[squid-users] TPROXY Error

Ben Goz ben.goz87 at gmail.com
Thu Jul 8 10:48:15 UTC 2021


By the help of God.

It looks like the point of failure (?)

BTW, my kernel already contains the required tproxy drivers by default, 
correct?


Regards,

Ben

On 08/07/2021 0:03, Eliezer Croitoru wrote:
> Hey Ben,
>
> You are missing the critical output of the full command:
> ip route show table 100
>
> What you posted was:
>> 5.  the output of 'ip route show table 100'
$ ip route show table 100
local default dev lo scope host
> $ ip route show
> default via 8.13.140.14 dev bond0.212 proto static
> 1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
> 8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
> 8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
> 8.13.144.0/20 via 1.21.213.254 dev bond0.213
> 8.13.148.1 via 1.21.213.254 dev bond0.213
> ##
>
> It's important to see the relevant routing table.
> The Linux kernel has a couple of routing tables, each of which can contain a different routing/forwarding table.
> If you want to understand a bit more, you might try looking up FIB.
> ( take a peek at: http://linux-ip.net/html/routing-tables.html)
>
> Eliezer
>
> -----Original Message-----
> From: Ben Goz <ben.goz87 at gmail.com>
> Sent: Wednesday, July 7, 2021 3:36 PM
> To: Eliezer Croitoru <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] TPROXY Error
>
> By the help of God.
>
>
> Hi Eliezer,
>
> Thanks for your help.
>
> Please let me know if you need more information.
>
>
> Regards,
>
> Ben
>
> On 07/07/2021 14:01, Eliezer Croitoru wrote:
>> Hey Ben,
>>
>> I want to try and reset this issue because I am missing some technical
>> details.
>>
>> 1. What Linux Distro and what version are you using?
> Ubuntu 20.04
>> 2. the output of 'ip address'
> $ ip address
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>       inet 127.0.0.1/8 scope host lo
>          valid_lft forever preferred_lft forever
>       inet6 ::1/128 scope host
>          valid_lft forever preferred_lft forever
> 2: ens1f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq
> master bond0 state UP group default qlen 1000
>       link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
> 3: ens1f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq
> master bond0 state UP group default qlen 1000
>       link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
> 4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>       link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
> 5: enx00e04c3600d3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> fq_codel state UP group default qlen 1000
>       link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
>       inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
>          valid_lft forever preferred_lft forever
>       inet6 fe80::2e0:4cff:fe36:d3/64 scope link
>          valid_lft forever preferred_lft forever
> 6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
>       link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
>       inet6 fe80::b859:58ff:fe58:232b/64 scope link
>          valid_lft forever preferred_lft forever
> 7: bond0.212 at bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
>       link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
>       inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
>          valid_lft forever preferred_lft forever
>       inet6 fe80::b859:58ff:fe58:232b/64 scope link
>          valid_lft forever preferred_lft forever
> 8: bond0.213 at bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
>       link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
>       inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
>          valid_lft forever preferred_lft forever
>       inet6 fe80::b859:58ff:fe58:232b/64 scope link
>          valid_lft forever preferred_lft forever
>> 3. the output of 'ip rule'
> $ ip rule
> 0:    from all lookup local
> 32762:    from all fwmark 0x1 lookup 100
> 32763:    from all fwmark 0x1 lookup 100
> 32764:    from all fwmark 0x1 lookup 100
> 32765:    from all fwmark 0x1 lookup 100
> 32766:    from all lookup main
> 32767:    from all lookup default
>
>> 4.  the output of 'ip route show'
> $ ip route show
> default via 8.13.140.14 dev bond0.212 proto static
> 1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
> 8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
> 8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
> 8.13.144.0/20 via 1.21.213.254 dev bond0.213
> 8.13.148.1 via 1.21.213.254 dev bond0.213
>
>> 5.  the output of 'ip route show table 100'
> $ ip route show
> default via 8.13.140.14 dev bond0.212 proto static
> 1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
> 8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
> 8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
> 8.13.144.0/20 via 1.21.213.254 dev bond0.213
> 8.13.148.1 via 1.21.213.254 dev bond0.213
>> 6. the output of 'iptables-save'
>
> $ sudo iptables-save
> # Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
> *mangle
> :PREROUTING ACCEPT [72898710:6084386298]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port
> 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port
> 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A INPUT -j ACCEPT
> -A FORWARD -j ACCEPT
> -A OUTPUT -j ACCEPT
> -A POSTROUTING -j ACCEPT
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> # Completed on Wed Jul  7 12:25:05 2021
> # Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
> *nat
> :PREROUTING ACCEPT [26338415:1392747531]
> :INPUT ACCEPT [820462:44161193]
> :OUTPUT ACCEPT [1053:92773]
> :POSTROUTING ACCEPT [25514534:1348449899]
> -A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
> COMMIT
> # Completed on Wed Jul  7 12:25:05 2021
> # Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
> *filter
> :INPUT ACCEPT [5045387:2170630036]
> :FORWARD ACCEPT [72544426:6194710400]
> :OUTPUT ACCEPT [2471930:252759773]
> COMMIT
> # Completed on Wed Jul  7 12:25:05 20
>
>> 7. the output of 'nft -nn list ruleset' (if exists on the OS)
> Doesn't exist.
>> 8. the output of your squid.conf
> $ cat squid.conf
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly
> plugged) machines
> acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16        # RFC 1918 local private network
> (LAN)
> acl localnet src fc00::/7           # RFC 4193 local private network range
> acl localnet src fe80::/10          # RFC 4291 link-local (directly
> plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> #http_access deny all
>
> http_access allow all
>
> # Squid normally listens to port 3128
> http_port 15643
> http_port 15644 tproxy
> https_port 15645 ssl-bump tproxy generate-host-certificates=on
> options=ALL dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> dhparams=/usr/local/squid/etc/dhparam.pem
> always_direct allow all
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx
> acl NoSSLIntercept ssl::server_name  "xxx"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> sslcrtd_children 32 startup=15 idle=3
> #sslproxy_capath /etc/ssl/certs
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> range_offset_limit -1
>
> dns_v4_first on
> forwarded_for off
> cache deny all
>> 9. the output of 'squid -v'
> $ ./squid -v
> Squid Cache: Version 4.15
> Service Name: squid
>
> This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap'
> '--enable-linux-netfilter' --enable-ltdl-convenience
>
>> 10. the output of 'uname -a'
> uname -a
> Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021
> x86_64 x86_64 x86_64 GNU/Linux
>> Once we have all the above details (reducing/modifying any private
>> details) we can try to maybe help you.
>>
>> Eliezer
>>
>> -----Original Message-----
>> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
>> Ben Goz
>> Sent: Wednesday, June 30, 2021 3:16 PM
>> To: squid-users at lists.squid-cache.org
>> Subject: [squid-users] TPROXY Error
>>
>>    By the help of God.
>>
>> Hi All,
>> I'm trying to configure squid as a transparent proxy using TPROXY.
>> The machine I'm using has 2 NICs, one for input and the other one for
>> output traffic.
>> The TPROXY iptables rules are configured on the input NIC.
>> It looks like iptables TPROXY redirect works but squid prints out the
>> following error:
>>
>> ERROR: NAT/TPROXY lookup failed to locate original IPs on
>> local=xxx:443 remote=xxx:49471 FD 14 flags=17
>>
>> I think I loaded all TPROXY required kernel modules.
>>
>> IP forwarding works fine without the iptables rules, and I don't
>> see any squid ERROR on getsockopt.
>>
>> Please let me know what I'm missing.
>>
>> Thanks,
>> Ben
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
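As an added, self-contained example that is not part of this thread and not Squid's own tooling: the POSIX shell functions below run the checks Eliezer is asking for over captured diagnostic output, so a pasted bundle like the one above can be audited offline before anyone touches the box. It covers the fwmark rule, the contents of table 100 (including the case where the main table is pasted where table 100 was requested, as happened above), the consistency of the mangle chain with the mark the ip rule matches on, and Ben's question about the kernel modules. Function names and sample inputs are constructed for this example; the samples mirror the shapes of the outputs above but use RFC 5737 documentation addresses and a generic interface name.

```shell
#!/bin/sh
# Added example, not from the thread: audit TPROXY prerequisites from captured
# command output. Function names are hypothetical; sample inputs are constructed.

# Count the "ip rule" entries that send fwmark 0x1 to table 100. Exactly one
# is expected; the thread's output shows four, which happens when a setup
# script is re-run without removing the old rule (harmless, but untidy).
tproxy_rule_count() {
    printf '%s\n' "$1" | grep -c 'fwmark 0x1 lookup 100' || true
}

# Table 100 must send every marked packet to the local stack via lo; if it
# holds ordinary forwarding routes instead, the packet is forwarded and the
# TPROXY socket never sees it. Prints "yes" or "no".
tproxy_table_ok() {
    if printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; then
        echo yes
    else
        echo no
    fi
}

# The mangle PREROUTING chain needs "-m socket -j DIVERT" (so packets of an
# already-proxied flow are marked without a second TPROXY lookup), DIVERT
# must set mark 0x1, and every TPROXY rule must carry --tproxy-mark 0x1/0x1,
# the same mark the ip rule matches on. Prints the number of problems found.
tproxy_mangle_problems() {
    _rules=$1
    _problems=0
    printf '%s\n' "$_rules" | grep -q -- '-A PREROUTING .*-m socket -j DIVERT' \
        || _problems=$((_problems + 1))
    printf '%s\n' "$_rules" | grep -q -- '-A DIVERT -j MARK --set-xmark 0x1/' \
        || _problems=$((_problems + 1))
    _total=$(printf '%s\n' "$_rules" | grep -c -- '-j TPROXY' || true)
    _marked=$(printf '%s\n' "$_rules" | grep -c -- '-j TPROXY .*--tproxy-mark 0x1/0x1' || true)
    if [ "$_total" -eq 0 ] || [ "$_total" -ne "$_marked" ]; then
        _problems=$((_problems + 1))
    fi
    echo "$_problems"
}

# Modules behind "-j TPROXY" and "-m socket"; they auto-load when the rules
# are inserted, so if they are absent from lsmod afterwards the kernel or the
# iptables build lacks support. Prints the missing names (empty when all present).
tproxy_modules_missing() {
    _missing=""
    for _m in xt_TPROXY xt_socket; do
        printf '%s\n' "$1" | grep -q "^$_m " || _missing="$_missing $_m"
    done
    echo "${_missing# }"
}

# Constructed samples shaped like the thread's outputs (RFC 5737 addresses).
SAMPLE_IP_RULE='0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32763:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE100_OK='local default dev lo scope host'
# The main table, pasted where table 100 was asked for (as in the thread).
SAMPLE_TABLE100_WRONG='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
# Same chain with the DIVERT mark step dropped: packets of a proxied flow are
# no longer steered into table 100, so they are forwarded instead of delivered.
SAMPLE_MANGLE_BROKEN='*mangle
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j ACCEPT
COMMIT'
SAMPLE_LSMOD='Module                  Size  Used by
xt_TPROXY              16384  2
nf_tproxy_ipv4         16384  1 xt_TPROXY
xt_socket              16384  1
nf_socket_ipv4         16384  1 xt_socket'

echo "fwmark 0x1 -> table 100 rules:  $(tproxy_rule_count "$SAMPLE_IP_RULE")"
echo "table 100 delivers locally:     $(tproxy_table_ok "$SAMPLE_TABLE100_OK")"
echo "main table pasted as table 100: $(tproxy_table_ok "$SAMPLE_TABLE100_WRONG")"
echo "mangle problems (good chain):   $(tproxy_mangle_problems "$SAMPLE_MANGLE")"
echo "mangle problems (broken chain): $(tproxy_mangle_problems "$SAMPLE_MANGLE_BROKEN")"
echo "missing modules: '$(tproxy_modules_missing "$SAMPLE_LSMOD")'"
```

To use it on a real host, feed the functions the output of `ip rule`, `ip route show table 100`, `iptables-save -t mangle` and `lsmod` (for example via command substitution). The checks are deliberately textual so they can also be run on a bundle someone mailed to the list, and a failing `tproxy_table_ok` on a paste that contains "default via" is the quickest sign that the main table was sent instead of table 100.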
