[squid-users] IPv6 and TPROXY

Walter H. Walter.H at mathemainzel.info
Sun Aug 13 18:30:39 UTC 2017


Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 
-j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 
-j REJECT

any windows host inside this ipv6prefix has configured a proxy, but for 
some reason e.g. there is HTTP traffic of CRLs or OCSP
that doesn't go through to the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfekt)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:
> Hey,
>
> Is there a specific reason for the usage of CentOS 6?
> Also, do you need full tproxy featres or just to intercept the traffic?
>
> And Amos:
> Let say I want to intercept using tproxy but not use trpoxy for outgoing connections, would it be possible?
> Would the usage of:
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
>
> override the tproxy function?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H at mathemainzel.info]
> Sent: Saturday, August 12, 2017 22:03
> To: Eliezer Croitoru<eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer,
>
> not really,
> as I don't understand, which IP squid needs to listen to
>
> in my squid.conf I have this:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port [::1]:3128
> http_port 192.168.1.1:3128
> http_port [ipv6prefix::1]:3128
> # Transparent Squid listens to port 3129 (IPv4 only)
> http_port 192.168.1.1:3129 transparent
> http_port [ipv6prefix::1]:3129 tproxy<-- does it need this?
> http_port [::1]:3129 tproxy<-- or this?
>
> the transparent proxy with ipv4 works ...
>
> just had to add the following
>
> e.g.
> iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80
> -j DNAT --to-destination 192.168.1.1:3129
>
> with IPv6 it is more complicated ...
>
> especially which IP6TABLES rule is meant by Amos question?
>
> "I don't see anywhere in that INPUT list where the TPROXY'd traffic is
> permitted to reach Squid. "
>
> does this mean:
>
> e.g.  when I want to use TPROXY to  IPv6 2a02:1788:2fd::b2ff:5302, I
> need to add
>
> ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j ACCEPT
> ?
>
> does this really need this two
> ip -6 ...
> commands, as I don't know what to add in a file in
> /etc/sysconfig/network-scripts ...
>
> Thanks,
> Walter
>
> On 12.08.2017 20:23, Eliezer Croitoru wrote:
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170813/fbe87872/attachment.bin>


More information about the squid-users mailing list