Re: [squid-users] Squid -2.6 with Tproxy
> Is it possible to write in detail as to how I can compile the tproxy > as a module, and what all patches have to be used. # make menuconfig Networking ---> [*] Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> ... Transparent proxying tproxy match support TPROXY target Support ... Compile your new kernel: # make clean && make && make modules && make modules_install Load modules(after reboot with new kernel): # modprobe ipt_tproxy && modprobe ipt_TPROXY && modprobe iptable_tproxy > In the previous version of tproxy only 4 patches were available, but > in the new one you specified, there are 13 patches. It's quite simple, apply all ;D (you must take care with the order) > Which is the kernel that should be used; can anything from 2.6.16 to > 2.6.16.27 be used? I'm used 2.6.16, maybe 2.6.16.27 will works fine(or maybe not) I hope it will be useful Sunil ;) Cheers, Angel M. -- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
> have you try my last hints ? > I'm using fc4 , then upgrade it to kernel 2.6.15.7 ( did you use fc5 ? then > I could be some problem to downgrade from original 2.6.16 to 2.6.15 ?) & > patch cttproxy-2.6.15-2.0.4.tar.gz I try to pacth iptables-1.3.0 with unsunccessfully results. THE SOLUTION: ;D Sunil I have been solved the problems of tproxy(If i have been able to implement it you will be must able ;) First of all, I have Gentoo GNU/Linux :) The steps to implement tproxy are the followings: - Downolad kernel-2.6.16 from kernel.org and patch it with: http://people.balabit.hu/hidden/tproxy2-2.6.16_20060727.tar.bz2 (this is not-officially released but works fine), compile it as a module. - Download iptables-1.3.5.tar.gz from netfilter.org. to install it: make KERNEL_DIR= make install - Copy your /usr/local/lib/iptables to /lib/iptables - Download squid2.6STABLE2 and: ./configure --enable-linux-tproxy --enable-linux-netfilter && make all && make install - Check squid.conf: http_port 3128 tproxy transparent - Add a rule for iptables: iptables -t tproxy -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 - to check it: Try to use squid in daemonize mode. Debug mode looks like spoofing fail. Use a sniffer like ethereal or others. Regards, Angel Mieres. -- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
have you try my last hints ? I'm using fc4 , then upgrade it to kernel 2.6.15.7 ( did you use fc5 ? then I could be some problem to downgrade from original 2.6.16 to 2.6.15 ?) & patch cttproxy-2.6.15-2.0.4.tar.gz iptables-1.3.0.tar.bz2 from netfilter.org (first i was using 1.3.4 & 5 which not working) after patch with balabit iptables, ./configure & make make sure libipt_tproxy.so exist in /lib/iptables. If it is not there, than you have to 'gcc' manually from iptables source you extracted, check inside folder at /extentions/ regards, Tino - Original Message - From: "Angel Mieres" <[EMAIL PROTECTED]> To: "Sunil K.P." <[EMAIL PROTECTED]> Cc: Sent: Friday, August 18, 2006 7:08 PM Subject: Re: [squid-users] Squid -2.6 with Tproxy Sorry Sunil for my late reply (i have problems with my internet provider) Of course i haven't been able to implement Tproxy, im using since start only sources and all looks like compile ok. This is my procedure: - I patch kernel 2.6.15.2 vanilla with balabit patch from cttproxy-2.6.15-2.0.4.tar.gz - modify my kernel adding TPROXY support. - compiled & etc etc etc - patch iptables sources 1.3.4 , make KERNEL_DIR=... && make install KERNEL_DIR=... - On squid-2.6STABLE2... "./configure --enable-linux-tproxy --enable-linux-netfilter && make all && make install" (if in this step you have problems copy /include/linux/netfilter_ipv4/ into your /usr/include/linux/netfilter_ipv4/ ) When i try to run squid in tproxy mode... Meeeak! Error port assign 0! I think im dreaming with this error all nights xD, the error looks like it's not able to spoofing clients. Can someone help us with this stuff? El mié, 16-08-2006 a las 21:32 +0100, Sunil K.P. escribió: Hi Angel, Have you been able to implement Tproxy successfully? Regards Sunil Angel Mieres wrote: > Sunil, im trying to do the same that you are trying, i patched iptables > 1.3.5 & 1.3.4 and the problem persist. > > Tino, have you work this succesfully? could you told me version have > you > used?