[squid-users] TPROXY Error

Ben Goz ben.goz87 at gmail.com
Tue Jul 13 10:58:06 UTC 2021


By the help of God.

Sorry,
I thought I sent it in the last email.
I found out what the problem was: I built squid without libcap. :/

Anyway sorry for the time loss, and thanks for your help.

Regards,
Ben



On Tue, 13 Jul 2021 at 13:48, Eliezer Croitoru <ngtech1ltd at gmail.com> wrote:

> Hey Ben,
>
> Still waiting for the relevant output.
> Once I will have the relevant details I will probably be able to verify
> how and what is the issue.
>
> Eliezer
>
> -----Original Message-----
> From: Eliezer Croitoru <ngtech1ltd at gmail.com>
> Sent: Thursday, July 8, 2021 12:04 AM
> To: 'squid-users at lists.squid-cache.org' <squid-users at lists.squid-cache.org>
> Cc: 'Ben Goz' <ben.goz87 at gmail.com>
> Subject: RE: [squid-users] TPROXY Error
>
> Hey Ben,
>
> You are missing the critical output of the full command:
> ip route show table 100
>
> What you posted was:
> > 5.  the output of 'ip route show table 100'
> $ ip route show
> default via 8.13.140.14 dev bond0.212 proto static
> 1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
> 8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
> 8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
> 8.13.144.0/20 via 1.21.213.254 dev bond0.213
> 8.13.148.1 via 1.21.213.254 dev bond0.213
> ##
>
> It's important to see the relevant routing table.
> The Linux kernel has a couple of routing tables, each of which can contain
> a different routing/forwarding table.
> If you want to understand a bit more you might try looking up FIB.
> ( take a peek at: http://linux-ip.net/html/routing-tables.html)
>
> Eliezer
>
> -----Original Message-----
> From: Ben Goz <ben.goz87 at gmail.com>
> Sent: Wednesday, July 7, 2021 3:36 PM
> To: Eliezer Croitoru <ngtech1ltd at gmail.com>;
> squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] TPROXY Error
>
> By the help of God.
>
>
> Hi Eliezer,
>
> Thanks for your help.
>
> Please let me know if you need more information.
>
>
> Regards,
>
> Ben
>
> On 07/07/2021 14:01, Eliezer Croitoru wrote:
> > Hey Ben,
> >
> > I want to try and reset this issue because I am missing some technical
> > details.
> >
> > 1. What Linux Distro and what version are you using?
> Ubuntu 20.04
> > 2. the output of 'ip address'
> $ ip address
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 2: ens1f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
>      link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
> 3: ens1f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
>      link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
> 4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>      link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
> 5: enx00e04c3600d3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>      link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
>      inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
>         valid_lft forever preferred_lft forever
>      inet6 fe80::2e0:4cff:fe36:d3/64 scope link
>         valid_lft forever preferred_lft forever
> 6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>      link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
>      inet6 fe80::b859:58ff:fe58:232b/64 scope link
>         valid_lft forever preferred_lft forever
> 7: bond0.212@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>      link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
>      inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
>         valid_lft forever preferred_lft forever
>      inet6 fe80::b859:58ff:fe58:232b/64 scope link
>         valid_lft forever preferred_lft forever
> 8: bond0.213@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>      link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
>      inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
>         valid_lft forever preferred_lft forever
>      inet6 fe80::b859:58ff:fe58:232b/64 scope link
>         valid_lft forever preferred_lft forever
> > 3. the output of 'ip rule'
> $ ip rule
> 0:    from all lookup local
> 32762:    from all fwmark 0x1 lookup 100
> 32763:    from all fwmark 0x1 lookup 100
> 32764:    from all fwmark 0x1 lookup 100
> 32765:    from all fwmark 0x1 lookup 100
> 32766:    from all lookup main
> 32767:    from all lookup default
>
> > 4.  the output of 'ip route show'
>
> $ ip route show
> default via 8.13.140.14 dev bond0.212 proto static
> 1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
> 8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
> 8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
> 8.13.144.0/20 via 1.21.213.254 dev bond0.213
> 8.13.148.1 via 1.21.213.254 dev bond0.213
>
> > 5.  the output of 'ip route show table 100'
> $ ip route show
> default via 8.13.140.14 dev bond0.212 proto static
> 1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
> 8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
> 8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
> 8.13.144.0/20 via 1.21.213.254 dev bond0.213
> 8.13.148.1 via 1.21.213.254 dev bond0.213
> > 6. the output of 'iptables-save'
>
>
> $ sudo iptables-save
> # Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
> *mangle
> :PREROUTING ACCEPT [72898710:6084386298]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A INPUT -j ACCEPT
> -A FORWARD -j ACCEPT
> -A OUTPUT -j ACCEPT
> -A POSTROUTING -j ACCEPT
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> # Completed on Wed Jul  7 12:25:05 2021
> # Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
> *nat
> :PREROUTING ACCEPT [26338415:1392747531]
> :INPUT ACCEPT [820462:44161193]
> :OUTPUT ACCEPT [1053:92773]
> :POSTROUTING ACCEPT [25514534:1348449899]
> -A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
> COMMIT
> # Completed on Wed Jul  7 12:25:05 2021
> # Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
> *filter
> :INPUT ACCEPT [5045387:2170630036]
> :FORWARD ACCEPT [72544426:6194710400]
> :OUTPUT ACCEPT [2471930:252759773]
> COMMIT
> # Completed on Wed Jul  7 12:25:05 20
>
> > 7. the output of 'nft -nn list ruleset' (if exists on the OS)
> Doesn't exist.
> > 8. the output of your squid.conf
> $ cat squid.conf
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7           # RFC 4193 local private network range
> acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> #http_access deny all
>
> http_access allow all
>
> # Squid normally listens to port 3128
> http_port 15643
> http_port 15644 tproxy
> https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
> always_direct allow all
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx
> acl NoSSLIntercept ssl::server_name  "xxx"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 32 startup=15 idle=3
> #sslproxy_capath /etc/ssl/certs
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> range_offset_limit -1
>
> dns_v4_first on
> forwarded_for off
> cache deny all
> > 9. the output of 'squid -v'
> $ ./squid -v
> Squid Cache: Version 4.15
> Service Name: squid
>
> This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience
>
> > 10. the output of 'uname -a'
> uname -a
> Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> >
> > Once we have all the above details (reducing/modifying any private
> > details) we can maybe try to help you.
> >
> > Eliezer
> >
> > -----Original Message-----
> > From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Ben Goz
> > Sent: Wednesday, June 30, 2021 3:16 PM
> > To: squid-users at lists.squid-cache.org
> > Subject: [squid-users] TPROXY Error
> >
> >   By the help of God.
> >
> > Hi All,
> > I'm trying to configure squid as a transparent proxy using TPROXY.
> > The machine I'm using has 2 NICs, one for input and the other one for
> > output traffic.
> > The TPROXY iptables rules are configured on the input NIC.
> > It looks like iptables TPROXY redirect works but squid prints out the
> > following error:
> >
> > ERROR: NAT/TPROXY lookup failed to locate original IPs on local=xxx:443 remote=xxx:49471 FD 14 flags=17
> >
> > I think I loaded all TPROXY required kernel modules.
> >
> > The IP forwarding works fine without the iptables rules, and I don't
> > see any squid ERROR on getsockopt.
> >
> > Please let me know what I'm missing.
> >
> > Thanks,
> > Ben
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
>
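The thread above turns on three TPROXY prerequisites: a policy rule that sends packets marked 0x1 to routing table 100, a table 100 that actually contains a local route over lo (Ben pasted the main table in place of table 100, which is why Eliezer kept asking for it), and a squid binary built with libcap, which turned out to be the root cause. The script below is an added example, not squid project code or anything posted in the thread: it parses the text of `ip rule`, `ip route show table 100` and `ldd <squid>` so it can be exercised offline against the outputs pasted above, and with `--live` it runs the same checks on the current host. The squid binary path, the mark value and the table number are assumptions taken from this thread's setup; adjust them through the environment variables.

```shell
#!/bin/sh
# tproxy_precheck.sh - added example (not from the squid project): check the
# three TPROXY prerequisites discussed in this thread before suspecting squid:
#   1. 'ip rule' has "fwmark 0x1 lookup 100"
#   2. table 100 has the local catch-all route over lo
#      ("ip route add local 0.0.0.0/0 dev lo table 100")
#   3. the squid binary is linked against libcap, which squid needs to keep the
#      CAP_NET_ADMIN capability required for IP_TRANSPARENT sockets
# Binary path, mark and table are assumptions; override them via the environment.

SQUID_BIN="${SQUID_BIN:-/usr/local/squid/sbin/squid}"   # assumption
TPROXY_MARK="${TPROXY_MARK:-0x1}"
TPROXY_TABLE="${TPROXY_TABLE:-100}"

# Regex for "from all fwmark 0x1 lookup 100" (also accepts "fwmark 0x1/0x1").
fwmark_rule_pattern() {
    printf 'fwmark %s(/[0-9a-fx]+)? lookup %s([[:space:]]|$)' "$TPROXY_MARK" "$TPROXY_TABLE"
}

# $1 = text of 'ip rule'. Prints how many matching rules exist (0 if none).
# Duplicates, like the four identical entries in the thread, are harmless but
# show the setup script was run more than once.
count_fwmark_rules() {
    printf '%s\n' "$1" | grep -Ec "$(fwmark_rule_pattern)" || true
}

# Exit 0 iff at least one rule sends marked packets to the TPROXY table.
has_fwmark_rule() {
    [ "$(count_fwmark_rules "$1")" -gt 0 ]
}

# $1 = text of 'ip route show table 100'. Exit 0 iff the local route over lo is
# present (iproute2 prints it as "local default dev lo scope host").
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo([[:space:]]|$)'
}

# $1 = text of 'ldd <squid binary>'. Exit 0 iff libcap is linked in.
squid_has_libcap() {
    printf '%s\n' "$1" | grep -q 'libcap\.so'
}

# Run all three checks on text inputs; exit status is the number of failures.
check_all() {
    fails=0
    has_fwmark_rule "$1" || { echo "MISSING: ip rule 'fwmark $TPROXY_MARK lookup $TPROXY_TABLE'"; fails=$((fails + 1)); }
    has_local_route "$2" || { echo "MISSING: 'local default dev lo' in routing table $TPROXY_TABLE"; fails=$((fails + 1)); }
    squid_has_libcap "$3" || { echo "MISSING: libcap not linked into $SQUID_BIN (rebuild with libcap headers installed)"; fails=$((fails + 1)); }
    return $fails
}

# Constructed sample inputs, copied from the outputs pasted in this thread.
SAMPLE_RULES='0:    from all lookup local
32762:    from all fwmark 0x1 lookup 100
32763:    from all fwmark 0x1 lookup 100
32764:    from all fwmark 0x1 lookup 100
32765:    from all fwmark 0x1 lookup 100
32766:    from all lookup main
32767:    from all lookup default'
# What was pasted as "table 100" in the thread: it is really the main table.
SAMPLE_TABLE_POSTED='default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1'
# What a correctly populated table 100 looks like (constructed).
SAMPLE_TABLE_GOOD='local default dev lo scope host'
# Constructed ldd output for a squid built without and with libcap.
SAMPLE_LDD_NOCAP='        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3c1a200000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19e00000)'
SAMPLE_LDD_CAP='        libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f3c1a400000)
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3c1a200000)'

# Live mode: gather the real outputs on this host (needs iproute2 and the binary).
if [ "${1:-}" = "--live" ]; then
    check_all "$(ip rule)" "$(ip route show table "$TPROXY_TABLE")" "$(ldd "$SQUID_BIN" 2>/dev/null)"
    exit $?
fi
```

Run as `sh tproxy_precheck.sh --live` on the proxy host; with the thread's pasted outputs and a squid without libcap, `check_all` reports two missing items (the local route and libcap) and exits 2. Note that `squid -v` only lists `--with-libcap` when it was passed explicitly, so the `ldd` check is the more reliable way to confirm what the binary was actually linked with.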