Hey Walter,

From what I understood the only reason to use tproxy on CentOS 6 is that below 
kernel 3.18 and a specific version of iptables there is no NAT table for IPv6.
Therefore you cannot use REDIRECT for IPv6 on these machines.
But in your case you don't need a full tproxy but something like NAT REDIRECT.
If you can manage to test a newer kernel with newer iptables it would be pretty 
simple to "resolve" the issue avoiding tproxy usage.
But if you cannot use another kernel and iptables, what you would need is a 
partial tproxy setup.
I.e.: tproxy on the incoming port only, but not using transparent on the outgoing 
traffic.

This is where Amos's and Alex's experience and knowledge should come in handy and 
can help you to set up your system the right way.

Other than the above (since tproxy works on both CentOS 6 and 7, but differently) 
you will need your system to be set up correctly.
If you want me to test I have no issue to do so but it will take time.

I recommend you to first start with an ACCEPT for all traffic on the machine 
and test.
Also make sure to use "netstat -ntlp" or "ss -ntlp" to see on what ip+port 
squid is listening (make sure it's really listening on an IPv6 address).
The squid.conf line
http_port 13129 tproxy

should result in an IPv6 listening port (::) and if not then it's probably due 
to something at the kernel level and you will need to define a specific IPv6 
address with the port.

Since you have full control on the environment and Windows clients please try 
the next software:
http://moodle.ngtech.co.il/software/2017/03/05/switch-ie-proxy/

to set the proxy for the machine.
It's one of the MS recommended ones and I use it on all my Windows machines without 
any need for interception in any of the systems (Win XP till 10).

I have tested it with CentOS 7 and in the past with CentOS 6 but it's like 
there are missing pieces in the whole setup.
When you set the system iptables to only contain the very basics, which are 
ACCEPT all traffic (INPUT/OUTPUT/FORWARD), you will be able to move forward 
in the stack into squid.

If all the above just doesn't work, let me know and I will try to test it with 
a new CentOS 6 to make sure it works as expected.

All the best,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
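
The IPv6 TPROXY plumbing the thread is asking about, as an added example that is not part of the thread or of Squid's own documentation: a listener check of the kind Eliezer suggests, run over constructed `ss -ntlp` output, plus the policy-routing and ip6tables rule set as a dry-run script. It assumes the LAN interface is br0, the Squid tproxy port is 3129, and packet mark 1 and routing table 100 are unused.

```shell
# Added example, not from the thread or Squid: check that Squid really listens on
# IPv6, then emit the IPv6 TPROXY rule set (policy routing + mangle TPROXY, the
# approach on the Squid wiki). Assumes LAN interface br0, Squid tproxy port 3129
# and unused mark 1 / routing table 100. Rules are printed unless DRY_RUN=0.

# Constructed "ss -ntlp" output: wildcard IPv6 on 13129, IPv4-only on 3129,
# a specific IPv6 address on 3128.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    [::]:13129           [::]:*     users:(("squid",pid=1234,fd=11))
LISTEN 0      128    192.168.1.1:3129     0.0.0.0:*  users:(("squid",pid=1234,fd=12))
LISTEN 0      128    [2001:db8::1]:3128   [::]:*     users:(("squid",pid=1234,fd=13))'

# ipv6_listener <port> (ss output on stdin): prints "wildcard" or "specific <addr>"
# and exits 0; exits 1 when only IPv4 (or nothing) listens on <port>.
ipv6_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ ("^\\[.*\\]:" port "$") {
            addr = $4; sub(/^\[/, "", addr); sub(/\]:.*$/, "", addr)
            if (addr == "::") print "wildcard"; else print "specific " addr
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# tproxy6_rules <iface> <squid_port>: table 100 delivers marked packets locally,
# PREROUTING marks/diverts new port-80 flows and packets for existing Squid
# sockets (-m socket), and filter INPUT must ACCEPT them (Amos's point).
tproxy6_rules() {
    cat <<EOF
ip -6 rule add fwmark 1 lookup 100
ip -6 route add local ::/0 dev lo table 100
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -i $1 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $2
ip6tables -t filter -A INPUT -i $1 -p tcp --dport 80 -j ACCEPT
EOF
}

# apply_tproxy6 <iface> <port>: print the rules, or run them (as root) if DRY_RUN=0.
apply_tproxy6() {
    if [ "${DRY_RUN:-1}" = "0" ]; then tproxy6_rules "$1" "$2" | sh -e
    else tproxy6_rules "$1" "$2"; fi
}

printf '%s\n' "$SAMPLE_SS" | ipv6_listener 13129
printf '%s\n' "$SAMPLE_SS" | ipv6_listener 3129 || echo "3129: no IPv6 listener"
apply_tproxy6 br0 3129
```

Replace SAMPLE_SS with real `ss -ntlp` output to check a live box; the IPv4-only case for 3129 is the "tproxy port did not give you an IPv6 socket" situation described above.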



-----Original Message-----
From: Walter H. [mailto:walte...@mathemainzel.info] 
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru <elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 
-j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 
-j REJECT

any Windows host inside this ipv6prefix has a proxy configured, but for 
some reason e.g. there is HTTP traffic of CRLs or OCSP
that doesn't go through the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:
> Hey,
>
> Is there a specific reason for the usage of CentOS 6?
> Also, do you need full tproxy features or just to intercept the traffic?
>
> And Amos:
> Let's say I want to intercept using tproxy but not use tproxy for outgoing 
> connections, would it be possible?
> Would the usage of:
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
>
> override the tproxy function?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:walte...@mathemainzel.info]
> Sent: Saturday, August 12, 2017 22:03
> To: Eliezer Croitoru<elie...@ngtech.co.il>
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer,
>
> not really,
> as I don't understand, which IP squid needs to listen to
>
> in my squid.conf I have this:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port [::1]:3128
> http_port 192.168.1.1:3128
> http_port [ipv6prefix::1]:3128
> # Transparent Squid listens to port 3129 (IPv4 only)
> http_port 192.168.1.1:3129 transparent
> http_port [ipv6prefix::1]:3129 tproxy   <-- does it need this?
> http_port [::1]:3129 tproxy             <-- or this?
>
> the transparent proxy with ipv4 works ...
>
> just had to add the following
>
> e.g.
> iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80
> -j DNAT --to-destination 192.168.1.1:3129
>
> with IPv6 it is more complicated ...
>
> especially, which IP6TABLES rule is meant by Amos's question?
>
> "I don't see anywhere in that INPUT list where the TPROXY'd traffic is
> permitted to reach Squid. "
>
> does this mean:
>
> e.g.  when I want to use TPROXY to  IPv6 2a02:1788:2fd::b2ff:5302, I
> need to add
>
> ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j ACCEPT
> ?
>
> does this really need these two
> ip -6 ...
> commands, as I don't know what to add in a file in
> /etc/sysconfig/network-scripts ...
>
> Thanks,
> Walter
>
> On 12.08.2017 20:23, Eliezer Croitoru wrote:
>



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users