(i refer iptables, patch aplied, kernel used, patch tproxy > used...) > > Im using kernel 2.6.15.2 with balabit tproxy patch iptables 1.3.5 and > squid 2.6 STABLE2 and always squid debug mode show me the same that > show > Sunil. > > I think that my problem is on iptables version and his patch. > > Regards, > Angel M. > > >> Your iptables patch not complete >> fc5 use iptables rpm source, you need iptables from tar.gz/bz source >> - uninstall the iptables rpm, >> - download tar.gz/bz source from netfilter.org >> - patch it with iptables-1.3-cttproxy.diff before ./configure >> >> >> rgds, >> Tino >> >> - Original Message - >> From: "Sunil K.P." <[EMAIL PROTECTED]> >> To: >> Sent: Friday, August 11, 2006 4:33 PM >> Subject: [squid-users] Squid -2.6 with Tproxy >> >> >> >>> Hi, >>> >>> I have squid 2.6 STABLE 2 running on FC 2.6.15.2. >>> It is working fine in transparent mode. >>> >>> But I am trying to use Tproxy so that all the requests will spoofed >>> to >>> show the clients IP address and not the cache server. >>> The patches have been applied to the kernel, compiled and applied as >>> per >>> procedure. >>> After restarting the system the modules ipt_tproxy and ipt_TPROXY are >>> loaded. >>> >>> The problem starts when I apply the following iptables rule >>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j >>> TPROXY --on-port 3128 >>> >>> The traffic stops going thru the cache server. If the rule is removed >>> the traffic goes smoothly. >>> Cache.log shows the following error >>> tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN >>> >>> There seems to be no proper documentation for implementation of >>> tproxy >>> with squid on the net. >>> Pls. advice. >>> >>> Regards >>> Sunil >>> -- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
Sorry Sunil for my late reply (i have problems with my internet provider) Of course i haven't been able to implement Tproxy, im using since start only sources and all looks like compile ok. This is my procedure: - I patch kernel 2.6.15.2 vanilla with balabit patch from cttproxy-2.6.15-2.0.4.tar.gz - modify my kernel adding TPROXY support. - compiled & etc etc etc - patch iptables sources 1.3.4 , make KERNEL_DIR=... && make install KERNEL_DIR=... - On squid-2.6STABLE2... "./configure --enable-linux-tproxy --enable-linux-netfilter && make all && make install" (if in this step you have problems copy /include/linux/netfilter_ipv4/ into your /usr/include/linux/netfilter_ipv4/ ) When i try to run squid in tproxy mode... Meeeak! Error port assign 0! I think im dreaming with this error all nights xD, the error looks like it's not able to spoofing clients. Can someone help us with this stuff? El mié, 16-08-2006 a las 21:32 +0100, Sunil K.P. escribió: > Hi Angel, > > Have you been able to implement Tproxy successfully? > > Regards > Sunil > > Angel Mieres wrote: > > Sunil, im trying to do the same that you are trying, i patched iptables > > 1.3.5 & 1.3.4 and the problem persist. > > > > Tino, have you work this succesfully? could you told me version have you > > used?(i refer iptables, patch aplied, kernel used, patch tproxy used...) > > > > Im using kernel 2.6.15.2 with balabit tproxy patch iptables 1.3.5 and > > squid 2.6 STABLE2 and always squid debug mode show me the same that show > > Sunil. > > > > I think that my problem is on iptables version and his patch. > > > > Regards, > > Angel M. > > > > > >> Your iptables patch not complete > >> fc5 use iptables rpm source, you need iptables from tar.gz/bz source > >> - uninstall the iptables rpm, > >> - download tar.gz/bz source from netfilter.org > >> - patch it with iptables-1.3-cttproxy.diff before ./configure > >> > >> > >> rgds, > >> Tino > >> > >> - Original Message - > >> From: "Sunil K.P." <[EMAIL PROTECTED]> > >> To: > >> Sent: Friday, August 11, 2006 4:33 PM > >> Subject: [squid-users] Squid -2.6 with Tproxy > >> > >> > >> > >>> Hi, > >>> > >>> I have squid 2.6 STABLE 2 running on FC 2.6.15.2. > >>> It is working fine in transparent mode. > >>> > >>> But I am trying to use Tproxy so that all the requests will spoofed to > >>> show the clients IP address and not the cache server. > >>> The patches have been applied to the kernel, compiled and applied as per > >>> procedure. > >>> After restarting the system the modules ipt_tproxy and ipt_TPROXY are > >>> loaded. > >>> > >>> The problem starts when I apply the following iptables rule > >>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j > >>> TPROXY --on-port 3128 > >>> > >>> The traffic stops going thru the cache server. If the rule is removed > >>> the traffic goes smoothly. > >>> Cache.log shows the following error > >>> tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN > >>> > >>> There seems to be no proper documentation for implementation of tproxy > >>> with squid on the net. > >>> Pls. advice. > >>> > >>> Regards > >>> Sunil > >>> > -- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
