<div dir="rtl"><div dir="ltr">By the help of God.</div><div dir="ltr"><br></div><div dir="ltr">Sorry, </div><div dir="ltr">I thought I sent it in the last email.</div><div dir="ltr">I found out what was the problem, I built squid without libcap. :/</div><div dir="ltr"><br></div><div dir="ltr">Anyway sorry for the time loss, and thanks for your help.</div><div dir="ltr"><br></div><div dir="ltr">Regards,</div><div dir="ltr">Ben</div><div dir="ltr"><br></div><div dir="ltr"><br></div></div><br><div class="gmail_quote"><div dir="rtl" class="gmail_attr">בתאריך יום ג׳, 13 ביולי 2021 ב-13:48 מאת Eliezer Croitoru <<a href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hey Ben,<br>
<br>
Still waiting for the relevant output.<br>
Once I will have the relevant details I will probably be able to verify how and what is the issue.<br>
<br>
Eliezer<br>
<br>
-----Original Message-----<br>
From: Eliezer Croitoru <<a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a>> <br>
Sent: Thursday, July 8, 2021 12:04 AM<br>
To: '<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>' <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
Cc: 'Ben Goz' <<a href="mailto:ben.goz87@gmail.com" target="_blank">ben.goz87@gmail.com</a>><br>
Subject: RE: [squid-users] TPROXY Error<br>
<br>
Hey Ben,<br>
<br>
You are missing the critical output of the full command:<br>
Ip route show table 100<br>
<br>
What you posted was:<br>
> 5. the output of 'ip route show table 100'<br>
$ ip route show<br>
default via 8.13.140.14 dev bond0.212 proto static<br>
<a href="http://1.21.213.0/24" rel="noreferrer" target="_blank">1.21.213.0/24</a> dev bond0.213 proto kernel scope link src 1.21.213.1<br>
<a href="http://8.11.39.248/30" rel="noreferrer" target="_blank">8.11.39.248/30</a> dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250<br>
<a href="http://8.13.140.0/28" rel="noreferrer" target="_blank">8.13.140.0/28</a> dev bond0.212 proto kernel scope link src 8.13.140.1<br>
<a href="http://8.13.144.0/20" rel="noreferrer" target="_blank">8.13.144.0/20</a> via 1.21.213.254 dev bond0.213<br>
8.13.148.1 via 1.21.213.254 dev bond0.213<br>
##<br>
<br>
It's important to see the relevant routing table.<br>
The linux Kernel have couple routing tables which each can contain different routing/forwarding table.<br>
If you want to understand a bit more you might be able to try and lookup for FIB.<br>
( take a peek at: <a href="http://linux-ip.net/html/routing-tables.html" rel="noreferrer" target="_blank">http://linux-ip.net/html/routing-tables.html</a>)<br>
<br>
Eliezer<br>
<br>
-----Original Message-----<br>
From: Ben Goz <<a href="mailto:ben.goz87@gmail.com" target="_blank">ben.goz87@gmail.com</a>> <br>
Sent: Wednesday, July 7, 2021 3:36 PM<br>
To: Eliezer Croitoru <<a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a>>; <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
Subject: Re: [squid-users] TPROXY Error<br>
<br>
By the help of God.<br>
<br>
<br>
Hi Eliezer,<br>
<br>
Thanks for your help.<br>
<br>
Please let me know if you need more information.<br>
<br>
<br>
Regards,<br>
<br>
Ben<br>
<br>
On 07/07/2021 14:01, Eliezer Croitoru wrote:<br>
> Hey Ben,<br>
><br>
> I want to try and reset this issue because I am missing some technical<br>
> details.<br>
><br>
> 1. What Linux Distro and what version are you using?'<br>
Ubuntu 20.04<br>
> 2. the output of 'ip address'<br>
$ ip address<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN <br>
group default qlen 1000<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet <a href="http://127.0.0.1/8" rel="noreferrer" target="_blank">127.0.0.1/8</a> scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host<br>
valid_lft forever preferred_lft forever<br>
2: ens1f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq <br>
master bond0 state UP group default qlen 1000<br>
link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff<br>
3: ens1f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq <br>
master bond0 state UP group default qlen 1000<br>
link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff<br>
4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group <br>
default qlen 1000<br>
link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff<br>
5: enx00e04c3600d3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc <br>
fq_codel state UP group default qlen 1000<br>
link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff<br>
inet <a href="http://8.11.39.250/30" rel="noreferrer" target="_blank">8.11.39.250/30</a> brd 8.11.39.251 scope global enx00e04c3600d3<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::2e0:4cff:fe36:d3/64 scope link<br>
valid_lft forever preferred_lft forever<br>
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc <br>
noqueue state UP group default qlen 1000<br>
link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff<br>
inet6 fe80::b859:58ff:fe58:232b/64 scope link<br>
