Re: [squid-users] TPROXY Routing

2010-04-02 Thread Kurt Sandstrom
I'll check that as well... have to grab some IPs and add to the interfaces.

2010/4/2 Henrik Nordström :
> Fri 2010-04-02 at 11:54 -0700, Kurt Sandstrom wrote:
>> That's the thing... if I enable the ebtables rules the bridging of http
>> on the local network stops but squid shows no activity even though the
>> tproxy counters increase.
>
> And if you configure a client to use the TPROXY as a router while having
> the ebtables rules disabled? (routing test)
>
> Regards
> Henrik
>
>


Re: [squid-users] TPROXY Routing

2010-04-02 Thread Kurt Sandstrom
That's the thing... if I enable the ebtables rules the bridging of http
on the local network stops but squid shows no activity even though the
tproxy counters increase. If I wget to 0.0.0.0 my squid shows wget
connection but returns a gateway error so I know the squid is replying
to requests it receives. I'm thinking perhaps the traffic might be
being directed to the bridge route instead of lo which would cause it
to die.

2010/4/2 Henrik Nordström :
> Fri 2010-04-02 at 09:47 -0700, Kurt Sandstrom wrote:
>
>> 2 things I may try this evening... grab tcp traffic from eth0 and br0
>> to see if redirected port 3129 is being routed out of the system
>> instead of to the localhost. Then try (a shot in the dark) changing:
>
> Which MAC address is being used on the packets sent out?
>
> Have a feeling the packets never gets diverted off the bridge.. if so
> then the MAC is unchanged when the packet is sent out.
>
> If the packet did get diverted from the bridge to routing then the
> source MAC of the packets when leaving the server will be that of br0.
>
> other sign to look for is if the IP ttl gets decremented. If the packet
> is being bridged then ttl stays the same, if it's being routed then ttl
> is decremented by one.
>
> Regards
> Henrik
>
>

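Henrik's MAC/TTL test above, as an added example that is not part of the thread: a small POSIX sh helper that takes a captured `tcpdump -e -n -v` header line for the frame entering on the client-side NIC and the matching frame leaving on the other NIC, and reports whether the SYN was bridged through unchanged, routed by the IP stack, or never re-emitted at all (the outcome a working TPROXY produces, since Squid terminates the client flow and opens its own upstream connection). The bridge MAC, the interface names and the sample frames are assumptions made for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the path a captured
# client SYN took through a bridging TPROXY box, using the two signs
# described above: a bridged frame keeps its source MAC and TTL, a routed
# packet leaves with the bridge's MAC and a TTL one lower, and a packet
# delivered to the TPROXY socket is not re-emitted at all.
# Input lines follow the `tcpdump -e -n -v` header format; the frames used
# in the usage note are constructed for the example.

# Second whitespace-separated field of a `tcpdump -e` line is the source MAC.
frame_src_mac() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# With -v the IP header is printed as "(tos 0x0, ttl 64, id ..., ...)".
frame_ttl() { printf '%s\n' "$1" | sed -n 's/.*ttl \([0-9][0-9]*\),.*/\1/p'; }

# classify_path INGRESS_FRAME EGRESS_FRAME BRIDGE_MAC
#   INGRESS_FRAME: the frame as captured entering on the client-side NIC
#   EGRESS_FRAME:  the matching frame captured leaving the other NIC, or ""
#                  if no such frame was seen
#   BRIDGE_MAC:    MAC address of br0 (assumed; what routed packets are sent from)
# Prints one of: local | bridged | routed | unexpected
classify_path() {
    ingress=$1; egress=$2; bridge_mac=$3
    if [ -z "$egress" ]; then
        echo local        # not re-emitted: delivered to the local TPROXY socket
        return 0
    fi
    in_mac=$(frame_src_mac "$ingress"); in_ttl=$(frame_ttl "$ingress")
    eg_mac=$(frame_src_mac "$egress");  eg_ttl=$(frame_ttl "$egress")
    : "${in_ttl:=0}" "${eg_ttl:=0}"
    if [ "$eg_mac" = "$in_mac" ] && [ "$eg_ttl" = "$in_ttl" ]; then
        echo bridged      # ebtables broute never pulled it off the bridge
    elif [ "$eg_mac" = "$bridge_mac" ] && [ "$eg_ttl" -eq $((in_ttl - 1)) ]; then
        echo routed       # diverted to IP, but forwarded instead of delivered locally
    else
        echo unexpected
    fi
}
```

To collect a pair of frames for one client SYN, run `tcpdump -e -n -v -i eth1 'tcp dst port 80 and tcp[tcpflags] & tcp-syn != 0'` and the same on eth0, match the lines by client address and port, and pass them to `classify_path` together with the MAC shown by `ip link show br0`. A result of `bridged` points at the ebtables broute rules, `routed` at the fwmark rule or the `local` route in table 100, and `local` means the packet reached the IP stack and was delivered to the TPROXY socket, so the remaining suspect is Squid itself.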

Re: [squid-users] TPROXY Routing

2010-04-02 Thread Kurt Sandstrom
You are correct in that it's a routing issue...

I have network -> eth1(no ip bridged)->eth0(no ip bridged)-> gateway(router)
the eth1 and eth0 interfaces have a br0 assigned.

when I assign the bridge interface I use the following for routing:

ifconfig br0 xxx.xxx.xxx.xxx netmask 255.255.0.0 up   # routable IP
route add default gw xxx.xxx.xxx.xxx dev br0           # gateway

Then I use:

# broute table: a DROP target here means "take the frame off the bridge
# and hand it to the IP stack", for client port-80 traffic and the replies
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129
# disable bridge-nf-call-* so bridged frames do not traverse iptables
cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

and I think this is where the problem resides but may be wrong:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

My iptables are being traversed and I can see the counters increasing
in the PREROUTING chain TPROXY target

2 things I may try this evening... grab tcp traffic from eth0 and br0
to see if redirected port 3129 is being routed out of the system
instead of to the localhost. Then try (a shot in the dark) changing:

ip route add local 0.0.0.0/0 dev lo table 100
to
ip route add local 0.0.0.0/0 dev br0 table 100

If you have any other ideas then please let me know... I know I'm
close and the help received here has really helped

Kurt


Re: [squid-users] TPROXY Routing

2010-04-02 Thread Kurt Sandstrom
I did a couple of tests on the system last night. If I wget
0.0.0.0:3129 (the tproxy port) then I see traffic in the squid access.log.
I receive a gateway not found error

2010/4/2 johan firdianto :
> Have you setup ebtables to drop packet,
> ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp \
>     --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp \
>     --ip-sport 80 -j redirect --redirect-target DROP
>
> second hint,
> route all your network/netmask ip address to dev bridge,
> example:
> ip route add 192.168.100.0/24 dev br0
> ip route add 10.0.0.0/8 dev br0
> BUT, if you have router again below your bridge, you should define
> routing in your bridge.
> Because your box actually act as bridge and router. Act as router
> because you intercepted traffic to squid. So, when the kernel will forward
> the traffic to network, they must know which interface to forward.
>
>
>
> 2010/4/2 Henrik Nordström :
>> Thu 2010-04-01 at 13:43 -0700, Kurt Sandstrom wrote:
>>> The bridging is working just not redirecting to the squid. I can see
>>> the counters increment for port 80 but nothing on the squid side.
>>
>> TPROXY has some quite peculiar requirements, and the combination with
>> bridging makes those even more complex. And is why I ask that you first
>> verify your TPROXY setup in routing mode before trying the same in
>> bridge mode. It's simply about isolating why things do not work for you
>> instead of trying to guess if it's the bridge-iptables integration,
>> ebtables, iptables TPROXY rules, routing, or whatever..
>>
>> Regards
>> Henrik
>>
>>
>


Re: [squid-users] TPROXY Routing

2010-04-01 Thread Kurt Sandstrom
The bridging is working just not redirecting to the squid. I can see
the counters increment for port 80 but nothing on the squid side.


2010/4/1 Henrik Nordström :
> Thu 2010-04-01 at 11:10 -0700, Kurt Sandstrom wrote:
>> It is set up with 2 nics as a bridge. The routing I was referring to is
>> only internal to the box.. ie through iptables
>
> bridge... haven't tried TPROXY in bridge mode, only router mode.
>
> Due to the complexity involved I would recommend you first try TPROXY in
> router mode, then move on to extend it to bridge mode. And remember that
> you need to divert the return traffic as well in the bridge or it won't
> work.
>
> Regards
> Henrik
>
>


Re: [squid-users] TPROXY Routing

2010-04-01 Thread Kurt Sandstrom
It is set up with 2 nics as a bridge. The routing I was referring to is
only internal to the box.. ie through iptables

On Thu, Apr 1, 2010 at 5:09 AM, johan firdianto  wrote:
> Make sure you have set up triangle routing correctly.
> Does your squid act as a bridge? Or as a router/gateway with dual
> ethernet interfaces?
> Or as a standalone server with a single ethernet?
> Options 1 and 2 don't need a routing setup; incoming and
> outgoing traffic must hit the squid box.
> But for option 3, you should set up your router to make sure outgoing
> traffic to port 80 hits the squid first and is forwarded to the
> internet, and the reply traffic from the internet comes back to the
> squid box before being forwarded to the client.
>
> 2010/4/1 Kurt Sandstrom :
>> I have the following in startup
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> The output of  ip route show table 100: local default dev lo  scope host
>>
>> One other thing is strange, my PREROUTING rules in mangle don't load
>> in my script. I have to manually add them. Timing issue perhaps?
>>
>> Startup script loaded from rc.local:
>>
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>>     --tproxy-mark 0x1/0x1 --on-port 3129
>> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp \
>>     --ip-dport 80 -j redirect --redirect-target DROP
>> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp \
>>     --ip-sport 80 -j redirect --redirect-target DROP
>> cd /proc/sys/net/bridge/
>> for i in *
>> do
>>     echo 0 > $i
>> done
>> unset i
>>
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>>
>> 2010/3/31 Henrik Nordström :
>>> Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
>>>> I have been unable to get TPROXY working correctly with squid. I have
>>>> used the steps in  http://wiki.squid-cache.org/Features/Tproxy4 and
>>>> re-checked everything.
>>>>
>>>
>>> I did not see your routing setup in the data you dumped. Without the
>>> routing configured then TPROXY won't intercept, just route like normal..
>>>
>>> http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
>>>
>>> Regards
>>> Henrik
>>>
>>>
>>
>


Re: [squid-users] TPROXY Routing

2010-03-31 Thread Kurt Sandstrom
I have the following in startup

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

The output of  ip route show table 100: local default dev lo  scope host

One other thing is strange, my PREROUTING rules in mangle don't load
in my script. I have to manually add them. Timing issue perhaps?

Startup script loaded from rc.local:

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter   # replies to spoofed sources arrive on lo
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129
# broute table: DROP here means "take the frame off the bridge and hand
# it to the IP stack", for client port-80 traffic and for the replies
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP
# disable bridge-nf-call-* so bridged frames do not traverse iptables
cd /proc/sys/net/bridge/
for i in *
do
    echo 0 > $i
done
unset i

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100


2010/3/31 Henrik Nordström :
> Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
>> I have been unable to get TPROXY working correctly with squid. I have
>> used the steps in  http://wiki.squid-cache.org/Features/Tproxy4 and
>> re-checked everything.
>>
>
> I did not see your routing setup in the data you dumped. Without the
> routing configured then TPROXY won't intercept, just route like normal..
>
> http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
>
> Regards
> Henrik
>
>

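The routing-mode verification Henrik asks for above, as an added example that is not code from the thread or from the Squid wiki: a POSIX sh script that checks the pieces of the startup script that TPROXY depends on (the fwmark rule, the local catch-all route on lo in table 100, the order of the socket-match and TPROXY rules in mangle PREROUTING, and the two sysctls). Each check takes captured command output as a string, so it can be run against a snapshot pasted from another box as well as against the live system. Mark 1, table 100 and port 3129 are taken from the thread's own values; the `iptables -L -n -v` output layout and the sample snapshot in the usage note are assumptions made for the example. Nothing here touches the bridge or ebtables.

```shell
#!/bin/sh
# Added example, not code from the thread: verify the policy-routing half of
# a Squid TPROXY setup on its own, before adding the bridge.
# Assumed values (the thread's own, but not fixed by it): mark 1, table 100.

TPROXY_MARK="${TPROXY_MARK:-1}"
TPROXY_TABLE="${TPROXY_TABLE:-100}"

# `ip rule show` prints the mark in hex: "32765: from all fwmark 0x1 lookup 100"
check_rule() {
    hexmark=$(printf '0x%x' "$TPROXY_MARK")
    printf '%s\n' "$1" | grep -Eq "fwmark ${hexmark}(/0x[0-9a-f]+)? lookup ${TPROXY_TABLE}"
}

# `ip route show table 100` must hold the local catch-all on lo; a route via
# br0 or any other device means marked packets are forwarded, not delivered
# to the local TPROXY socket.
check_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo +scope host'
}

# In mangle PREROUTING the "-m socket" DIVERT rule must come before the
# TPROXY rule (the order used in the startup script above), so packets of
# already-proxied connections are marked and accepted before TPROXY runs.
check_mangle_order() {
    divert=$(printf '%s\n' "$1" | grep -n 'DIVERT .*socket' | head -n 1 | cut -d: -f1)
    tproxy=$(printf '%s\n' "$1" | grep -n 'TPROXY' | head -n 1 | cut -d: -f1)
    [ -n "$divert" ] && [ -n "$tproxy" ] && [ "$divert" -lt "$tproxy" ]
}

# rp_filter on lo must be 0 (packets for foreign addresses arrive there),
# ip_forward must be 1.
check_sysctls() {
    [ "$1" = "0" ] && [ "$2" = "1" ]
}

# tproxy_check RULES ROUTES MANGLE RP_FILTER_LO IP_FORWARD
# Prints one line per failed check; returns 0 only when every check passes.
tproxy_check() {
    rc=0
    check_rule "$1"         || { echo "FAIL: no 'fwmark $TPROXY_MARK lookup $TPROXY_TABLE' rule"; rc=1; }
    check_route "$2"        || { echo "FAIL: table $TPROXY_TABLE lacks 'local default dev lo'"; rc=1; }
    check_mangle_order "$3" || { echo "FAIL: '-m socket' DIVERT rule missing or after TPROXY rule"; rc=1; }
    check_sysctls "$4" "$5" || { echo "FAIL: need lo/rp_filter=0 and ip_forward=1"; rc=1; }
    return $rc
}

# Wrapper for the running system (iptables needs root).
tproxy_check_live() {
    tproxy_check "$(ip rule show)" \
                 "$(ip route show table "$TPROXY_TABLE")" \
                 "$(iptables -t mangle -L PREROUTING -n -v)" \
                 "$(cat /proc/sys/net/ipv4/conf/lo/rp_filter)" \
                 "$(cat /proc/sys/net/ipv4/ip_forward)"
}
```

Run `tproxy_check_live` on the box after the startup script; every line it prints is a prerequisite that is missing, and a silent run with exit status 0 means the remaining difference between a working router-mode test and the bridge setup lies in ebtables, bridge-nf or Squid, which this script does not inspect. The "rules don't load from rc.local" symptom mentioned above would show up here as a FAIL for the mangle order, independent of whether the rest of the script ran.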

[squid-users] TPROXY Routing

2010-03-31 Thread Kurt Sandstrom
I have been unable to get TPROXY working correctly with squid. I have
used the steps in  http://wiki.squid-cache.org/Features/Tproxy4 and
re-checked everything.

Versions:

Kernel 2.6.28-11-server (ubuntu)

Squid Cache: Version 3.1.1
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=/include' '--mandir=/share/man' '--infodir=/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores'
'--enable-follow-x-forwarded-for' '--enable-auth=basic'
'--enable-external-acl-helpers=ip_user' '--with-filedescriptors=65536'
'--with-default-user=proxy' '--enable-epoll'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu'
--with-squid=/home/mike/squid-3.1.1 --enable-ltdl-convenience

iptables v1.4.3

I can see http traffic incrementing through my DIVERT and PREROUTING tables

Chain PREROUTING (policy ACCEPT 166K packets, 41M bytes)
 pkts bytes target  prot opt in  out  source    destination
 2963  202K DIVERT  tcp  --  any any  anywhere  anywhere     socket
 1684 85244 TPROXY  tcp  --  any any  anywhere  anywhere     tcp dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT 22640 packets, 1278K bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain OUTPUT (policy ACCEPT 23918 packets, 3770K bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain POSTROUTING (policy ACCEPT 23918 packets, 3770K bytes)
 pkts bytes target  prot opt in  out  source    destination

Chain DIVERT (1 references)
 pkts bytes target  prot opt in  out  source    destination
 2963  202K MARK    all  --  any any  anywhere  anywhere     MARK xset 0x1/0x
 2963  202K ACCEPT  all  --  any any  anywhere  anywhere

When I use -v -v, all the error counters are at 0

Squidclient shows:

Connection information for squid:
Number of clients accessing cache:  2
Number of HTTP requests received:   7 (from squidclient access)

And my store isn't growing at all.

It seems squid is not getting the traffic from my iptables...   any ideas??


[squid-users] Re: ACL All Error

2010-03-31 Thread Kurt Sandstrom
UPDATE!

It seems to only happen when the --disable-ipv6 option is used during
compile, perhaps the default acl handler for IPV4 needs a bit of
love... doesn't seem the same as the one included as default.




On Wed, Mar 31, 2010 at 1:00 AM, Kurt Sandstrom  wrote:
> Ok I have an issue here...  Compiled Squid
> Squid Cache: Version 3.1.1
> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info'
> '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
> '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-underscores'
> '--enable-follow-x-forwarded-for' '--enable-auth=basic'
> '--enable-external-acl-helpers=ip_user' '--with-filedescriptors=65536'
> '--with-default-user=proxy' '--enable-epoll'
> '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu'
> --with-squid=/home/myuser/squid-3.1.1 --enable-ltdl-convenience
>
> and keep getting an error:
>
> squid -X
>
> FATAL: Bungled Default Configuration line 8: miss_access allow all
>
> Using the default squid.conf:
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> # Have Added and removed with the same issue
> # acl all src 0.0.0.0/0.0.0.0
> # acl all src 0.0.0.0/0
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/cache
> refresh_pattern ^ftp:   1440    20% 10080
> refresh_pattern ^gopher:    1440    0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern .   0   20% 4320
>
>
> Details of error:
>
> 2010/03/31 00:51:02.160| ACL::Prototype::Registered: invoked for type src
> 2010/03/31 00:51:02.160| ACL::Prototype::Registered:    yes
> 2010/03/31 00:51:02.160| ACL::FindByName 'all'
> 2010/03/31 00:51:02.160| ACL::FindByName found no match
> 2010/03/31 00:51:02.160| aclParseAclLine: Creating ACL 'all'
> 2010/03/31 00:51:02.160| ACL::Prototype::Factory: cloning an object
> for type 'src'
> 2010/03/31 00:51:02.160| aclIpParseIpData: all
> 2010/03/31 00:51:02.160| aclIpParseIpData: magic 'all' found.
> 2010/03/31 00:51:02.160| aclParseAclList: looking for ACL name 'all'
> 2010/03/31 00:51:02.160| ACL::FindByName 'all'
> 2010/03/31 00:51:02.160| ACL::FindByName found no match
> 2010/03/31 00:51:02.160| aclParseAclList: ACL name 'all' not found.
> 2010/03/31 00:51:02.160| leave_suid: PID 27212 called
> FATAL: Bungled Default Configuration line 8: miss_access allow all
>
> I have tried squid -X -f /etc/squid3/squid.conf to verify that I'm
> using the right config
>
>
> Any Ideas?
>


[squid-users] ACL All Error

2010-03-31 Thread Kurt Sandstrom
Ok I have an issue here...  Compiled Squid
Squid Cache: Version 3.1.1
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=/include' '--mandir=/share/man' '--infodir=/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores'
'--enable-follow-x-forwarded-for' '--enable-auth=basic'
'--enable-external-acl-helpers=ip_user' '--with-filedescriptors=65536'
'--with-default-user=proxy' '--enable-epoll'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu'
--with-squid=/home/myuser/squid-3.1.1 --enable-ltdl-convenience

and keep getting an error:

squid -X

FATAL: Bungled Default Configuration line 8: miss_access allow all

Using the default squid.conf:


acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
# Have Added and removed with the same issue
# acl all src 0.0.0.0/0.0.0.0
# acl all src 0.0.0.0/0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/cache
refresh_pattern ^ftp:   1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320


Details of error:

2010/03/31 00:51:02.160| ACL::Prototype::Registered: invoked for type src
2010/03/31 00:51:02.160| ACL::Prototype::Registered:    yes
2010/03/31 00:51:02.160| ACL::FindByName 'all'
2010/03/31 00:51:02.160| ACL::FindByName found no match
2010/03/31 00:51:02.160| aclParseAclLine: Creating ACL 'all'
2010/03/31 00:51:02.160| ACL::Prototype::Factory: cloning an object
for type 'src'
2010/03/31 00:51:02.160| aclIpParseIpData: all
2010/03/31 00:51:02.160| aclIpParseIpData: magic 'all' found.
2010/03/31 00:51:02.160| aclParseAclList: looking for ACL name 'all'
2010/03/31 00:51:02.160| ACL::FindByName 'all'
2010/03/31 00:51:02.160| ACL::FindByName found no match
2010/03/31 00:51:02.160| aclParseAclList: ACL name 'all' not found.
2010/03/31 00:51:02.160| leave_suid: PID 27212 called
FATAL: Bungled Default Configuration line 8: miss_access allow all

I have tried squid -X -f /etc/squid3/squid.conf to verify that I'm
using the right config


Any Ideas?