[squid-users] TPROXY Error
Eliezer Croitoru
ngtech1ltd at gmail.com
Tue Jul 13 10:48:21 UTC 2021
Hey Ben,
Still waiting for the relevant output.
Once I have the relevant details I will probably be able to verify how and what the issue is.
Eliezer
-----Original Message-----
From: Eliezer Croitoru <ngtech1ltd at gmail.com>
Sent: Thursday, July 8, 2021 12:04 AM
To: 'squid-users at lists.squid-cache.org' <squid-users at lists.squid-cache.org>
Cc: 'Ben Goz' <ben.goz87 at gmail.com>
Subject: RE: [squid-users] TPROXY Error
Hey Ben,
You are missing the critical output of the full command:
ip route show table 100
What you posted was:
> 5. the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##
It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a different routing/forwarding table.
If you want to understand a bit more, you might try looking up FIB.
(take a peek at: http://linux-ip.net/html/routing-tables.html)
Eliezer
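An added example, not from the thread or the Squid project: a POSIX sh checker for the three outputs Eliezer asks for (the policy rule, the contents of table 100, and the mangle rules). It runs offline against constructed samples built from what was pasted in the thread; the sample named MAIN_TABLE is the main-table paste that appeared in place of table 100, and GOOD_TABLE is the `local default dev lo` route that TPROXY setups put there.

```shell
# Added example, not from the thread: offline checks for the TPROXY plumbing
# discussed above. Each function takes command output as text; on a live box
# pass "$(ip rule)", "$(ip route show table 100)", "$(iptables-save -t mangle)".

# 1. A policy rule must send packets carrying fwmark 0x1 to table 100.
check_ip_rule() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+:[[:space:]]+from all fwmark 0x1(/0x[0-9a-f]+)? lookup 100$'
}

# 2. Table 100 must deliver everything locally ("local default dev lo"), or the
#    marked packets are routed like any other traffic and never reach Squid.
check_table_100() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'
}

# 3. The mangle table needs the socket-match DIVERT chain that marks packets
#    belonging to established sockets, and a TPROXY rule whose --tproxy-mark
#    uses the same fwmark the policy rule looks at.
check_mangle() {
    printf '%s\n' "$1" | grep -q -- '-m socket -j DIVERT' &&
    printf '%s\n' "$1" | grep -q -- '-j MARK --set-xmark 0x1/' &&
    printf '%s\n' "$1" | grep -Eq -- '-j TPROXY .*--tproxy-mark 0x1/0x1'
}

# Prints one line per check; returns non-zero if any check fails.
tproxy_status() {
    rc=0
    check_ip_rule   "$1" && echo "ip rule:   OK" || { echo "ip rule:   FAIL"; rc=1; }
    check_table_100 "$2" && echo "table 100: OK" || { echo "table 100: FAIL"; rc=1; }
    check_mangle    "$3" && echo "mangle:    OK" || { echo "mangle:    FAIL"; rc=1; }
    return $rc
}

# Constructed samples. MAIN_TABLE reproduces what the thread pasted in place
# of table 100 (two lines of the main table); GOOD_TABLE is what
# "ip route add local 0.0.0.0/0 dev lo table 100" shows afterwards.
RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
MAIN_TABLE='default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1'
GOOD_TABLE='local default dev lo scope host'
MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
```

Running `tproxy_status "$RULES" "$MAIN_TABLE" "$MANGLE"` reports the table 100 check as FAIL, which is exactly the gap the reply above is asking Ben to fill in.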
-----Original Message-----
From: Ben Goz <ben.goz87 at gmail.com>
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error
By the help of God.
Hi Eliezer,
Thanks for your help.
Please let me know if you need more information.
Regards,
Ben
On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?
Ubuntu 20.04
> 2. the output of 'ip address'
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens1f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
    inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe36:d3/64 scope link
       valid_lft forever preferred_lft forever
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
       valid_lft forever preferred_lft forever
7: bond0.212@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
       valid_lft forever preferred_lft forever
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
       valid_lft forever preferred_lft forever
8: bond0.213@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
       valid_lft forever preferred_lft forever
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
       valid_lft forever preferred_lft forever
> 3. the output of 'ip rule'
$ ip rule
0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32763: from all fwmark 0x1 lookup 100
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
> 4. the output of 'ip route show'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 5. the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 6. the output of 'iptables-save'
$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul 7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Wed Jul 7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul 7 12:25:05 2021
*nat
:PREROUTING ACCEPT [26338415:1392747531]
:INPUT ACCEPT [820462:44161193]
:OUTPUT ACCEPT [1053:92773]
:POSTROUTING ACCEPT [25514534:1348449899]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Wed Jul 7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul 7 12:25:05 2021
*filter
:INPUT ACCEPT [5045387:2170630036]
:FORWARD ACCEPT [72544426:6194710400]
:OUTPUT ACCEPT [2471930:252759773]
COMMIT
# Completed on Wed Jul 7 12:25:05 20
> 7. the output of 'nft -nn list ruleset' (if exists on the OS)
Doesn't exist.
> 8. the output of your squid.conf
$ cat squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
#http_access deny all
http_access allow all
# Squid normally listens to port 3128
http_port 15643
http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx
acl NoSSLIntercept ssl::server_name "xxx"
acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=15 idle=3
#sslproxy_capath /etc/ssl/certs
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
range_offset_limit -1
dns_v4_first on
forwarded_for off
cache deny all
> 9. the output of 'squid -v'
$ ./squid -v
Squid Cache: Version 4.15
Service Name: squid
This binary uses OpenSSL 1.1.1f 31 Mar 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience
> 10. the output of 'uname -a'
uname -a
Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>
> Once we have all the above details (reducing/modifying any private
> details), we can try to maybe help you.
>
> Eliezer
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
> Ben Goz
> Sent: Wednesday, June 30, 2021 3:16 PM
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] TPROXY Error
>
> By the help of God.
>
> Hi All,
> I'm trying to configure squid as a transparent proxy using TPROXY.
> The machine I'm using has 2 NICs, one for input and the other one for
> output traffic.
> The TPROXY iptables rules are configured on the input NIC.
> It looks like iptables TPROXY redirect works but squid prints out the
> following error:
>
> ERROR: NAT/TPROXY lookup failed to locate original IPs on
> local=xxx:443 remote=xxx:49471 FD 14 flags=17
>
> I think I loaded all TPROXY required kernel modules.
>
> The IP forwarding works fine without the iptables rules, and I don't
> see any squid ERROR on getsockopt.
>
> Please let me know what I'm missing.
>
> Thanks,
> Ben
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>