Hi Angel, Have you been able to implement Tproxy successfully? Regards Sunil Angel Mieres wrote: Sunil, im trying to do the same that you are trying, i patched iptables 1.3.5 & 1.3.4 and the problem persist. Tino, have you work this succesfully? could you told me version have you used?(i refer iptables, patch aplied, kernel used, patch tproxy used...) Im using kernel 2.6.15.2 with balabit tproxy patch iptables 1.3.5 and squid 2.6 STABLE2 and always squid debug mode show me the same that show Sunil. I think that my problem is on iptables version and his patch. Regards, Angel M. Your iptables patch not complete fc5 use iptables rpm source, you need iptables from tar.gz/bz source - uninstall the iptables rpm, - download tar.gz/bz source from netfilter.org - patch it with iptables-1.3-cttproxy.diff before ./configure rgds, Tino - Original Message - From: "Sunil K.P." <[EMAIL PROTECTED]> To: Sent: Friday, August 11, 2006 4:33 PM Subject: [squid-users] Squid -2.6 with Tproxy Hi, I have squid 2.6 STABLE 2 running on FC 2.6.15.2. It is working fine in transparent mode. But I am trying to use Tproxy so that all the requests will spoofed to show the clients IP address and not the cache server. The patches have been applied to the kernel, compiled and applied as per procedure. After restarting the system the modules ipt_tproxy and ipt_TPROXY are loaded. The problem starts when I apply the following iptables rule iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 The traffic stops going thru the cache server. If the rule is removed the traffic goes smoothly. Cache.log shows the following error tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN There seems to be no proper documentation for implementation of tproxy with squid on the net. Pls. advice. Regards Sunil
Re: [squid-users] Squid -2.6 with Tproxy
Angel, Have you been able to implement it successfully. Rgds Sunil Angel Mieres wrote: Sunil, im trying to do the same that you are trying, i patched iptables 1.3.5 & 1.3.4 and the problem persist. Tino, have you work this succesfully? could you told me version have you used?(i refer iptables, patch aplied, kernel used, patch tproxy used...) Im using kernel 2.6.15.2 with balabit tproxy patch iptables 1.3.5 and squid 2.6 STABLE2 and always squid debug mode show me the same that show Sunil. I think that my problem is on iptables version and his patch. Regards, Angel M. Your iptables patch not complete fc5 use iptables rpm source, you need iptables from tar.gz/bz source - uninstall the iptables rpm, - download tar.gz/bz source from netfilter.org - patch it with iptables-1.3-cttproxy.diff before ./configure rgds, Tino - Original Message - From: "Sunil K.P." <[EMAIL PROTECTED]> To: Sent: Friday, August 11, 2006 4:33 PM Subject: [squid-users] Squid -2.6 with Tproxy Hi, I have squid 2.6 STABLE 2 running on FC 2.6.15.2. It is working fine in transparent mode. But I am trying to use Tproxy so that all the requests will spoofed to show the clients IP address and not the cache server. The patches have been applied to the kernel, compiled and applied as per procedure. After restarting the system the modules ipt_tproxy and ipt_TPROXY are loaded. The problem starts when I apply the following iptables rule iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 The traffic stops going thru the cache server. If the rule is removed the traffic goes smoothly. Cache.log shows the following error tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN There seems to be no proper documentation for implementation of tproxy with squid on the net. Pls. advice. Regards Sunil
Re: [squid-users] Squid -2.6 with Tproxy
