[squid-users] IPv6 and TPROXY

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 10 11:33:16 UTC 2017


On 10/08/17 15:48, Walter H. wrote:
> Hello Eliezer
> 
> ip -6 rule is this
> 
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
> 
> the two commands were
> 
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev br0 table 100
> 
> ip6tables-save is this
> <BEGIN>
> 
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
> -A INPUT -m rt --rt-type 0 -j DROP
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -s fe80::/10 -j ACCEPT
> -A INPUT -d ff00::/8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT

I don't see anywhere in that INPUT list where the TPROXY'd traffic is 
permitted to reach Squid.

Note that with TPROXY the packets are *not* labeled as going to port 
3129 like NAT does. The exact same dst-IP:port details used by the 
client are seen at this layer of iptables. It is just that they are seen 
on the INPUT rather than FORWARD tables.

I would add a LOG line at the end of the rules to check whether the 
above is the problem, then adjust your INPUT restrictions appropriately 
to what the log line implies.


Amos
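As an added illustration (not part of the thread or of Squid's own material), a small Python audit of an ip6tables-save dump: it parses the INPUT chain, checks whether any rule can admit TPROXY-diverted packets (keyed on the fwmark 0x1 that the quoted `ip -6 rule` routes to table 100, or on the `-m socket` match, since a `--dport 3129` rule never matches them), and whether a LOG rule closes the chain as the reply suggests. The sample dump is constructed from the quoted rules, and the mark-ACCEPT and LOG rules appended in `FIXED` are an assumed fix, not something the thread confirms.

```python
import shlex

# Constructed sample: the quoted INPUT chain with wrapped rules rejoined and
# reduced to the rules relevant to the question (not a live dump).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
COMMIT
"""
# Assumed fix: admit packets carrying the TPROXY fwmark (0x1, per the ip -6 rule)
# and log whatever still falls through to the DROP policy.
FIXED = SAMPLE.replace("COMMIT", '-A INPUT -i br0 -m mark --mark 0x1 -j ACCEPT\n'
                       '-A INPUT -j LOG --log-prefix "IN6-DROP: "\nCOMMIT')

def parse_chain(dump, table="filter", chain="INPUT"):
    """Return (policy, list of tokenised rules) for one chain of an ip6tables-save dump."""
    policy, rules, in_table = None, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_table = line[1:] == table
        elif in_table and line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif in_table and line.startswith(f"-A {chain} "):
            rules.append(shlex.split(line)[2:])   # drop "-A INPUT"
    return policy, rules

def target(rule):
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def accepts_tproxy(rule, fwmark=1):
    """True if an INPUT rule can admit TPROXY-diverted packets. They still carry
    the client's original dst-IP:port (not 3129), so only a rule keyed on the
    TPROXY fwmark or on the transparent socket match can accept them."""
    if target(rule) != "ACCEPT":
        return False
    if "socket" in rule:                       # -m socket [--transparent]
        return True
    if "--mark" in rule:                       # -m mark --mark 0x1[/mask]
        return int(rule[rule.index("--mark") + 1].split("/")[0], 0) == fwmark
    return False

def audit_input(dump, fwmark=1):
    policy, rules = parse_chain(dump)
    return {"policy": policy,
            "tproxy_accept": any(accepts_tproxy(r, fwmark) for r in rules),
            "trailing_log": bool(rules) and target(rules[-1]) == "LOG"}

if __name__ == "__main__":
    for name, dump in (("as posted", SAMPLE), ("with mark ACCEPT + LOG", FIXED)):
        print(name, audit_input(dump))
```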