valid_lft forever preferred_lft forever<br>
7: bond0.212@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc <br>
noqueue state UP group default qlen 1000<br>
link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff<br>
inet <a href="http://8.13.140.1/28" rel="noreferrer" target="_blank">8.13.140.1/28</a> brd 8.13.140.15 scope global bond0.212<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::b859:58ff:fe58:232b/64 scope link<br>
valid_lft forever preferred_lft forever<br>
8: bond0.213@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc <br>
noqueue state UP group default qlen 1000<br>
link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff<br>
inet <a href="http://1.21.213.1/24" rel="noreferrer" target="_blank">1.21.213.1/24</a> brd 1.21.213.255 scope global bond0.213<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::b859:58ff:fe58:232b/64 scope link<br>
valid_lft forever preferred_lft forever<br>
> 3. the output of 'ip rule'<br>
$ ip rule<br>
0: from all lookup local<br>
32762: from all fwmark 0x1 lookup 100<br>
32763: from all fwmark 0x1 lookup 100<br>
32764: from all fwmark 0x1 lookup 100<br>
32765: from all fwmark 0x1 lookup 100<br>
32766: from all lookup main<br>
32767: from all lookup default<br>
<br>
> 4. the output of 'ip route show'<br>
<br>
$ ip route show<br>
default via 8.13.140.14 dev bond0.212 proto static<br>
<a href="http://1.21.213.0/24" rel="noreferrer" target="_blank">1.21.213.0/24</a> dev bond0.213 proto kernel scope link src 1.21.213.1<br>
<a href="http://8.11.39.248/30" rel="noreferrer" target="_blank">8.11.39.248/30</a> dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250<br>
<a href="http://8.13.140.0/28" rel="noreferrer" target="_blank">8.13.140.0/28</a> dev bond0.212 proto kernel scope link src 8.13.140.1<br>
<a href="http://8.13.144.0/20" rel="noreferrer" target="_blank">8.13.144.0/20</a> via 1.21.213.254 dev bond0.213<br>
8.13.148.1 via 1.21.213.254 dev bond0.213<br>
<br>
> 5. the output of 'ip route show table 100'<br>
$ ip route show<br>
default via 8.13.140.14 dev bond0.212 proto static<br>
<a href="http://1.21.213.0/24" rel="noreferrer" target="_blank">1.21.213.0/24</a> dev bond0.213 proto kernel scope link src 1.21.213.1<br>
<a href="http://8.11.39.248/30" rel="noreferrer" target="_blank">8.11.39.248/30</a> dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250<br>
<a href="http://8.13.140.0/28" rel="noreferrer" target="_blank">8.13.140.0/28</a> dev bond0.212 proto kernel scope link src 8.13.140.1<br>
<a href="http://8.13.144.0/20" rel="noreferrer" target="_blank">8.13.144.0/20</a> via 1.21.213.254 dev bond0.213<br>
8.13.148.1 via 1.21.213.254 dev bond0.213<br>
> 6. the output of 'iptables-save'<br>
<br>
<br>
$ sudo iptables-save<br>
# Generated by iptables-save v1.8.4 on Wed Jul 7 12:25:05 2021<br>
*mangle<br>
:PREROUTING ACCEPT [72898710:6084386298]<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [0:0]<br>
:POSTROUTING ACCEPT [0:0]<br>
:DIVERT - [0:0]<br>
-A PREROUTING -p tcp -m socket -j DIVERT<br>
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port <br>
15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1<br>
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port <br>
15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1<br>
-A INPUT -j ACCEPT<br>
-A FORWARD -j ACCEPT<br>
-A OUTPUT -j ACCEPT<br>
-A POSTROUTING -j ACCEPT<br>
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff<br>
-A DIVERT -j ACCEPT<br>
COMMIT<br>
# Completed on Wed Jul 7 12:25:05 2021<br>
# Generated by iptables-save v1.8.4 on Wed Jul 7 12:25:05 2021<br>
*nat<br>
:PREROUTING ACCEPT [26338415:1392747531]<br>
:INPUT ACCEPT [820462:44161193]<br>
:OUTPUT ACCEPT [1053:92773]<br>
:POSTROUTING ACCEPT [25514534:1348449899]<br>
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53<br>
-A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53<br>
COMMIT<br>
# Completed on Wed Jul 7 12:25:05 2021<br>
# Generated by iptables-save v1.8.4 on Wed Jul 7 12:25:05 2021<br>
*filter<br>
:INPUT ACCEPT [5045387:2170630036]<br>
:FORWARD ACCEPT [72544426:6194710400]<br>
:OUTPUT ACCEPT [2471930:252759773]<br>
COMMIT<br>
# Completed on Wed Jul 7 12:25:05 20<br>
<br>
> 7. the output of 'nft -nn list ruleset' (if exists on the OS)<br>
Doesn't exists.<br>
> 8. the output of your squid.conf<br>
$ cat squid.conf<br>
#<br>
# Recommended minimum configuration:<br>
#<br>
<br>
# Example rule allowing access from your local networks.<br>
# Adapt to list your (internal) IP networks from where browsing<br>
# should be allowed<br>
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)<br>
acl localnet src <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> # RFC 1918 local private network (LAN)<br>
acl localnet src <a href="http://100.64.0.0/10" rel="noreferrer" target="_blank">100.64.0.0/10</a> # RFC 6598 shared address space (CGN)<br>
acl localnet src <a href="http://169.254.0.0/16" rel="noreferrer" target="_blank">169.254.0.0/16</a> # RFC 3927 link-local (directly <br>
