[squid-users] IPv6 and TPROXY

Eliezer Croitoru eliezer at ngtech.co.il
Sun Aug 13 13:48:35 UTC 2017


Hey,

Is there a specific reason for the usage of CentOS 6?
Also, do you need full tproxy features or just to intercept the traffic?

And Amos:
Let's say I want to intercept using tproxy but not use tproxy for outgoing connections; would that be possible?
Would the usage of:
http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

override the tproxy function?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info] 
Sent: Saturday, August 12, 2017 22:03
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer,

not really,
as I don't understand which IP squid needs to listen to

in my squid.conf I have this:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port [ipv6prefix::1]:3128
# Transparent Squid listens to port 3129 (IPv4 only)
http_port 192.168.1.1:3129 transparent
http_port [ipv6prefix::1]:3129 tproxy <-- does it need this?
http_port [::1]:3129 tproxy <-- or this?

the transparent proxy with ipv4 works ...

just had to add the following

e.g.
iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 -j DNAT --to-destination 192.168.1.1:3129

with IPv6 it is more complicated ...

especially, which IP6TABLES rule is meant by Amos' question?

"I don't see anywhere in that INPUT list where the TPROXY'd traffic is 
permitted to reach Squid. "

does this mean:

e.g. when I want to use TPROXY to IPv6 2a02:1788:2fd::b2ff:5302, I need to add

ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j ACCEPT
?

does this really need these two
ip -6 ...
commands, as I don't know what to add in a file in
/etc/sysconfig/network-scripts ...

Thanks,
Walter
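The two things the thread keeps circling (whether the fwmark routing table has the documented "local default dev lo" route, and whether the filter INPUT chain, with policy DROP, lets the TPROXY'd packets reach Squid at all) can be checked offline against text dumps. The script below is an added example, not part of this thread and not Squid's or the wiki's code. It assumes the thread's mark 0x1, original destination port 80 and table 100; the sample dumps embedded in it are constructed from the rules Walter posted (wrapped lines rejoined, trimmed to the relevant ones), with a second, corrected set for comparison. The hypothetical file name tproxy6-check.sh is only for the usage line.

```shell
#!/bin/sh
# Added example (not from the thread): offline checker for the two TPROXY
# prerequisites discussed above. It works on text dumps, so it needs no root.
#   1. the table selected by "ip -6 rule ... fwmark 1 lookup 100" must hold
#      "local default dev lo" (as in Eliezer's commands; Walter's used br0)
#   2. the filter INPUT chain (policy DROP) must ACCEPT the TPROXY'd packets.
#      TPROXY is not NAT: the packets still carry the original destination
#      (here port 80) plus the fwmark, so an INPUT rule that only accepts
#      "::1/128 --dport 3129" never matches them.
# Assumptions: mark 0x1 (the thread's --tproxy-mark 0x1/0x1), original
# destination port 80, table 100.

# 0 if the "ip -6 route show table 100" text has a local default route on lo.
tproxy_local_route_ok() {
    printf '%s\n' "$1" | grep -Eq '^local (default|::/0) dev lo( |$)'
}

# Print only the INPUT rules of the *filter table from an ip6tables-save dump
# (the mangle table also has a "--dport 80" line, which must not count).
filter_input_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/            { table = $1 }
        /^COMMIT/        { table = "" }
        table == "*filter" && /^-A INPUT / { print }
    '
}

# 0 if some filter INPUT rule ACCEPTs packets matched by the TPROXY mark
# or by the original destination port.
tproxy_input_accept_ok() {
    filter_input_rules "$1" | grep -E -- '-j ACCEPT' |
        grep -Eq -- '(-m mark --mark 0x1(/0x[0-9a-fA-F]+)?|--dport 80( |$))'
}

# Run both checks, print one line each; exit status = number of problems.
tproxy_report() {
    problems=0
    if tproxy_local_route_ok "$1"; then
        echo "ok: routing table has 'local default dev lo'"
    else
        echo "problem: no 'local default dev lo' route in the fwmark table"
        problems=$((problems + 1))
    fi
    if tproxy_input_accept_ok "$2"; then
        echo "ok: filter INPUT accepts the marked / port-80 packets"
    else
        echo "problem: filter INPUT has no ACCEPT for mark 0x1 or dport 80;" \
             "rules for the listen port (3129) do not match TPROXY'd packets"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples. WALTER_* mirror the dumps posted in the thread
# (wrapped lines rejoined, trimmed to the relevant rules); FIXED_* add the
# lo route and a mark-based INPUT accept for comparison.
WALTER_ROUTE='local default dev br0 metric 1024'
FIXED_ROUTE='local default dev lo metric 1024'
WALTER_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
COMMIT
*mangle
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
)
# Same dump with one accept rule for the marked packets inserted after the
# INPUT policy line.
FIXED_RULES=$(printf '%s\n' "$WALTER_RULES" | awk '
    { print }
    /^:INPUT DROP/ { print "-A INPUT -i br0 -p tcp -m mark --mark 0x1/0x1 -j ACCEPT" }')

# Usage: sh tproxy6-check.sh ROUTE_DUMP IP6TABLES_DUMP
#   (e.g. ip -6 route show table 100 > r.txt; ip6tables-save > t.txt)
# With no arguments it reports on the constructed sample from the thread.
if [ "$#" -eq 2 ]; then
    tproxy_report "$(cat "$1")" "$(cat "$2")"
elif [ "$#" -eq 0 ]; then
    tproxy_report "$WALTER_ROUTE" "$WALTER_RULES" || echo "$? problem(s) found"
fi
```

Run without arguments it reports two problems for the posted configuration and none for the corrected samples; pointed at real dumps it exits with the number of problems, so it can sit in a deployment check. The port-80 alternative in the regex covers the rule form Walter proposed above; the mark-based rule is the one that keeps working when more destinations are intercepted.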

On 12.08.2017 20:23, Eliezer Croitoru wrote:
> Any progress with this issue?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:walter.h at mathemainzel.info]
> Sent: Thursday, August 10, 2017 09:19
> To: Eliezer Croitoru<eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: RE: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer,
>
> it is a CentOS 6 box,
>
> br0 is a bridge device, connecting eth0 and wlan0 to one ip subnet/ipv6
> prefix
>
> might this be a problem?
>
> the results of "sysctl -a |grep forward|grep v6":
>
> net.ipv6.conf.all.forwarding = 1
> net.ipv6.conf.all.mc_forwarding = 0
> net.ipv6.conf.default.forwarding = 1
> net.ipv6.conf.default.mc_forwarding = 0
> net.ipv6.conf.lo.forwarding = 1
> net.ipv6.conf.lo.mc_forwarding = 0
> net.ipv6.conf.eth0.forwarding = 1
> net.ipv6.conf.eth0.mc_forwarding = 0
> net.ipv6.conf.eth1.forwarding = 1
> net.ipv6.conf.eth1.mc_forwarding = 0
> net.ipv6.conf.wlan0.forwarding = 1
> net.ipv6.conf.wlan0.mc_forwarding = 0
> net.ipv6.conf.br0.forwarding = 1
> net.ipv6.conf.br0.mc_forwarding = 0
> net.ipv6.conf.sit0.forwarding = 1
> net.ipv6.conf.sit0.mc_forwarding = 0
> net.ipv6.conf.sit1.forwarding = 1
> net.ipv6.conf.sit1.mc_forwarding = 0
>
> Greetings,
> Walter
>
> On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:
>> Hey Walter,
>>
>> I have run basic tests which do not include direct internet access, and
>> it seems like squid is intercepting traffic fine on a CentOS 7.
>> Try to use:
>> ip -f inet6 rule add fwmark 1 lookup 100
>> ip -f inet6 route add local default dev lo table 100
>>
>> ip6tables -t mangle -F
>> ip6tables -t mangle -F DIVERT
>> ip6tables -t mangle -X DIVERT
>> ip6tables -t mangle -N DIVERT
>> ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>> ip6tables -t mangle -A DIVERT -j ACCEPT
>>
>> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
>> TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
>>
>> check the output of:
>> sysctl -a |grep forward|grep v6
>>
>> Since some of the setup you describe is "unusual", like "br0", I cannot
>> promise you how things will work or whether they should work.
>> On a regular linux machine with regular interfaces it works fine.
>> I do get the basic "access denied" page from squid.
>> If this doesn't show up then I believe it's a routing level issue and maybe
>> sysctl will help to reveal a couple of things about the subject.
>>
>> All The Bests,
>> Eliezer
>>
>> ----
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: eliezer at ngtech.co.il
>>
>>
>>
>> -----Original Message-----
>> From: Walter H. [mailto:Walter.H at mathemainzel.info]
>> Sent: Thursday, August 10, 2017 06:49
>> To: Eliezer Croitoru<eliezer at ngtech.co.il>
>> Cc: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] IPv6 and TPROXY
>>
>> Hello Eliezer
>>
>> ip -6 rule is this
>>
>> 0:      from all lookup local
>> 32765:  from all fwmark 0x1 lookup 100
>> 32766:  from all lookup main
>>
>> the two commands were
>>
>> ip -f inet6 rule add fwmark 1 lookup 100
>> ip -f inet6 route add local default dev br0 table 100
>>
>> ip6tables-save is this
>> <BEGIN>
>>
>> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT DROP [0:0]
>> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm
>> --to 84 -m tcp --dport 80 -j DROP
>> -A INPUT -m rt --rt-type 0 -j DROP
>> -A INPUT -m state --state INVALID -j DROP
>> -A INPUT -s fe80::/10 -j ACCEPT
>> -A INPUT -d ff00::/8 -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
>> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m
>> state --state NEW -j ACCEPT
>> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m
>> state --state NEW -j ACCEPT
>> -A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -m rt --rt-type 0 -j DROP
>> -A FORWARD -m state --state INVALID -j DROP
>> -A FORWARD -i br0 -o br0 -j ACCEPT
>> -A FORWARD -i br0 -o sit1 -j ACCEPT
>> -A OUTPUT -m rt --rt-type 0 -j DROP
>> -A OUTPUT -m state --state INVALID -j DROP
>> -A OUTPUT -s fe80::/10 -j ACCEPT
>> -A OUTPUT -d ff00::/8 -j ACCEPT
>> -A OUTPUT -o lo -j ACCEPT
>> -A OUTPUT -o br0 -j ACCEPT
>> -A OUTPUT -o sit1 -j ACCEPT
>> COMMIT
>> # Completed on Thu Aug 10 05:26:04 2017
>> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
>> *mangle
>> :PREROUTING ACCEPT [43:6775]
>> :INPUT ACCEPT [104:10608]
>> :FORWARD ACCEPT [12:2567]
>> :OUTPUT ACCEPT [182:28756]
>> :POSTROUTING ACCEPT [194:31323]
>> :DIVERT - [0:0]
>> -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>> -A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport
>> 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark
>> 0x1/0x1
>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>> -A DIVERT -j ACCEPT
>> COMMIT
>> # Completed on Thu Aug 10 05:26:04 2017
>>
>> <END>
>>
>> Thanks,
>> Walter
>>
>> On 10.08.2017 02:18, Eliezer Croitoru wrote:
>>> Can you attach or paste\gist the output of:
>>> iptables-save
>>> ip6tables-save
>>> ip rule
>>> ??
>>> It will help to also see the tables which you use in conjunction to the
>>> "ip rule" based on the mark.
>>>
>>> Eliezer
>>>
>>> ----
>>> Eliezer Croitoru
>>> Linux System Administrator
>>> Mobile: +972-5-28704261
>>> Email: eliezer at ngtech.co.il
>>>
>>>
>>> -----Original Message-----
>>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
>>> Behalf Of Walter H.
>>> Sent: Tuesday, August 8, 2017 17:15
>>> To: squid-users at lists.squid-cache.org
>>> Subject: [squid-users] IPv6 and TPROXY
>>>
>>> Hello,
>>>
>>> I set up the ip6tables like this:
>>> https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device
>>>
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>
>>> iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
>>>
>>> iptables -t mangle -A PREROUTING -i br0 -p tcp -d
>>> 2a02:1788:2fd::b2ff:5302
>>> --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port
>>> 3129
>>>
>>> in squid.conf I added
>>>
>>> http_port  ipv6lan:3129 tproxy
>>>
>>> I also added the following rule to ip6tables
>>>
>>> iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129
>>> -m state --state NEW -j ACCEPT
>>>
>>> when I have tcpdump run, I get this:
>>>
>>> 16:08:58.452533 IP6 ipv6host.37656>   2a02:1788:2fd::b2ff:5302.80: Flags
>>> [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val
>>> 1875817945
>>> ecr 0,nop,wscale 5], length 0
>>> 16:08:58.452794 IP6 ipv6lan>   ipv6host: ICMP6, destination unreachable,
>>> unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88
>>>
>>> when doing:
>>>
>>> wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy
>>> http://crl.usertrust.com/AddTrustExternalCARoot.crl
>>>
>>> (crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)
>>>
>>> what am I missing?
>>>
>>> Thanks
>>> Walter