sön 2006-08-13 klockan 01:38 +0100 skrev Sunil K.P.: > Hi Tino, > > The IPtables have been implemented by default with FC and there is no > directory for the source of iptables. You have to install the iptables source RPM to get the iptables sources used by FC, just as you have to install the kernel source RPM to get the kernel sources they use.. > Can you give me the step by step procedure so that I can try? Find the corresponding source RPMs for the packages you need to modify (kernel and iptables). The source RPMs is found in the distribution directory SRPMS next to where the binary RPMs for your architecture is installed. rpm -i iptables-xxx.src.rpm cp patchfile /usr/src/redhat/SOURCES/ edit /usr/src/redhat/SPECS/iptables.spec to include the patch in both the SourceN: and %patchN. Also modify the release to add someting uniquely identifying your version. Maybe even the package name to avoid conflicts with system updates. same thing for the kernel. Probably should do the kernel part first btw.. Or go for the pristine sources distributed from kernel.org and netfilter.org and ignore the packaging. Probably easier if you haven't modified RPM packages before, but easier to run into conflicts with overlapping system upgrades later on.. Regards Henrik signature.asc Description: Detta är en digitalt signerad meddelandedel
Re: [squid-users] Squid -2.6 with Tproxy
Hi, sorry for late reply .. I'm using fc4 upgrade & it to kernel 2.6.15.7 iptables-1.3.0.tar.bz2 from netfilter.org after patch with balabit iptables, ./configure & make, make sure libipt_tproxy.so exist in /lib/iptables. If it is not there, than you have to 'gcc' manually from iptables source you extracted, check inside folder at /extentions/ - Original Message - From: "Angel Mieres" <[EMAIL PROTECTED]> To: "tino" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; Sent: Friday, August 11, 2006 6:46 PM Subject: Re: [squid-users] Squid -2.6 with Tproxy Sunil, im trying to do the same that you are trying, i patched iptables 1.3.5 & 1.3.4 and the problem persist. Tino, have you work this succesfully? could you told me version have you used?(i refer iptables, patch aplied, kernel used, patch tproxy used...) Im using kernel 2.6.15.2 with balabit tproxy patch iptables 1.3.5 and squid 2.6 STABLE2 and always squid debug mode show me the same that show Sunil. I think that my problem is on iptables version and his patch. Regards, Angel M. Your iptables patch not complete fc5 use iptables rpm source, you need iptables from tar.gz/bz source - uninstall the iptables rpm, - download tar.gz/bz source from netfilter.org - patch it with iptables-1.3-cttproxy.diff before ./configure rgds, Tino - Original Message - From: "Sunil K.P." <[EMAIL PROTECTED]> To: Sent: Friday, August 11, 2006 4:33 PM Subject: [squid-users] Squid -2.6 with Tproxy > Hi, > > I have squid 2.6 STABLE 2 running on FC 2.6.15.2. > It is working fine in transparent mode. > > But I am trying to use Tproxy so that all the requests will spoofed to > show the clients IP address and not the cache server. > The patches have been applied to the kernel, compiled and applied as > per > procedure. > After restarting the system the modules ipt_tproxy and ipt_TPROXY are > loaded. > > The problem starts when I apply the following iptables rule > iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j > TPROXY --on-port 3128 > > The traffic stops going thru the cache server. If the rule is removed > the traffic goes smoothly. > Cache.log shows the following error > tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN > > There seems to be no proper documentation for implementation of tproxy > with squid on the net. > Pls. advice. > > Regards > Sunil -- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
