip6tables like this:
>> https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device
>>
>> ip6tables -t mangle -N DIVERT
>> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
>> ip6tables -t mangle -A DIVERT -j ACCEPT
>>
>> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>>
>> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129
>>
>> in squid.conf I added
>>
>> http_port  ipv6lan:3129 tproxy
>>
>> I also added this rule to ip6tables
>>
>> ip6tables -t filter -A INPUT -i br0 -d ipv6lan -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
>>
>> when I have tcpdump run, I get this:
>>
>> 16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945 ecr 0,nop,wscale 5], length 0
>> 16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable, unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88
>>
>> when doing:
>>
>> wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy http://crl.usertrust.com/AddTrustExternalCARoot.crl
>>
>> (crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)
>>
>> what am I missing?
>>
>> Thanks
>> Walter
>
>
>
>
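
An added example, not code from the posters in this thread or from the Squid project: an offline check that compares a box's IPv6 TPROXY setup with the recipe Eliezer posted above. It parses the text of ip6tables-save, ip -6 rule and ip -6 route show table 100 and reports where the ruleset departs from that recipe: no DIVERT chain marking 0x1, no '-m socket -j DIVERT' ahead of the TPROXY rule, a TPROXY target with the wrong --on-port or --tproxy-mark, no fwmark policy rule, a 'local default' route in the mark table that is not on lo, or a DROP-policy INPUT chain with no ACCEPT for the tproxy port. The sample inputs are constructed: Walter's posted ruleset condensed with the wrapped rules rejoined, his table 100 as he created it (dev br0), and a second variant adjusted to Eliezer's commands (no -d restriction, dev lo). Mark 0x1, table 100 and port 3129 are the values used in the thread; the finding codes are this example's own.

```python
"""Audit an IPv6 TPROXY setup for Squid against the recipe quoted above, from the
text of `ip6tables-save`, `ip -6 rule` and `ip -6 route show table <N>`."""
import re


def parse_ip6tables_save(text):
    """-> {table: {"chains": {name: policy}, "rules": [(chain, tokens), ...]}}"""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # *filter / *mangle
            cur = line[1:]
            tables[cur] = {"chains": {}, "rules": []}
        elif line.startswith(":"):                # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[cur]["chains"][name] = policy
        elif line.startswith("-A "):
            toks = line.split()
            tables[cur]["rules"].append((toks[1], toks[2:]))
    return tables


def opt(tokens, name):  # value that follows option `name` in a rule, or None
    try:
        return tokens[tokens.index(name) + 1]
    except (ValueError, IndexError):
        return None


def mark_of(tokens):
    """Integer mark from --set-mark N, --set-xmark V/M or --tproxy-mark V/M."""
    for name in ("--set-xmark", "--set-mark", "--tproxy-mark"):
        v = opt(tokens, name)
        if v is not None:
            return int(v.split("/")[0], 0)
    return None


def audit(ip6tables_save, ip6_rule, table_routes, tproxy_port=3129, mark=1):
    """Return (code, message) findings; [] means the ruleset matches the recipe."""
    out = []
    tables = parse_ip6tables_save(ip6tables_save)
    mangle = tables.get("mangle", {"chains": {}, "rules": []})
    filt = tables.get("filter", {"chains": {}, "rules": []})
    # 1. A DIVERT chain that MARKs the tproxy mark (and then ACCEPTs).
    divert = [t for c, t in mangle["rules"] if c == "DIVERT"]
    if not any(opt(t, "-j") == "MARK" and mark_of(t) == mark for t in divert):
        out.append(("DIVERT_MARK", f"mangle: no DIVERT rule setting MARK 0x{mark:x}"))
    # 2. PREROUTING: '-m socket -j DIVERT' must precede TPROXY (re-marks flows Squid owns).
    pre = [t for c, t in mangle["rules"] if c == "PREROUTING"]
    sock = [i for i, t in enumerate(pre) if "socket" in t and opt(t, "-j") == "DIVERT"]
    tpx = [i for i, t in enumerate(pre) if opt(t, "-j") == "TPROXY"]
    if not sock:
        out.append(("NO_SOCKET_RULE", "mangle PREROUTING: no '-m socket -j DIVERT' rule"))
    if not tpx:
        out.append(("NO_TPROXY_RULE", "mangle PREROUTING: no TPROXY rule"))
    else:
        t = pre[tpx[0]]
        if sock and sock[0] > tpx[0]:
            out.append(("SOCKET_AFTER_TPROXY", "mangle PREROUTING: socket match is after TPROXY"))
        if opt(t, "--on-port") != str(tproxy_port) or mark_of(t) != mark:
            out.append(("TPROXY_TARGET", f"TPROXY must use --on-port {tproxy_port} --tproxy-mark 0x{mark:x}/0x{mark:x}"))
        if opt(t, "-d"):
            out.append(("TPROXY_DST_LIMITED", f"TPROXY matches only -d {opt(t, '-d')}; other port-80 flows bypass Squid"))
    # 3. Policy routing: 'fwmark <mark> lookup <N>' and 'local default dev lo' in table N.
    m = re.search(r"fwmark\s+(0x[0-9a-fA-F]+|\d+)\s+lookup\s+\S+", ip6_rule)
    if not m or int(m.group(1), 0) != mark:
        out.append(("NO_FWMARK_RULE", f"ip -6 rule: no 'fwmark 0x{mark:x} lookup <table>' entry"))
    local = [ln.split() for ln in table_routes.splitlines() if ln.startswith("local default")]
    dev = opt(local[0], "dev") if local else None
    if dev != "lo":
        out.append(("TABLE_LOCAL_DEV", f"mark table: need 'local default dev lo', found dev {dev}"))
    # 4. With a DROP policy, filter INPUT needs an ACCEPT for TCP to the tproxy port.
    if filt["chains"].get("INPUT") == "DROP" and not any(
            c == "INPUT" and opt(t, "-p") == "tcp" and opt(t, "--dport") == str(tproxy_port)
            and opt(t, "-j") == "ACCEPT" for c, t in filt["rules"]):
        out.append(("INPUT_PORT_NOT_ACCEPTED", f"filter INPUT: no ACCEPT for tcp/{tproxy_port}"))
    return out


# Constructed inputs: Walter's ruleset condensed, with the wrapped rules rejoined.
WALTER_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
COMMIT
*mangle
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
IP6_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
WALTER_TABLE_100 = "local default dev br0  metric 1024\n"
# The same ruleset adjusted to Eliezer's commands: no -d restriction, table 100 on lo.
FIXED_SAVE = WALTER_SAVE.replace("-d 2a02:1788:2fd::b2ff:5302/128 ", "")
FIXED_TABLE_100 = "local default dev lo  metric 1024\n"
```

audit(WALTER_SAVE, IP6_RULE, WALTER_TABLE_100) returns two findings, TPROXY_DST_LIMITED (the rule only diverts traffic to the one CRL host) and TABLE_LOCAL_DEV (table 100 routes to br0 where Eliezer's command uses lo); audit(FIXED_SAVE, IP6_RULE, FIXED_TABLE_100) returns []. On a live box, pass it the real outputs of `ip6tables-save`, `ip -6 rule` and `ip -6 route show table 100`. The checker only flags differences from the recipe in the thread; it does not claim which of them explains the ICMP6 port unreachable Walter captured.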