plugged) machines<br>
acl localnet src <a href="http://172.16.0.0/12" rel="noreferrer" target="_blank">172.16.0.0/12</a> # RFC 1918 local private network (LAN)<br>
acl localnet src <a href="http://192.168.0.0/16" rel="noreferrer" target="_blank">192.168.0.0/16</a> # RFC 1918 local private network <br>
(LAN)<br>
acl localnet src fc00::/7 # RFC 4193 local private network range<br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly <br>
plugged) machines<br>
<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
<br>
#<br>
# Recommended minimum Access Permission configuration:<br>
#<br>
# Deny requests to certain unsafe ports<br>
http_access deny !Safe_ports<br>
<br>
# Deny CONNECT to other than secure SSL ports<br>
http_access deny CONNECT !SSL_ports<br>
<br>
# Only allow cachemgr access from localhost<br>
http_access allow localhost manager<br>
http_access deny manager<br>
<br>
# We strongly recommend the following be uncommented to protect innocent<br>
# web applications running on the proxy server who think the only<br>
# one who can access services on "localhost" is a local user<br>
#http_access deny to_localhost<br>
<br>
#<br>
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>
#<br>
<br>
# Example rule allowing access from your local networks.<br>
# Adapt localnet in the ACL section to list your (internal) IP networks<br>
# from where browsing should be allowed<br>
http_access allow localnet<br>
http_access allow localhost<br>
<br>
# And finally deny all other access to this proxy<br>
#http_access deny all<br>
<br>
http_access allow all<br>
<br>
# Squid normally listens to port 3128<br>
http_port 15643<br>
http_port 15644 tproxy<br>
https_port 15645 ssl-bump tproxy generate-host-certificates=on <br>
options=ALL dynamic_cert_mem_cache_size=4MB <br>
cert=/usr/local/squid/etc/ssl_cert/myCA.pem <br>
dhparams=/usr/local/squid/etc/dhparam.pem<br>
always_direct allow all<br>
acl DiscoverSNIHost at_step SslBump1<br>
acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx<br>
acl NoSSLIntercept ssl::server_name "xxx"<br>
acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"<br>
ssl_bump splice NoSSLInterceptRegexp_always<br>
ssl_bump splice NoSSLIntercept<br>
ssl_bump splice NoSSLInterceptRegexp<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump bump all<br>
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s <br>
/var/lib/ssl_db -M 4MB<br>
sslcrtd_children 32 startup=15 idle=3<br>
#sslproxy_capath /etc/ssl/certs<br>
<br>
# Uncomment and adjust the following to add a disk cache directory.<br>
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256<br>
<br>
# Leave coredumps in the first cache dir<br>
coredump_dir /usr/local/squid/var/cache/squid<br>
<br>
#<br>
# Add any of your own refresh_pattern entries above these.<br>
#<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
<br>
range_offset_limit -1<br>
<br>
dns_v4_first on<br>
forwarded_for off<br>
cache deny all<br>
> 9. the output of 'squid -v'<br>
$ ./squid -v<br>
Squid Cache: Version 4.15<br>
Service Name: squid<br>
<br>
This binary uses OpenSSL 1.1.1f 31 Mar 2020. For legal restrictions on <br>
distribution see <a href="https://www.openssl.org/source/license.html" rel="noreferrer" target="_blank">https://www.openssl.org/source/license.html</a><br>
<br>
configure options: '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' <br>
'--enable-linux-netfilter' --enable-ltdl-convenience<br>
<br>
> 10. the output of 'uname -a'<br>
uname -a<br>
Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 <br>
x86_64 x86_64 x86_64 GNU/Linux<br>
><br>
> Once we will have all the above details (reducing/modifying any private<br>
> details) we can try to maybe help you.<br>
><br>
> Eliezer<br>
><br>
> -----Original Message-----<br>
> From: squid-users <<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@lists.squid-cache.org</a>> On Behalf Of<br>
> Ben Goz<br>
> Sent: Wednesday, June 30, 2021 3:16 PM<br>
> To: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> Subject: [squid-users] TPROXY Error<br>
><br>
> By the help of God.<br>
><br>
> Hi All,<br>
> I'm trying to configure squid as a transparent proxy using TPROXY.<br>
> The machine I'm using has 2 NICs, one for input and the other one for<br>
> output traffic.<br>
> The TPROXY iptables rules are configured on the input NIC.<br>
> It looks like iptables TPROXY redirect works but squid prints out the<br>
> following error:<br>
><br>
> ERROR: NAT/TPROXY lookup failed to locate original IPs on<br>
> local=xxx:443 remote=xxx:49471 FD 14 flags=17<br>
><br>
> I think I loaded all TPROXY required kernel modules.<br>
><br>
> The ip forwarding works fine without the iptables rules. and I don't<br>
> see any squid ERROR on getsockopt<br>
><br>
> Please let me know what I'm missing?<br>
><br>
> Thanks,<br>
> Ben<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
<br>
</blockquote></div>