Re: [squid-users] TPROXY Error

2021-07-13 Thread Eliezer Croitoru
Hey Ben,

Still waiting for the relevant output.
Once I have the relevant details, I will probably be able to verify what the 
issue is and how it happens.

Eliezer

-Original Message-
From: Eliezer Croitoru  
Sent: Thursday, July 8, 2021 12:04 AM
To: 'squid-users@lists.squid-cache.org' 
Cc: 'Ben Goz' 
Subject: RE: [squid-users] TPROXY Error

Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:
> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a 
different routing/forwarding table.
If you want to understand a bit more, you might try looking up 
FIB.
( take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-Original Message-
From: Ben Goz  
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?
Ubuntu 20.04
> 2. the output of 'ip address'
$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group 
default qlen 1000
 link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc 
fq_codel state UP group default qlen 1000
 link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
 inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
valid_lft forever preferred_lft forever
 inet6 fe80::2e0:4cff:fe36:d3/64 scope link
valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
> 3. the output of 'ip rule'
$ ip rule
0:from all lookup local
32762:from all fwmark 0x1 lookup 100
32763:from all fwmark 0x1 lookup 100
32764:from all fwmark 0x1 lookup 100
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default

> 4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptable

Re: [squid-users] TPROXY Error

2021-07-08 Thread Ben Goz

By the help of God.

It looks like the point of failure (?)

BTW, my kernel already contains the required tproxy drivers by default, 
correct?



Regards,

Ben

On 08/07/2021 0:03, Eliezer Croitoru wrote:

Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:

5.  the output of 'ip route show table 100'

$ ip route show table 100
local default dev lo scope host

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a 
different routing/forwarding table.
If you want to understand a bit more, you might try looking up 
FIB.
( take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-Original Message-
From: Ben Goz 
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:

Hey Ben,

I want to try and reset this issue because I am missing some technical
details.

1. What Linux Distro and what version are you using?

Ubuntu 20.04

2. the output of 'ip address'

$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
  inet6 ::1/128 scope host
 valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq
master bond0 state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq
master bond0 state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group
default qlen 1000
  link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc
fq_codel state UP group default qlen 1000
  link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
  inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
 valid_lft forever preferred_lft forever
  inet6 fe80::2e0:4cff:fe36:d3/64 scope link
 valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
  inet6 fe80::b859:58ff:fe58:232b/64 scope link
 valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
  inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
 valid_lft forever preferred_lft forever
  inet6 fe80::b859:58ff:fe58:232b/64 scope link
 valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
  inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
 valid_lft forever preferred_lft forever
  inet6 fe80::b859:58ff:fe58:232b/64 scope link
 valid_lft forever preferred_lft forever

3. the output of 'ip rule'

$ ip rule
0:from all lookup local
32762:from all fwmark 0x1 lookup 100
32763:from all fwmark 0x1 lookup 100
32764:from all fwmark 0x1 lookup 100
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default


4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213


5.  the output of 'ip route show table 100'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [

Re: [squid-users] TPROXY Error

2021-07-07 Thread Eliezer Croitoru
Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:
> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a 
different routing/forwarding table.
If you want to understand a bit more, you might try looking up 
FIB.
( take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-Original Message-
From: Ben Goz  
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?
Ubuntu 20.04
> 2. the output of 'ip address'
$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group 
default qlen 1000
 link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc 
fq_codel state UP group default qlen 1000
 link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
 inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
valid_lft forever preferred_lft forever
 inet6 fe80::2e0:4cff:fe36:d3/64 scope link
valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
> 3. the output of 'ip rule'
$ ip rule
0:from all lookup local
32762:from all fwmark 0x1 lookup 100
32763:from all fwmark 0x1 lookup 100
32764:from all fwmark 0x1 lookup 100
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default

> 4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 
15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTI

Re: [squid-users] TPROXY Error

2021-07-07 Thread Ben Goz

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:

Hey Ben,

I want to try and reset this issue because I am missing some technical
details.

1. What Linux Distro and what version are you using?

Ubuntu 20.04

2. the output of 'ip address'

$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000

    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000

    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group 
default qlen 1000

    link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc 
fq_codel state UP group default qlen 1000

    link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
    inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
   valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe36:d3/64 scope link
   valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000

    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
   valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000

    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
   valid_lft forever preferred_lft forever
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
   valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000

    link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
    inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
   valid_lft forever preferred_lft forever
    inet6 fe80::b859:58ff:fe58:232b/64 scope link
   valid_lft forever preferred_lft forever

3. the output of 'ip rule'

$ ip rule
0:    from all lookup local
32762:    from all fwmark 0x1 lookup 100
32763:    from all fwmark 0x1 lookup 100
32764:    from all fwmark 0x1 lookup 100
32765:    from all fwmark 0x1 lookup 100
32766:    from all lookup main
32767:    from all lookup default


4.  the output of 'ip route show'


$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213


5.  the output of 'ip route show table 100'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

6. the output of 'iptables-save'



$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 
15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 
15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1

-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
-A DIVERT -j MARK --set-xmark 0x1/0x
-A DIVERT -j ACCEPT
COMMIT
# Completed on Wed Jul  7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*nat
:PREROUTING ACCEPT [26338415:1392747531]
:INPUT ACCEPT [820462:44161193]
:OUTPUT ACCEPT [1053:92773]
:POSTROUTING ACCEPT [25514534:1348449899]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Wed Jul  7 12:25:05 2021
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*filter
:INPUT ACCEPT [5045387:2170630036]
:FORWARD ACCEPT [72544426:6194710400]
:OUTPUT ACCEPT [2471930:252759773]
COMMIT
# Completed on Wed Jul  7 12:25:05 20


7. the output of 'nft -nn list ruleset' (if exists on the OS)

Doesn't exist.

8. the output of your squid.conf

$ cat squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from you

Re: [squid-users] TPROXY Error

2021-07-07 Thread Eliezer Croitoru
Hey Ben,

I want to try and reset this issue because I am missing some technical
details.

1. What Linux Distro and what version are you using?
2. the output of 'ip address'
3. the output of 'ip rule'
4.  the output of 'ip route show'
5.  the output of 'ip route show table 100'
6. the output of 'iptables-save'
7. the output of 'nft -nn list ruleset' (if exists on the OS)
8. the output of your squid.conf
9. the output of 'squid -v'
10. the output of 'uname -a'

Once we have all the above details (reducing/modifying any private
details) we can maybe try to help you.

Eliezer

-Original Message-
From: squid-users  On Behalf Of
Ben Goz
Sent: Wednesday, June 30, 2021 3:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] TPROXY Error

 By the help of God.

Hi All,
I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.
It looks like iptables TPROXY redirect works but squid prints out the
following error:

ERROR: NAT/TPROXY lookup failed to locate original IPs on
local=xxx:443 remote=xxx:49471 FD 14 flags=17

I think I loaded all TPROXY required kernel modules.

The IP forwarding works fine without the iptables rules, and I don't
see any squid ERROR on getsockopt.

Please let me know what I'm missing?

Thanks,
Ben
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
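
The checklist above asks for outputs that have to agree with each other for TPROXY interception to work. The shell function below is an added example, not part of the thread or of Squid; it cross-checks captured copies of four of them, run here on constructed sample input built from values posted in this thread. The function names are hypothetical, and the check compares mark values only, ignoring masks.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check captured TPROXY diagnostics.
# On a live host the arguments would be: "$(ip rule)" 100
#   "$(ip route show table 100)" "$(sudo iptables-save -t mangle)" "$(cat squid.conf)"

to_dec() { printf '%d' "${1:-0}"; }   # accepts decimal or 0x-prefixed hex

# tproxy_check IP_RULE TABLE IP_ROUTE_OF_TABLE IPTABLES_SAVE SQUID_CONF
# Prints one finding per line; returns 1 if any finding is a FAIL.
tproxy_check() {
    local rules="$1" table="$2" routes="$3" ipt="$4" conf="$5"
    local fails=0 marks count mark tp port tmark

    # 1. A policy rule must send marked packets to the TPROXY table.
    marks=$(printf '%s\n' "$rules" | awk -v t="$table" '
        NF > 2 && $(NF-1) == "lookup" && $NF == t {
            for (i = 1; i < NF; i++)
                if ($i == "fwmark") { m = $(i+1); sub(/\/.*/, "", m); print m } }')
    count=$(printf '%s\n' "$marks" | awk 'NF { n++ } END { print n + 0 }')
    mark=$(printf '%s\n' "$marks" | head -n 1)
    if [ "$count" -eq 0 ]; then
        echo "FAIL ip rule: no 'fwmark ... lookup $table' rule"; fails=1
    elif [ "$count" -gt 1 ]; then
        echo "WARN ip rule: $count rules send fwmark traffic to table $table; check for duplicates"
    else
        echo "OK ip rule: fwmark $mark -> table $table"
    fi

    # 2. That table must deliver everything locally. Pasting the main table
    #    here (plain 'ip route show') fails this check.
    if printf '%s\n' "$routes" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'; then
        echo "OK table $table: local default route via lo"
    else
        echo "FAIL table $table: no 'local default dev lo' route in the supplied output"; fails=1
    fi

    # 3. Each TPROXY rule must use the same mark and target a tproxy listener.
    tp=$(printf '%s\n' "$ipt" | awk '/-j TPROXY/ { port = ""; mark = "0"
        for (i = 1; i < NF; i++) {
            if ($i == "--on-port") port = $(i+1)
            if ($i == "--tproxy-mark") { mark = $(i+1); sub(/\/.*/, "", mark) } }
        if (port != "") print port, mark }')
    if [ -z "$tp" ]; then
        echo "FAIL iptables: no TPROXY rule with --on-port"; fails=1
    fi
    while read -r port tmark; do
        [ -n "$port" ] || continue
        if [ -n "$mark" ] && [ "$(to_dec "$tmark")" -ne "$(to_dec "$mark")" ]; then
            echo "FAIL iptables: port $port marks $tmark but ip rule matches $mark"; fails=1
        fi
        if printf '%s\n' "$conf" | awk -v p="$port" '
            $1 ~ /^https?_port$/ { n = $2; sub(/.*:/, "", n)
                if (n == p) for (i = 3; i <= NF; i++) if ($i == "tproxy") ok = 1 }
            END { exit !ok }'; then
            echo "OK squid.conf: port $port is a tproxy listener"
        else
            echo "FAIL squid.conf: no 'http(s)_port $port ... tproxy' line"; fails=1
        fi
    done <<EOF
$tp
EOF
    return "$fails"
}

# Constructed sample input, using values posted in this thread.
RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
TABLE_100='local default dev lo scope host'
MAIN_TABLE='default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1'
IPT='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1'
CONF='http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on'

tproxy_check "$RULES" 100 "$TABLE_100" "$IPT" "$CONF" || true
```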


Re: [squid-users] TPROXY Error

2021-07-06 Thread Amos Jeffries

On 5/07/21 11:31 pm, Ben Goz wrote:

By the help of God.

Does someone have an idea what's wrong with my configuration?



The config you have shown does not contain any visible issues.

The feature page has information on minimum kernel and library requirements 
for TPROXY to work reasonably well. There are also sections on other 
things to check for in regards to routing table behaviours in various 
kernels, and system security policies (e.g. SELinux, Apport, systemd).

  

Amos


Re: [squid-users] TPROXY Error

2021-07-05 Thread Ben Goz

By the help of God.

Does someone have an idea what's wrong with my configuration?

On 30/06/2021 15:55, Ben Goz wrote:


On 30/06/2021 15:25, Antony Stone wrote:

On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:


I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

# ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions 
on distribution see https://www.openssl.org/source/license.html


configure options:  '--with-openssl' '--enable-ssl-crtd' 
'--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience




2. Please show us the TPROXY rules you have.



iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15645



including:

ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100



3. Please show us the relevant lines for intercept proxying from your
squid.conf



http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on 
options=ALL dynamic_cert_mem_cache_size=4MB 
cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
dhparams=/usr/local/squid/etc/dhparam.pem

always_direct allow all






Regards,


Antony.




Re: [squid-users] TPROXY Error

2021-06-30 Thread Ben Goz


On 30/06/2021 15:25, Antony Stone wrote:

On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:


I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

# ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' 
'--enable-linux-netfilter' --enable-ltdl-convenience




2. Please show us the TPROXY rules you have.



iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15645



including:

ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100



3. Please show us the relevant lines for intercept proxying from your
squid.conf



http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on 
options=ALL dynamic_cert_mem_cache_size=4MB 
cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
dhparams=/usr/local/squid/etc/dhparam.pem

always_direct allow all






Regards,


Antony.




Re: [squid-users] TPROXY Error

2021-06-30 Thread Antony Stone
On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:

> I'm trying to configure squid as a transparent proxy using TPROXY.
> The machine I'm using has 2 NICs, one for input and the other one for
> output traffic.
> The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

2. Please show us the TPROXY rules you have.

3. Please show us the relevant lines for intercept proxying from your 
squid.conf


Regards,


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.