[squid-users] IPv6 and TPROXY
Eliezer Croitoru
eliezer at ngtech.co.il
Mon Aug 14 19:41:55 UTC 2017
Hey Walter,
From what I understood, the only reason to use tproxy on CentOS 6 is that below kernel 3.18 and a specific version of iptables there is no NAT table for IPv6.
Therefore you cannot use REDIRECT for IPv6 on these machines.
But in your case you don't need a full tproxy but something like NAT REDIRECT.
If you can manage to test a newer kernel with newer iptables it would be pretty simple to "resolve" the issue avoiding tproxy usage.
But if you cannot use another kernel and iptables, what you would need is a partial tproxy setup.
I.e.: tproxy on the incoming port only, without using transparent on the outgoing traffic.
This is where Amos's and Alex's experience and knowledge should come in handy and can help you to set up your system the right way.
Other than the above (since tproxy works on both CentOS 6 and 7, but differently), you will need your system to be set up correctly.
If you want me to test, I have no issue doing so, but it will take time.
I recommend you first start with an ACCEPT for all traffic on the machine and test.
Also make sure to use "netstat -ntlp" or "ss -ntlp" to see on what IP+port squid is listening (make sure it's really listening on an IPv6 address).
The squid.conf line
http_port 13129 tproxy
should result in an IPv6 listening port (::), and if not then it's probably due to something at the kernel level and you will need to define a specific IPv6 address with the port.
Since you have full control over the environment and the Windows clients, please try the following software:
http://moodle.ngtech.co.il/software/2017/03/05/switch-ie-proxy/
to set the proxy for the machine.
It's one of the MS recommended ones and I use it on all my Windows machines without any need for interception in any of the systems (Win XP till 10).
I have tested it with CentOS 7 and in the past with CentOS 6, but it's like there are missing pieces in the whole setup.
When you set the system iptables to only contain the very basics, which are ACCEPT all traffic (INPUT/OUTPUT/FORWARD), you will be able to move forward in the stack into squid.
If all the above just doesn't work, let me know and I will try to test it with a new CentOS 6 to make sure it works as expected.
All The Bests,
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info]
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY
Hello Eliezer
yes, because all my Linux systems are CentOS 6 ...
the router/firewall has a rule
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT
any Windows host inside this ipv6prefix has a proxy configured, but for
some reason there is e.g. HTTP traffic of CRLs or OCSP
that doesn't go through to the configured proxy and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)
Thanks,
Walter
On 13.08.2017 15:48, Eliezer Croitoru wrote:
> Hey,
>
> Is there a specific reason for the usage of CentOS 6?
> Also, do you need full tproxy features or just to intercept the traffic?
>
> And Amos:
> Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
> Would the usage of:
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
>
> override the tproxy function?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H at mathemainzel.info]
> Sent: Saturday, August 12, 2017 22:03
> To: Eliezer Croitoru<eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer,
>
> not really,
> as I don't understand, which IP squid needs to listen to
>
> in my squid.conf I have this:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port [::1]:3128
> http_port 192.168.1.1:3128
> http_port [ipv6prefix::1]:3128
> # Transparent Squid listens to port 3129 (IPv4 only)
> http_port 192.168.1.1:3129 transparent
> http_port [ipv6prefix::1]:3129 tproxy   <-- does it need this?
> http_port [::1]:3129 tproxy             <-- or this?
>
> the transparent proxy with ipv4 works ...
>
> just had to add the following
>
> e.g.
> iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 -j DNAT --to-destination 192.168.1.1:3129
>
> with IPv6 it is more complicated ...
>
> especially which IP6TABLES rule is meant by Amos question?
>
> "I don't see anywhere in that INPUT list where the TPROXY'd traffic is
> permitted to reach Squid. "
>
> does this mean:
>
> e.g. when I want to use TPROXY to IPv6 2a02:1788:2fd::b2ff:5302, I
> need to add
>
> ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j ACCEPT
> ?
>
> does this really need these two
> ip -6 ...
> commands, as I don't know what to add in a file in
> /etc/sysconfig/network-scripts ...
>
> Thanks,
> Walter
>
> On 12.08.2017 20:23, Eliezer Croitoru wrote:
>
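Added example, not code from the thread or from the Squid project: the ip6tables and policy-routing plumbing that an IPv6 "http_port 13129 tproxy" listener relies on (the DIVERT/TPROXY rules and the "ip -6 rule"/"ip -6 route" commands Walter asked about), plus an offline check of "ss -ntlp" / "netstat -ntlp" output for the IPv6 wildcard listener Eliezer tells him to look for. Interface br0, port 13129, fwmark 1, routing table 100 and the client prefix 2001:db8:0:0::/80 (a documentation prefix standing in for ipv6prefix:0::/80) are assumptions; the sample ss output is constructed, not captured from a host. Two points the rule set encodes: the "-m socket" rule has no "-i" restriction because, with full TPROXY, the origin server's replies arrive on the WAN side addressed to the client and must be diverted to Squid's transparent socket as well; and packets steered to lo by the fwmark route are delivered through INPUT, never FORWARD, so Walter's FORWARD REJECT does not see them but INPUT must accept them (Amos's remark).

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# IPv6 TPROXY plumbing for Squid on a Linux router and an offline check
# for an IPv6 wildcard listener. All values below are assumptions.

IFACE="${IFACE:-br0}"                          # LAN-side interface
TPROXY_PORT="${TPROXY_PORT:-13129}"            # matches "http_port 13129 tproxy"
CLIENT_NET="${CLIENT_NET:-2001:db8:0:0::/80}"  # stands in for ipv6prefix:0::/80
MARK=1                                         # fwmark that steers packets to lo
TABLE=100                                      # policy-routing table for that mark

# Emit (not run) the rule set. Order matters: the "-m socket" rule comes
# first so packets of an already-established transparent connection are
# diverted; it carries no interface restriction because replies from the
# origin server arrive on the WAN side with the client's address as
# destination (Squid spoofs the client on the outgoing side) and must be
# diverted too. Locally delivered packets traverse INPUT, hence the
# mark-keyed INPUT accept.
tproxy_ip6_rules() {
    iface=$1; port=$2; net=$3
    cat <<EOF
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark $MARK
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -i $iface -s $net -p tcp --dport 80 -j TPROXY --tproxy-mark 0x$MARK/0x$MARK --on-port $port
ip6tables -t filter -I INPUT -p tcp -m mark --mark $MARK -j ACCEPT
ip -6 rule add fwmark $MARK lookup $TABLE
ip -6 route add local ::/0 dev lo table $TABLE
EOF
}

# Read "ss -ntlp" or "netstat -ntlp" output on stdin; succeed only if a
# TCP listener for PORT sits on the IPv6 wildcard: "[::]:PORT" or "*:PORT"
# (ss) or ":::PORT" (netstat). A listener bound to 192.168.1.1 or to one
# specific IPv6 address does not count.
listener_is_v6_any() {
    grep -E "(\[::\]|\*|::):$1[[:space:]]" | grep -q 'LISTEN'
}

# Constructed sample of "ss -ntlp" output (not captured from a real host):
# IPv4 intercept port, an address-specific IPv6 forward-proxy port, and the
# IPv6 wildcard tproxy port.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    192.168.1.1:3129     0.0.0.0:*         users:(("squid",pid=1234,fd=12))
LISTEN 0      128    [2001:db8::1]:3128   [::]:*            users:(("squid",pid=1234,fd=13))
LISTEN 0      128    [::]:13129           [::]:*            users:(("squid",pid=1234,fd=14))'

# Usage: ./tproxy6.sh show | apply | check
case "${1:-}" in
    show)  tproxy_ip6_rules "$IFACE" "$TPROXY_PORT" "$CLIENT_NET" ;;
    apply) tproxy_ip6_rules "$IFACE" "$TPROXY_PORT" "$CLIENT_NET" | sh -e ;;  # needs root
    check) if ss -ntlp | listener_is_v6_any "$TPROXY_PORT"; then
               echo "squid listens on the IPv6 wildcard, port $TPROXY_PORT"
           else
               echo "no IPv6 wildcard listener on port $TPROXY_PORT" >&2; exit 1
           fi ;;
esac
```

Run "show" first and read the rules, then "apply" as root once the kernel offers xt_TPROXY and xt_socket for IPv6 ("modinfo xt_TPROXY"), and "check" after Squid starts. Walter's INPUT rule guess keyed on the origin address and port 80 would admit only the client-to-Squid direction; keying on the fwmark admits both directions with one rule. If Eliezer's "partial tproxy" variant (no spoofing on the outgoing side) is what ends up working, the replies come back to Squid's own address and the socket rule is simply never hit.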