I solved the problem. I have installed

aptitude install libcap2 libcap2-dev

and then recompiled squid, and the tproxy problem is solved.
Thank you Amos for http://wiki.squid-cache.org/Features/Tproxy4 . Please
also edit the troubleshooting section for Ubuntu 9.04 (Jaunty) users to install
libcap2 libcap2-dev before compiling squid.
AFAIK the simplest way to run TPROXY is in Ubuntu 9.04 (Jaunty).


Amos Jeffries-2 wrote:
> 
>>
>> Another thing maybe helpful
>> when i enable
>> http_port 3128 intercept
>> in squid.conf , following message appears in cache.log
>>
>> cache squid[14701]: IpIntercept.cc(132) NetfilterInterception:  NF getsockopt(SO_ORIGINAL_DST) failed on FD 24: (11) Resource temporarily unavailable
>>
> 
> I'm aware of that. 'intercept' is a NAT lookup and will throw up errors on
> any non-NAT input. 'tproxy' is a spoofed SOCKET lookup.
> 
> I don't think any of the basic Ubuntu kernels have the TPROXY options set
> yet. That would account for your custom ones working but the general
> kernels not.
> 
> Amos
> 
>>
>>
>> Omid Kosari wrote:
>>>
>>> I have Ubuntu 9.04 (Jaunty) but also squid->client spoofing does not
>>> work. It shows squid's ip in tproxy mode.
>>>
>>> dmesg shows
>>> [   21.186636] ip_tables: (C) 2000-2006 Netfilter Core Team
>>> [   21.319881] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
>>> [   21.319884] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>>>
>>> and squid.conf has
>>>
>>> http_port 3128
>>> http_port 3129 tproxy
>>>
>>> I have compiled squid with these settings:
>>> ./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
>>> --mandir=/usr/share/man --localstatedir=/var
>>> --with-logdir=/var/log/squid
>>> --prefix=/usr --enable-inline --enable-async-io=8
>>> --enable-storeio="ufs,aufs" --enable-removal-policies="lru,heap"
>>> --enable-delay-pools --enable-cache-digests --enable-underscores
>>> --enable-icap-client --enable-follow-x-forwarded-for
>>> --with-filedescriptors=65536 --with-default-user=proxy
>>> --enable-large-files --enable-linux-netfilter
>>> and squid is 3.1.0.7
>>>
>>> the debug_options ALL,1 89,6 output is the same as when we have no
>>> debug_options at all!!
>>>
>>> I had tproxy with my custom kernels but upgraded to Ubuntu 9.04 (Jaunty)
>>> to prevent custom compiling of kernel and iptables, but it does not work.
>>>
>>>
>>>
>>> Amos Jeffries-2 wrote:
>>>>
>>>> rihad wrote:
>>>>> Looks like I'm the only one trying to use TProxy? Somebody else,
>>>>> please?
>>>>> To summarize: Squid does NOT spoof client's IP address when initiating
>>>>> connections on its own. Just as if there weren't a thing named
>>>>> "TProxy".
>>>>
>>>> We have had a fair few trying it with complete success when it's the only
>>>> thing used. This kind of thing seems to crop up with WCCP, for you and
>>>> one other.
>>>>
>>>> I'm not sure yet what the problem seems to be. Can you check your
>>>> cache.log for messages about "Stopping full transparency", the rest of
>>>> the message says why. I've updated the wiki troubleshooting section to
>>>> list the messages that appear when tproxy is turned off automatically
>>>> and what needs to be done to fix it.
>>>>
>>>> If you can't see any of those please can you set:
>>>>    debug_options ALL,1 89,6
>>>>
>>>> to see what's going on?
>>>>
>>>> I know the squid->client link should be 100% spoofed.  I'm not fully
>>>> certain the squid->server link is actually spoofed in all cases. Though
>>>> one report indicates it may be, I have not been able to test it locally
>>>> yet.
>>>>
>>>>
>>>> Amos
>>>>
>>>>
>>>>>
>>>>> Original message follows (not to be confused with top-posting):
>>>>>
>>>>>> Hello, I'm trying to get TProxy 4.1 to work as outlined here:
>>>>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>>>> namely under Ubuntu 9.04 stable/testing mix with the following:
>>>>>> linux-image-2.6.28-11-server 2.6.28-11.42
>>>>>> iptables 1.4.3.2-2ubuntu1
>>>>>> squid-3.1.0.7.tar.bz2 from original sources
>>>>>>
>>>>>> Squid has been built this way:
>>>>>> $ /usr/local/squid/sbin/squid -v
>>>>>> Squid Cache: Version 3.1.0.7
>>>>>> configure options:  '--enable-linux-netfilter'
>>>>>> --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
>>>>>> (myself I only gave it --enable-linux-netfilter)
>>>>>>
>>>>>> squid.conf is pretty much whatever 'make install' created, with my
>>>>>> changes given at the end, after the blank line:
>>>>>>
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32
>>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>>>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>>> acl SSL_ports port 443
>>>>>> acl Safe_ports port 80          # http
>>>>>> acl Safe_ports port 21          # ftp
>>>>>> acl Safe_ports port 443         # https
>>>>>> acl Safe_ports port 70          # gopher
>>>>>> acl Safe_ports port 210         # wais
>>>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>>>> acl Safe_ports port 280         # http-mgmt
>>>>>> acl Safe_ports port 488         # gss-http
>>>>>> acl Safe_ports port 591         # filemaker
>>>>>> acl Safe_ports port 777         # multiling http
>>>>>> acl CONNECT method CONNECT
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access deny !Safe_ports
>>>>>> http_access deny CONNECT !SSL_ports
>>>>>> http_access allow localnet
>>>>>> http_access deny all
>>>>>> http_port 3128
>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>> refresh_pattern ^ftp:           1440    20%     10080
>>>>>> refresh_pattern ^gopher:        1440    0%      1440
>>>>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>>>>> refresh_pattern .               0       20%     4320
>>>>>> coredump_dir /usr/local/squid/var/cache
>>>>>>
>>>>>> cache_dir ufs /usr/local/squid/var/cache 100 16 256
>>>>>> cache_mem 16 MB
>>>>>> http_port 3129 tproxy
>>>>>> visible_hostname tproxy
>>>>>>
>>>>>> Then I did:
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>>
>>>>>> #Use DIVERT to prevent existing connections going through TPROXY twice:
>>>>>>
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>>
>>>>>> #Mark all other (new) packets and use TPROXY to pass into Squid:
>>>>>>
>>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>>
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>>
>>>>>> #On each boot startup set:
>>>>>>
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>> ran squid -z and launched squid.
>>>>>>
>>>>>> My topology:
>>>>>> desktop where I sit: one link has address 192.168.0.1/24, the other to
>>>>>> the Internet
>>>>>> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
>>>>>> same box as desktop), the other link is custom VMware interface
>>>>>> 192.168.1.1/24
>>>>>> The "client" box: single interface 192.168.1.2/24
>>>>>>
>>>>>> So, the squid box is directly connected to the outside on the one side,
>>>>>> and to the client on the other. My desktop's routing knows to reach the
>>>>>> client through the Squid box, and vice versa, so the port 80 traffic
>>>>>> under consideration flows through the Squid box in both ways.
>>>>>>
>>>>>> Now, after I do this on the "client":
>>>>>> $ telnet 192.168.0.1 80
>>>>>> GET / HTTP/1.0
>>>>>>
>>>>>> (correct webpage output)
>>>>>> Connection closed by foreign host.
>>>>>>
>>>>>> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
>>>>>> connecting, not the TProxied 192.168.1.2, as if working under the plain
>>>>>> ole interception proxying I've been trying to get rid of!
>>>>>>
>>>>>> Why?! Counters on the Squid box do get bumped:
>>>>>>
>>>>>> $ sudo iptables -t mangle -L -v -n
>>>>>> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>  2274  214K DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
>>>>>>    16   920 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> Chain DIVERT (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>  2274  214K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xffffffff
>>>>>>  2274  214K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>
>>>>>>
>>>>>> Thanks for any tips.
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Please be using
>>>>    Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>>>>    Current Beta Squid 3.1.0.7
>>>>
>>>>
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/TProxy-not-faking-source-address.-tp23544464p23586637.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
>>
>>

-- 
View this message in context: 
http://www.nabble.com/TProxy-not-faking-source-address.-tp23544464p23591654.html
Sent from the Squid - Users mailing list archive at Nabble.com.
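A troubleshooting script covering the checks this thread walks through (kernel TPROXY support, a Squid binary linked against libcap, the "Stopping full transparency" and SO_ORIGINAL_DST messages in cache.log, the DIVERT/TPROXY mangle rules, and the fwmark policy routing). It is an added example, not code from the thread, the Squid project or the wiki page; the squid and cache.log paths and the exact wording of the ip rule/ip route output it greps for are assumptions.

```shell
#!/bin/sh
# tproxy_check.sh: added example, not code from the thread or the Squid project.
# Each check reads one command's output on stdin (so it also works on saved
# output) and exits 0 when that part of the TPROXY setup looks right.

# 1. The kernel must register the TPROXY target and the socket match (stock
#    Ubuntu kernels of the time did not). Input:
#    cat /proc/net/ip_tables_targets /proc/net/ip_tables_matches
check_kernel_tproxy() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qx 'TPROXY' && printf '%s\n' "$out" | grep -qx 'socket'
}
# 2. Spoofing the client address needs CAP_NET_ADMIN, which Squid keeps via
#    libcap; a build without libcap2-dev loses it (the fix in this thread).
#    Input: ldd /path/to/squid
check_squid_libcap() { grep -q 'libcap\.so'; }

# 3. Squid logs why it dropped full transparency, and an 'intercept' port fed
#    non-NAT traffic logs SO_ORIGINAL_DST failures. Input: cache.log.
#    Prints the offending lines and fails if there are any.
check_cache_log() {
    ! grep -E 'Stopping full transparency|getsockopt\(SO_ORIGINAL_DST\) failed'
}
# 4. Socket match into DIVERT first, then TPROXY sending new port-80 flows to
#    the tproxy port with the mark set. Input: iptables -t mangle -S
check_mangle_rules() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q -- '-A PREROUTING -p tcp -m socket -j DIVERT' &&
    printf '%s\n' "$out" | grep -q -- '-A DIVERT -j MARK' &&
    printf '%s\n' "$out" | grep -Eq -- '-j TPROXY .*--on-port 3129' &&
    printf '%s\n' "$out" | grep -q -- '--tproxy-mark 0x1/0x1'
}

# 5. Marked packets must be routed via table 100, which delivers everything
#    locally. Input: ip rule show; ip route show table 100 (wording assumed).
check_policy_routing() {
    out=$(cat)
    printf '%s\n' "$out" | grep -Eq 'fwmark (0x1|1) lookup 100' &&
    printf '%s\n' "$out" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}
# Live run; the paths assume the /usr/local/squid prefix used in the thread.
if [ "${1:-}" = "--live" ]; then
    squid=${2:-/usr/local/squid/sbin/squid} log=${3:-/usr/local/squid/var/logs/cache.log}
    cat /proc/net/ip_tables_targets /proc/net/ip_tables_matches | check_kernel_tproxy || echo 'FAIL: kernel TPROXY/socket'
    ldd "$squid" | check_squid_libcap || echo 'FAIL: squid not linked with libcap'
    check_cache_log < "$log" || echo 'FAIL: cache.log (lines above)'
    iptables -t mangle -S | check_mangle_rules || echo 'FAIL: mangle rules'
    { ip rule show; ip route show table 100; } | check_policy_routing || echo 'FAIL: policy routing'
fi
```

Run it as root with `sh tproxy_check.sh --live [squid-binary] [cache.log]`; a silent run means every check passed.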