[squid-users] TPROXY Error

Eliezer Croitoru ngtech1ltd at gmail.com
Wed Jul 7 21:03:57 UTC 2021


Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:
> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a different routing/forwarding table.
If you want to understand a bit more, you might try looking up FIB.
( take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-----Original Message-----
From: Ben Goz <ben.goz87 at gmail.com> 
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?
Ubuntu 20.04
> 2. the output of 'ip address'
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: ens1f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
     link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
     link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
     inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
        valid_lft forever preferred_lft forever
     inet6 fe80::2e0:4cff:fe36:d3/64 scope link
        valid_lft forever preferred_lft forever
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
     inet6 fe80::b859:58ff:fe58:232b/64 scope link
        valid_lft forever preferred_lft forever
7: bond0.212@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
     inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
        valid_lft forever preferred_lft forever
     inet6 fe80::b859:58ff:fe58:232b/64 scope link
        valid_lft forever preferred_lft forever
8: bond0.213@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
     inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
        valid_lft forever preferred_lft forever
     inet6 fe80::b859:58ff:fe58:232b/64 scope link
        valid_lft forever preferred_lft forever
> 3. the output of 'ip rule'
$ ip rule
0:    from all lookup local
32762:    from all fwmark 0x1 lookup 100
32763:    from all fwmark 0x1 lookup 100
32764:    from all fwmark 0x1 lookup 100
32765:    from all fwmark 0x1 lookup 100
32766:    from all lookup main
32767:    from all lookup default

> 4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Wed Jul  7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*nat
:PREROUTING ACCEPT [26338415:1392747531]
:INPUT ACCEPT [820462:44161193]
:OUTPUT ACCEPT [1053:92773]
:POSTROUTING ACCEPT [25514534:1348449899]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Wed Jul  7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*filter
:INPUT ACCEPT [5045387:2170630036]
:FORWARD ACCEPT [72544426:6194710400]
:OUTPUT ACCEPT [2471930:252759773]
COMMIT
# Completed on Wed Jul  7 12:25:05 20

> 7. the output of 'nft -nn list ruleset' (if exists on the OS)
Doesn't exist.
> 8. the output of your squid.conf
$ cat squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
acl localnet src fc00::/7           # RFC 4193 local private network range
acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

http_access allow all

# Squid normally listens to port 3128
http_port 15643
http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx
acl NoSSLIntercept ssl::server_name  "xxx"
acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=15 idle=3
#sslproxy_capath /etc/ssl/certs

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

range_offset_limit -1

dns_v4_first on
forwarded_for off
cache deny all
> 9. the output of 'squid -v'
$ ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience

> 10. the output of 'uname -a'
uname -a
Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>
> Once we will have all the above details (reducing/modifying any private
> details) we can try to maybe help you.
>
> Eliezer
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
> Ben Goz
> Sent: Wednesday, June 30, 2021 3:16 PM
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] TPROXY Error
>
>   By the help of God.
>
> Hi All,
> I'm trying to configure squid as a transparent proxy using TPROXY.
> The machine I'm using has 2 NICs, one for input and the other one for
> output traffic.
> The TPROXY iptables rules are configured on the input NIC.
> It looks like iptables TPROXY redirect works but squid prints out the
> following error:
>
> ERROR: NAT/TPROXY lookup failed to locate original IPs on
> local=xxx:443 remote=xxx:49471 FD 14 flags=17
>
> I think I loaded all TPROXY required kernel modules.
>
> The IP forwarding works fine without the iptables rules, and I don't
> see any squid ERROR on getsockopt.
>
> Please let me know what I'm missing?
>
> Thanks,
> Ben
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
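Eliezer's point is that the routing half of TPROXY lives in its own table: the fwmark rule sends marked packets to table 100, and table 100 has to deliver them to the local stack. The script below is an added example (not code from the thread, from Ben's setup or from Squid) that checks captured `ip rule`, `ip route show table 100` and `iptables-save` output against the standard Squid TPROXY recipe (`ip rule add fwmark 1 lookup 100`; `ip route add local 0.0.0.0/0 dev lo table 100`). The sample inputs are constructed from the outputs posted above; the expected contents of table 100 are an assumption about a working setup, since the thread never shows that table.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: check the policy-routing
# half of a TPROXY setup from captured command output. Expected layout (the
# standard Squid TPROXY recipe, assumed here):
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
TABLE=100

# Constructed sample: the `ip rule` output posted in the thread.
SAMPLE_IP_RULE='0:    from all lookup local
32762:    from all fwmark 0x1 lookup 100
32763:    from all fwmark 0x1 lookup 100
32764:    from all fwmark 0x1 lookup 100
32765:    from all fwmark 0x1 lookup 100
32766:    from all lookup main
32767:    from all lookup default'

# Constructed sample: `ip route show table 100` on a host where the recipe was applied.
SAMPLE_TABLE100_OK='local default dev lo scope host'

# Constructed sample: the main table, which is what item 5 in the thread actually shows.
SAMPLE_TABLE100_MAIN='default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1'

# Constructed sample: the TPROXY-related lines from the posted iptables-save output.
SAMPLE_IPTABLES='*mangle
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
COMMIT'

# count_fwmark_rules MARK TABLE: reads `ip rule` output on stdin and prints how many
# rules send packets carrying MARK to TABLE (exactly 1 expected).
count_fwmark_rules() {
    awk -v mark="$1" -v table="$2" '
        { fm = ""; tb = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "fwmark") fm = $(i + 1)
              if ($i == "lookup") tb = $(i + 1)
          }
          if (fm == mark && tb == table) n++ }
        END { print n + 0 }'
}

# has_local_catchall: reads `ip route show table N` on stdin; succeeds if it holds the
# local 0.0.0.0/0 route on lo that makes the kernel accept marked packets addressed
# to foreign IPs instead of forwarding them.
has_local_catchall() {
    awk '$1 == "local" && ($2 == "default" || $2 == "0.0.0.0/0") && $3 == "dev" && $4 == "lo" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# looks_like_main_table: succeeds if the output has a unicast default route
# ("default via ..."), a sign that the main table was dumped instead of table N.
looks_like_main_table() {
    awk '$1 == "default" && $2 == "via" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# tproxy_marks: reads iptables-save output on stdin and prints each distinct mark
# set by a TPROXY target (the value before the slash in --tproxy-mark).
tproxy_marks() {
    awk '/-j TPROXY/ { for (i = 1; i <= NF; i++)
                         if ($i == "--tproxy-mark") { split($(i + 1), m, "/"); print m[1] } }' | sort -u
}

# tproxy_routing_check RULES ROUTES IPTABLES: prints a one-line verdict; returns 0
# when the three captures agree with the recipe, 1 otherwise.
tproxy_routing_check() {
    marks=$(printf '%s\n' "$3" | tproxy_marks)
    if [ -z "$marks" ]; then
        echo "missing: no -j TPROXY rule in the mangle table"
        return 1
    fi
    dups=""
    for m in $marks; do
        n=$(printf '%s\n' "$1" | count_fwmark_rules "$m" "$TABLE")
        if [ "$n" -eq 0 ]; then
            echo "missing: ip rule add fwmark $m lookup $TABLE"
            return 1
        elif [ "$n" -gt 1 ]; then
            dups="$dups fwmark=$m:$n"
        fi
    done
    if ! printf '%s\n' "$2" | has_local_catchall; then
        if printf '%s\n' "$2" | looks_like_main_table; then
            echo "wrong table: this is the main table, run 'ip route show table $TABLE'"
        else
            echo "missing: ip route add local 0.0.0.0/0 dev lo table $TABLE"
        fi
        return 1
    fi
    if [ -n "$dups" ]; then
        echo "ok, but duplicate ip rules:$dups (each should appear once)"
    else
        echo ok
    fi
}

# Against the thread's captures: item 5 is the main table, not table 100.
tproxy_routing_check "$SAMPLE_IP_RULE" "$SAMPLE_TABLE100_MAIN" "$SAMPLE_IPTABLES" || :
```

Run against the outputs posted under items 3, 5 and 6, it reports that item 5 is the main table (a unicast `default via` route and no `local` entry). Fed a table 100 that does hold the local catch-all route, it passes but still flags the four identical fwmark rules, which only means the `ip rule add` command was run four times.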