Hi Tino, The IPtables have been implemented by default with FC and there is no directory for the source of iptables. Can you give me the step by step procedure so that I can try? Have tried a lot of suggestions and am still not going ahead. Regards Sunil tino wrote: Your iptables patch not complete fc5 use iptables rpm source, you need iptables from tar.gz/bz source - uninstall the iptables rpm, - download tar.gz/bz source from netfilter.org - patch it with iptables-1.3-cttproxy.diff before ./configure rgds, Tino - Original Message - From: "Sunil K.P." <[EMAIL PROTECTED]> To: Sent: Friday, August 11, 2006 4:33 PM Subject: [squid-users] Squid -2.6 with Tproxy Hi, I have squid 2.6 STABLE 2 running on FC 2.6.15.2. It is working fine in transparent mode. But I am trying to use Tproxy so that all the requests will spoofed to show the clients IP address and not the cache server. The patches have been applied to the kernel, compiled and applied as per procedure. After restarting the system the modules ipt_tproxy and ipt_TPROXY are loaded. The problem starts when I apply the following iptables rule iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 The traffic stops going thru the cache server. If the rule is removed the traffic goes smoothly. Cache.log shows the following error tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN There seems to be no proper documentation for implementation of tproxy with squid on the net. Pls. advice. Regards Sunil
Re: [squid-users] Squid -2.6 with Tproxy
fre 2006-08-11 klockan 10:33 +0100 skrev Sunil K.P.: > Hi, > > I have squid 2.6 STABLE 2 running on FC 2.6.15.2. Have you tried disabling SELINUX? Regards Henrik signature.asc Description: Detta är en digitalt signerad meddelandedel
Re: [squid-users] Squid -2.6 with Tproxy
Sunil, im trying to do the same that you are trying, i patched iptables 1.3.5 & 1.3.4 and the problem persist. Tino, have you work this succesfully? could you told me version have you used?(i refer iptables, patch aplied, kernel used, patch tproxy used...) Im using kernel 2.6.15.2 with balabit tproxy patch iptables 1.3.5 and squid 2.6 STABLE2 and always squid debug mode show me the same that show Sunil. I think that my problem is on iptables version and his patch. Regards, Angel M. > Your iptables patch not complete > fc5 use iptables rpm source, you need iptables from tar.gz/bz source > - uninstall the iptables rpm, > - download tar.gz/bz source from netfilter.org > - patch it with iptables-1.3-cttproxy.diff before ./configure > > > rgds, > Tino > > - Original Message - > From: "Sunil K.P." <[EMAIL PROTECTED]> > To: > Sent: Friday, August 11, 2006 4:33 PM > Subject: [squid-users] Squid -2.6 with Tproxy > > > > Hi, > > > > I have squid 2.6 STABLE 2 running on FC 2.6.15.2. > > It is working fine in transparent mode. > > > > But I am trying to use Tproxy so that all the requests will spoofed to > > show the clients IP address and not the cache server. > > The patches have been applied to the kernel, compiled and applied as per > > procedure. > > After restarting the system the modules ipt_tproxy and ipt_TPROXY are > > loaded. > > > > The problem starts when I apply the following iptables rule > > iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j > > TPROXY --on-port 3128 > > > > The traffic stops going thru the cache server. If the rule is removed > > the traffic goes smoothly. > > Cache.log shows the following error > > tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN > > > > There seems to be no proper documentation for implementation of tproxy > > with squid on the net. > > Pls. advice. > > > > Regards > > Sunil > -- Angel Mieres - [EMAIL PROTECTED] / Gentoo has you...
Re: [squid-users] Squid -2.6 with Tproxy
Your iptables patch not complete fc5 use iptables rpm source, you need iptables from tar.gz/bz source - uninstall the iptables rpm, - download tar.gz/bz source from netfilter.org - patch it with iptables-1.3-cttproxy.diff before ./configure rgds, Tino - Original Message - From: "Sunil K.P." <[EMAIL PROTECTED]> To: Sent: Friday, August 11, 2006 4:33 PM Subject: [squid-users] Squid -2.6 with Tproxy Hi, I have squid 2.6 STABLE 2 running on FC 2.6.15.2. It is working fine in transparent mode. But I am trying to use Tproxy so that all the requests will spoofed to show the clients IP address and not the cache server. The patches have been applied to the kernel, compiled and applied as per procedure. After restarting the system the modules ipt_tproxy and ipt_TPROXY are loaded. The problem starts when I apply the following iptables rule iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 The traffic stops going thru the cache server. If the rule is removed the traffic goes smoothly. Cache.log shows the following error tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN There seems to be no proper documentation for implementation of tproxy with squid on the net. Pls. advice. Regards Sunil
