Re: [squid-users] Implement Tproxy on Debian squeeze
On 03.03.2012 14:19, David Touzeau wrote:
> You are right Amos.
>
> If need iptables 1.4.10 and kernel 2.6.37 and Debian backports provide iptables 1.4.8 and kernel 3.0
> It is not possible with debian squeeze to use correctly TProxy mode.
> I think this should be the reason that in my previous post, i had many issues implementing TProxy mode.
> I think needs to wait Wheezy or better version in backports

I have just found an omission from the TPROXY feature page which may explain the problems on Ubuntu and some Debians. It turns out the fwmark rules need to be entered explicitly and separately for IPv4 and IPv6, just like the route entries.

The wiki was saying:

ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100
ip -f inet6 route add local default dev eth0 table 100

But what is actually needed is this:

ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eth0 table 100

If you follow the "ip rule add fwmark" version it will catch IPv4 traffic perfectly fine. While IPv6 will be counted as marked by TPROXY yet never arrive at Squid, instead they will pass through to the destination as if TPROXY was not even there.

Hope this helps.

Amos
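
The per-family check described in the message above, as an added example (not code from the thread or from the Squid wiki): the functions parse the text printed by `ip -f inet rule show` and `ip -f inet6 rule show` and report which address family lacks the `fwmark 1 lookup 100` rule. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the TPROXY policy-routing rule per address family.
# The functions take the text printed by `ip -f <family> rule show` as an
# argument, so they work on saved output as well as on a live system.

# fwmark_rule_count RULES MARK TABLE
# Prints how many rules in RULES send packets carrying MARK to TABLE.
fwmark_rule_count() {
    want=$(printf '0x%x' "$2")          # ip prints marks in hex: 1 -> 0x1
    printf '%s\n' "$1" | awk -v want="$want" -v table="$3" '
        {
            mark = ""; tbl = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") mark = $(i + 1)
                if ($i == "lookup") tbl = $(i + 1)
            }
            sub(/\/.*$/, "", mark)      # ignore an optional /mask suffix
            # Appending "" forces string comparison in every awk.
            if ((mark "") == (want "") && (tbl "") == (table "")) n++
        }
        END { print n + 0 }'
}

# missing_families V4_RULES V6_RULES MARK TABLE
# Prints the families that lack the rule: "inet", "inet6", "inet inet6",
# or nothing when both families have it.
missing_families() {
    out=""
    [ "$(fwmark_rule_count "$1" "$3" "$4")" -gt 0 ] || out="inet"
    [ "$(fwmark_rule_count "$2" "$3" "$4")" -gt 0 ] || out="${out:+$out }inet6"
    printf '%s' "$out"
}

# Constructed sample: state after a single `ip rule add fwmark 1 lookup 100`,
# which creates the rule for IPv4 only.
SAMPLE_V4='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
SAMPLE_V6='0: from all lookup local
32766: from all lookup main'

# Constructed sample: the same rule entered four times by re-running setup.
SAMPLE_DUP='0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32763: from all fwmark 0x1 lookup 100
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100'

# Live check (needs iproute2): sh check-fwmark.sh --live
if [ "${1:-}" = "--live" ]; then
    gaps=$(missing_families "$(ip -f inet rule show)" \
                            "$(ip -f inet6 rule show)" 1 100)
    if [ -n "$gaps" ]; then
        echo "fwmark 1 -> table 100 rule missing for: $gaps"
        exit 1
    fi
    echo "fwmark 1 -> table 100 rule present for inet and inet6"
fi
```
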
Re: [squid-users] Implement Tproxy on Debian squeeze
On 06.03.2012 12:54, E.S. Rosenberg wrote:
> 2012/3/6 Amos Jeffries:
>> On 06.03.2012 11:42, E.S. Rosenberg wrote:
>>> 2012/3/2 Yucong Sun (叶雨飞):
>>>> I think what happens is the document seems to be wrong, the kernel already has TPROXY compiled in, look for /boot/config- and search for TPROXY, it should say "m".
>>>>
>>>> for the iptables rules, you will need to use mangle table, there's no tproxy table anymore.
>>
>> There was never a TPROXY table. It has always been the mangle table, with TPROXY *target*.
>>
>>>> However, I do want to add an additional question, suppose my proxy machine will be acting as network gateway to my LAN, can I simply achieve the same effect by simply
>>>> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
>>>> why was tproxy needed in the first place?
>>
>>> As far as I understood it you would use tproxy if you want to expose your "internal" IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
>>>
>>> But I may not have understood things right...
>>
>> Sort-of. "Exposure" is only limited to the in and out ports of Squid. TPROXY can work alongside proper address-only NAT to gain the address obfuscation if you want it. Or with any kind of firewalls for actual security.
>>
>> You would also use TPROXY if you needed to do traffic interception for protocols other than IPv4.
>>
>> For OS where transparent proxy works there is no more technical reasons to use NAT. OpenBSD 5.x for example seem to have jumped the whole upgrade process and no longer support NAT interception at all, using "divert" sockets which is their version of TPROXY, across the main set of system tools.
>
> That is assuming the TPROXY machine sits on the line of the machines going out, if it's just a firewall that is redirecting all port 80 traffic to the proxy on a different subnet you would still use it I would think?

If by "line" you mean the packet flow at a virtual level, yes. TPROXY is similar to a virtual bridge. Interception in any form assumes the packets are reaching the machine somehow. Actually bridging the packets across a box with TPROXY on it is the easy way to configure it. Policy routing is the slightly harder way.

Only difference in these installations between the TPROXY of the NAT is what properties routing logics need to make decisions on.

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
2012/3/6 Amos Jeffries:
> On 06.03.2012 11:42, E.S. Rosenberg wrote:
>> 2012/3/2 Yucong Sun (叶雨飞):
>>> I think what happens is the document seems to be wrong, the kernel already has TPROXY compiled in, look for /boot/config- and search for TPROXY, it should say "m".
>>>
>>> for the iptables rules, you will need to use mangle table, there's no tproxy table anymore.
>
> There was never a TPROXY table. It has always been the mangle table, with TPROXY *target*.
>
>>> However, I do want to add an additional question, suppose my proxy machine will be acting as network gateway to my LAN, can I simply achieve the same effect by simply
>>> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
>>> why was tproxy needed in the first place?
>
>> As far as I understood it you would use tproxy if you want to expose your "internal" IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
>>
>> But I may not have understood things right...
>
> Sort-of. "Exposure" is only limited to the in and out ports of Squid. TPROXY can work alongside proper address-only NAT to gain the address obfuscation if you want it. Or with any kind of firewalls for actual security.
>
> You would also use TPROXY if you needed to do traffic interception for protocols other than IPv4.
>
> For OS where transparent proxy works there is no more technical reasons to use NAT. OpenBSD 5.x for example seem to have jumped the whole upgrade process and no longer support NAT interception at all, using "divert" sockets which is their version of TPROXY, across the main set of system tools.

That is assuming the TPROXY machine sits on the line of the machines going out, if it's just a firewall that is redirecting all port 80 traffic to the proxy on a different subnet you would still use it I would think?

Thanks,
Eli

> Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
On 06.03.2012 11:42, E.S. Rosenberg wrote:
> 2012/3/2 Yucong Sun (叶雨飞):
>> I think what happens is the document seems to be wrong, the kernel already has TPROXY compiled in, look for /boot/config- and search for TPROXY, it should say "m".
>>
>> for the iptables rules, you will need to use mangle table, there's no tproxy table anymore.

There was never a TPROXY table. It has always been the mangle table, with TPROXY *target*.

>> However, I do want to add an additional question, suppose my proxy machine will be acting as network gateway to my LAN, can I simply achieve the same effect by simply
>> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
>> why was tproxy needed in the first place?

> As far as I understood it you would use tproxy if you want to expose your "internal" IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.
>
> But I may not have understood things right...

Sort-of. "Exposure" is only limited to the in and out ports of Squid. TPROXY can work alongside proper address-only NAT to gain the address obfuscation if you want it. Or with any kind of firewalls for actual security.

You would also use TPROXY if you needed to do traffic interception for protocols other than IPv4.

For OS where transparent proxy works there is no more technical reasons to use NAT. OpenBSD 5.x for example seem to have jumped the whole upgrade process and no longer support NAT interception at all, using "divert" sockets which is their version of TPROXY, across the main set of system tools.

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
2012/3/2 Yucong Sun (叶雨飞):
> I think what happens is the document seems to be wrong, the kernel already has TPROXY compiled in, look for /boot/config- and search for TPROXY, it should say "m".
>
> for the iptables rules, you will need to use mangle table, there's no tproxy table anymore.
>
> as such
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port \
> --tproxy-mark 0x1/0x1
>
> on my machine ubuntu 10.04 LTS, Linux fullcenter 2.6.32-37-server #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux
> I have TPROXY 4.1.0 included, not sure about debian.
>
> [5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> [5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>
> However, I do want to add an additional question, suppose my proxy machine will be acting as network gateway to my LAN, can I simply achieve the same effect by simply
> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
> why was tproxy needed in the first place?

As far as I understood it you would use tproxy if you want to expose your "internal" IPs to the other side, so if for instance my internal network is actually a publicly routable block and I don't want to NAT that then you use tproxy, whereas the effect of the rule you write above is basically NAT in that the original source will be invisible to the destination.

But I may not have understood things right...

Regards,
Eli

> Thanks.
>
> On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau wrote:
>> There is bad news, backports did not change something according Tproxy
>> Only kernel 3.2x is available on backports repository.
>>
>> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
>> apt-get install -t squeeze-backports upgrade
>> reboot
>> my kernel is now
>> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux
>>
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded
>>
>> grep -i iptables /boot/config-`uname -r`
>> CONFIG_IP_NF_IPTABLES=m
>> CONFIG_IP6_NF_IPTABLES=m
>> # iptables trigger is under Netfilter config (LED target)
>>
>> Sniff, sniff
>>
>> On 02/03/2012 17:03, David Touzeau wrote:
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
Re: [squid-users] Implement Tproxy on Debian squeeze
You are right Amos.

If need iptables 1.4.10 and kernel 2.6.37 and Debian backports provide iptables 1.4.8 and kernel 3.0
It is not possible with debian squeeze to use correctly TProxy mode.
I think this should be the reason that in my previous post, i had many issues implementing TProxy mode.
I think needs to wait Wheezy or better version in backports

On 03/03/2012 01:43, Amos Jeffries wrote:
> I must be going senile
>
> Your original message had:
>
> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded
>
> But... http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29
> ---> iptables 1.4.*10*
>
> Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
I must be going senile

Your original message had:

iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded

But... http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv6_and_IPv4.29
---> iptables 1.4.*10*

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
Yucong and Eliezer ...

You are definitely right. In fact the tproxy using your method exists on debian squeeze kernel.
That's good but now i have issue using the tproxy mode.

I have set the network in kernel

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.eth0.send_redirects=0
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

i have set routing rules mentioned on the wiki pages

routes added

# ip rule add fwmark 1 lookup 100
# ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
# ip route list table 100
local default dev eth0 scope host
#ip rule
0: from all lookup local
32762: from all fwmark 0x1 lookup 100
32763: from all fwmark 0x1 lookup 100
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100

enabled squid with

http_port 3128 tproxy
http_port 3129

But now i'm unable to go through internet.
When force browser to pass through the 3129 port i can browse.
But failed with timed out when define the browser to go directly to Internet.

I think there is an issue with iptables

On the http://wiki.squid-cache.org/Features/Tproxy4
It is mentioned that if there is timed out, it means that you need to
Check that the /DIVERT/ is done before /TPROXY/ rules in iptables *PREROUTING* chain

but i have added iptables rules with the "strict order" mentioned and iptables-save display always :

-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0x
-A DIVERT -j ACCEPT

You can see that DIVERT is after TPROXY rules.
Perhaps iptables-save command list items sorted rules type...?

Is the issue is the order of iptables rules ?
So why adding rules in the strict order will add always set DIVERT to the end ?

Best regards

On 02/03/2012 20:16, Yucong Sun (叶雨飞) wrote:
> I think what happens is the document seems to be wrong, the kernel already has TPROXY compiled in, look for /boot/config- and search for TPROXY, it should say "m".
>
> for the iptables rules, you will need to use mangle table, there's no tproxy table anymore.
>
> as such
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port \
> --tproxy-mark 0x1/0x1
>
> on my machine ubuntu 10.04 LTS, Linux fullcenter 2.6.32-37-server #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux
> I have TPROXY 4.1.0 included, not sure about debian.
>
> [5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> [5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>
> However, I do want to add an additional question, suppose my proxy machine will be acting as network gateway to my LAN, can I simply achieve the same effect by simply
> -iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
> why was tproxy needed in the first place?
>
> Thanks.
>
> On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau wrote:
>> There is bad news, backports did not change something according Tproxy
>> Only kernel 3.2x is available on backports repository.
>>
>> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
>> apt-get install -t squeeze-backports upgrade
>> reboot
>> my kernel is now
>> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux
>>
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded
>>
>> grep -i iptables /boot/config-`uname -r`
>> CONFIG_IP_NF_IPTABLES=m
>> CONFIG_IP6_NF_IPTABLES=m
>> # iptables trigger is under Netfilter config (LED target)
>>
>> Sniff, sniff
>>
>> On 02/03/2012 17:03, David Touzeau wrote:
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
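
An added example (not code from the thread) for the ordering check the wiki describes: `iptables-save` prints rules grouped by chain, so the `-A DIVERT` lines that fill the DIVERT chain always come after the `-A PREROUTING` lines, and the order that matters is the `-j DIVERT` jump versus the `-j TPROXY` rule inside the mangle PREROUTING chain. The function names and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the DIVERT jump and the TPROXY rule in iptables-save output.

# prerouting_positions SAVE_TEXT
# Prints "<divert> <tproxy>": 1-based positions, within the mangle table's
# PREROUTING chain, of the first "-j DIVERT" and first "-j TPROXY" (0 = absent).
prerouting_positions() {
    printf '%s\n' "$1" | awk '
        BEGIN { table = "mangle" }      # headerless excerpts count as mangle
        /^\*/ { table = substr($1, 2); next }   # "*mangle", "*nat", ...
        table == "mangle" && $1 == "-A" && $2 == "PREROUTING" {
            pos++
            for (i = 3; i < NF; i++) {
                if ($i != "-j") continue
                if ($(i + 1) == "DIVERT" && !d) d = pos
                if ($(i + 1) == "TPROXY" && !t) t = pos
            }
        }
        END { print d + 0, t + 0 }'
}

# divert_verdict SAVE_TEXT
# Prints one of: ok, divert-after-tproxy, divert-missing, tproxy-missing.
divert_verdict() {
    pos=$(prerouting_positions "$1")
    d=${pos% *}
    t=${pos#* }
    if [ "$d" -eq 0 ]; then echo divert-missing
    elif [ "$t" -eq 0 ]; then echo tproxy-missing
    elif [ "$d" -lt "$t" ]; then echo ok
    else echo divert-after-tproxy
    fi
}

# Constructed sample: DIVERT jump first, TPROXY second. The "-A DIVERT" lines
# are the contents of the DIVERT chain and do not affect the verdict.
SAMPLE_OK='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample: the two PREROUTING rules appended in the wrong order.
SAMPLE_BAD='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Live check (needs root): sh check-divert.sh --live
if [ "${1:-}" = "--live" ]; then
    verdict=$(divert_verdict "$(iptables-save -t mangle)")
    echo "mangle PREROUTING: $verdict"
    [ "$verdict" = "ok" ] || exit 1
fi
```
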
Re: [squid-users] Implement Tproxy on Debian squeeze
it's a linux module and you should first check if it exists or loaded.
use:

lsmod |grep -i tproxy

to see if it's loaded.
to check if the kernel has a built module you should run:

modprobe -l |egrep -i "tproxy|socket"

you should have 2 modules for tproxy and also some iptable socket modules.
if you didn't do any of the above before running the iptables command, these should give you the answer if you have tproxy support as a kernel module.

Regards,
Eliezer

On 02/03/2012 19:33, David Touzeau wrote:
> There is bad news, backports did not change something according Tproxy
> Only kernel 3.2x is available on backports repository.
>
> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
> apt-get install -t squeeze-backports upgrade
> reboot
> my kernel is now
> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux
>
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded
>
> grep -i iptables /boot/config-`uname -r`
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP6_NF_IPTABLES=m
> # iptables trigger is under Netfilter config (LED target)
>
> Sniff, sniff
>
> On 02/03/2012 17:03, David Touzeau wrote:
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
Re: [squid-users] Implement Tproxy on Debian squeeze
I think what happens is the document seems to be wrong, the kernel already has TPROXY compiled in, look for /boot/config- and search for TPROXY, it should say "m".

for the iptables rules, you will need to use mangle table, there's no tproxy table anymore.

as such

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port \
--tproxy-mark 0x1/0x1

on my machine ubuntu 10.04 LTS, Linux fullcenter 2.6.32-37-server #81-Ubuntu SMP Fri Dec 2 20:49:12 UTC 2011 x86_64 GNU/Linux
I have TPROXY 4.1.0 included, not sure about debian.

[5282830.948528] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[5282830.948533] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

However, I do want to add an additional question, suppose my proxy machine will be acting as network gateway to my LAN, can I simply achieve the same effect by simply
-iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT 127.0.0.1: ???
why was tproxy needed in the first place?

Thanks.

On Fri, Mar 2, 2012 at 9:33 AM, David Touzeau wrote:
> There is bad news, backports did not change something according Tproxy
> Only kernel 3.2x is available on backports repository.
>
> apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
> apt-get install -t squeeze-backports upgrade
> reboot
> my kernel is now
> Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux
>
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded
>
> grep -i iptables /boot/config-`uname -r`
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP6_NF_IPTABLES=m
> # iptables trigger is under Netfilter config (LED target)
>
> Sniff, sniff
>
> On 02/03/2012 17:03, David Touzeau wrote:
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
Re: [squid-users] Implement Tproxy on Debian squeeze
There is bad news, backports did not change something according Tproxy
Only kernel 3.2x is available on backports repository.

apt-get install -t squeeze-backports linux-image-3.2.0-0.bpo.1-686-pae
apt-get install -t squeeze-backports upgrade
reboot
my kernel is now
Linux squid32.localhost.localdomain 3.2.0-0.bpo.1-686-pae #1 SMP Sat Feb 11 14:57:20 UTC 2012 i686 GNU/Linux

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded

grep -i iptables /boot/config-`uname -r`
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
# iptables trigger is under Netfilter config (LED target)

Sniff, sniff

On 02/03/2012 17:03, David Touzeau wrote:
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
Re: [squid-users] Implement Tproxy on Debian squeeze
OK thanks Amos

I will try it and send to the list my results...

On 02/03/2012 16:55, Amos Jeffries wrote:
> On 3/03/2012 4:37 a.m., David Touzeau wrote:
>> Thanks Amos
>>
>> So to be clear for me
>>
>> I need to enable backports in my sources.list and upgrade the kernel version to 2.6.37 or above in order to make TPROXY already compiled in the kernel ?
>
> Probably. I don't know exactly what kernel is in backports. All I know is that three of the five testers reporting issues in Ubuntu LTS migrated to Debian and reported back immediately saying it was working fine. I assumed that meant they were running default Squeeze, but since you got the TPROXY disabled message I'm not sure about anything anymore.
>
> Amos
>
>> On 02/03/2012 16:01, Amos Jeffries wrote:
>>> On 2/03/2012 11:03 p.m., David Touzeau wrote:
>>>> Thanks Amos
>>>>
>>>> This is my debian kernel version
>>>> Linux squid32.localhost.localdomain 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux
>>>>
>>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
>>>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
>>>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
>>>> Perhaps iptables or your kernel needs to be upgraded.
>>>>
>>>> TProxy feature is not compiled..
>>>
>>> Darn. I thought they were at .37. It looks like there may be a backport. Otherwise it would be Wheezy that you need then I'm afraid. 2.6.32 is not really even worth re-building, what you get is a slightly buggy TPROXY.
>>>
>>> On the good side Wheezy works very well. I've been running with those repositories on production servers quite happily.
>>>
>>> Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
On 3/03/2012 4:37 a.m., David Touzeau wrote:
> Thanks Amos
>
> So to be clear for me
>
> I need to enable backports in my sources.list and upgrade the kernel version to 2.6.37 or above in order to make TPROXY already compiled in the kernel ?

Probably. I don't know exactly what kernel is in backports. All I know is that three of the five testers reporting issues in Ubuntu LTS migrated to Debian and reported back immediately saying it was working fine. I assumed that meant they were running default Squeeze, but since you got the TPROXY disabled message I'm not sure about anything anymore.

Amos

> On 02/03/2012 16:01, Amos Jeffries wrote:
>> On 2/03/2012 11:03 p.m., David Touzeau wrote:
>>> Thanks Amos
>>>
>>> This is my debian kernel version
>>> Linux squid32.localhost.localdomain 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux
>>>
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
>>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
>>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
>>> Perhaps iptables or your kernel needs to be upgraded.
>>>
>>> TProxy feature is not compiled..
>>
>> Darn. I thought they were at .37. It looks like there may be a backport. Otherwise it would be Wheezy that you need then I'm afraid. 2.6.32 is not really even worth re-building, what you get is a slightly buggy TPROXY.
>>
>> On the good side Wheezy works very well. I've been running with those repositories on production servers quite happily.
>>
>> Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
Thanks Amos

So to be clear for me

I need to enable backports in my sources.list and upgrade the kernel version to 2.6.37 or above in order to make TPROXY already compiled in the kernel ?

On 02/03/2012 16:01, Amos Jeffries wrote:
> On 2/03/2012 11:03 p.m., David Touzeau wrote:
>> Thanks Amos
>>
>> This is my debian kernel version
>> Linux squid32.localhost.localdomain 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux
>>
>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
>> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
>> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded.
>>
>> TProxy feature is not compiled..
>
> Darn. I thought they were at .37. It looks like there may be a backport. Otherwise it would be Wheezy that you need then I'm afraid. 2.6.32 is not really even worth re-building, what you get is a slightly buggy TPROXY.
>
> On the good side Wheezy works very well. I've been running with those repositories on production servers quite happily.
>
> Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
On 2/03/2012 11:03 p.m., David Touzeau wrote:
> Thanks Amos
>
> This is my debian kernel version
> Linux squid32.localhost.localdomain 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux
>
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
> WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
> iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> TProxy feature is not compiled..

Darn. I thought they were at .37. It looks like there may be a backport. Otherwise it would be Wheezy that you need then I'm afraid. 2.6.32 is not really even worth re-building, what you get is a slightly buggy TPROXY.

On the good side Wheezy works very well. I've been running with those repositories on production servers quite happily.

Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
Thanks Amos

This is my debian kernel version
Linux squid32.localhost.localdomain 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
WARNING: All config files need .conf: /etc/modprobe.d/fuse, it will be ignored in a future release.
iptables v1.4.8: can't initialize iptables table `tproxy': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

TProxy feature is not compiled..

On 02/03/2012 02:58, Amos Jeffries wrote:
> On 2/03/2012 2:46 p.m., David Touzeau wrote:
>> Dear,
>>
>> I would like to implement TProxy with Debian squeeze for Squid 3.2x
>> Is there a fresh howto somewhere that explains how to correctly build the debian kernel in order to enable Tproxy ?
>>
>> Best regards
>
> The Squeeze kernel should work out of the box IIRC.
>
> Amos
Re: [squid-users] Implement Tproxy on Debian squeeze
On 2/03/2012 2:46 p.m., David Touzeau wrote:
> Dear,
>
> I would like to implement TProxy with Debian squeeze for Squid 3.2x
> Is there a fresh howto somewhere that explains how to correctly build the debian kernel in order to enable Tproxy ?
>
> Best regards

The Squeeze kernel should work out of the box IIRC.

Amos
[squid-users] Implement Tproxy on Debian squeeze
Dear,

I would like to implement TProxy with Debian squeeze for Squid 3.2x
Is there a fresh howto somewhere that explains how to correctly build the debian kernel in order to enable Tproxy ?

Best regards