IPv6 and TPROXY

IPv6 and TPROXY

Walter H.
Hello,

I set up ip6tables like this:
https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129

in squid.conf I added

http_port  ipv6lan:3129 tproxy

I also added this rule to ip6tables:

iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129 -m state --state NEW -j ACCEPT

When I run tcpdump, I get this:

16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945 ecr 0,nop,wscale 5], length 0
16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable, unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88

when doing:

wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy http://crl.usertrust.com/AddTrustExternalCARoot.crl

(crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)

What am I missing?

Thanks
Walter

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: IPv6 and TPROXY

Eliezer Croitoru
Can you attach or paste\gist the output of:
iptables-save
ip6tables-save
ip rule
??
It will also help to see the tables which you use in conjunction with the "ip rule" based on the mark.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


Re: IPv6 and TPROXY

Walter H.
Hello Eliezer

ip -6 rule is this

0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

The two commands were:

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this
<BEGIN>

# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*mangle
:PREROUTING ACCEPT [43:6775]
:INPUT ACCEPT [104:10608]
:FORWARD ACCEPT [12:2567]
:OUTPUT ACCEPT [182:28756]
:POSTROUTING ACCEPT [194:31323]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017

<END>

Thanks,
Walter

Re: IPv6 and TPROXY

Eliezer Croitoru
I will try to reproduce and then I will respond.
I don't know what you are trying to do exactly, but if you are receiving an ICMP reject it's probably for a good reason.
Have you seen something in squid access.logs?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: IPv6 and TPROXY

Eliezer Croitoru
In reply to this post by Walter H.
Hey Walter,

I have run basic tests, which do not include direct internet access, and it seems like squid is intercepting traffic fine on CentOS 7.
Try to use:
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev lo table 100

ip6tables -t mangle -F
ip6tables -t mangle -F DIVERT
ip6tables -t mangle -X DIVERT
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
ip6tables -t mangle -A DIVERT -j ACCEPT

ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

check the output of:
sysctl -a |grep forward|grep v6

Since some of the setup you describe is "unusual", like "br0", I cannot promise you how things will work or whether they should work.
On a regular linux machine with regular interfaces it works fine.
I do get the basic "access denied" page from squid.
If this doesn't show up then I believe it's a routing level issue, and maybe sysctl will help to reveal a couple of things about the subject.

All the best,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: IPv6 and TPROXY

Walter H.
Hello Eliezer,

It is a CentOS 6 box.

br0 is a bridge device, connecting eth0 and wlan0 to one IP subnet/IPv6 prefix.

Might this be a problem?

The results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

Re: IPv6 and TPROXY

Eliezer Croitoru
Try to change the ip rule instead of br0 to lo and see if it changes anything.
Also remove any iptables rules and try to access a public ipv6 only address.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: IPv6 and TPROXY

Amos Jeffries
Administrator
In reply to this post by Walter H.
On 10/08/17 15:48, Walter H. wrote:

> Hello Eliezer
>
> ip -6 rule is this
>
> 0:      from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
>
> the two commands where
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev br0 table 100
>
> ip6tables-save is this
> <BEGIN>
>
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm
> --to 84 -m tcp --dport 80 -j DROP
> -A INPUT -m rt --rt-type 0 -j DROP
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -s fe80::/10 -j ACCEPT
> -A INPUT -d ff00::/8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128
> -m state --state NEW -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129
> -m state --state NEW -j ACCEPT

I don't see anywhere in that INPUT list where the TPROXY'd traffic is
permitted to reach Squid.

Note that with TPROXY the packets are *not* labeled as going to port
3129 like NAT does. The exact same dst-IP:port details used by the
client are seen at this layer of iptables. It is just that they are seen
on the INPUT rather than FORWARD tables.

I would add a LOG line at the end of the rules to check whether the
above is the problem, then adjust your INPUT restrictions appropriately
to what the log line implies.


Amos

Re: IPv6 and TPROXY

Eliezer Croitoru
In reply to this post by Walter H.
Any progress with this issue?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: Walter H. [mailto:[hidden email]]
Sent: Thursday, August 10, 2017 09:19
To: Eliezer Croitoru <[hidden email]>
Cc: [hidden email]
Subject: RE: [squid-users] IPv6 and TPROXY

Hello Eliezer,

it is a CentOS 6 box,

br0 is a bridge device, connecting eth0 and wlan0 to one ip subnet/ipv6
prefix

might this be a problem?

the results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:

> Hey Walter,
>
> I have run basic tests, which do not include direct internet access, and
> it seems like squid is intercepting traffic fine on CentOS 7.
> Try to use:
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev lo table 100
>
> ip6tables -t mangle -F
> ip6tables -t mangle -F DIVERT
> ip6tables -t mangle -X DIVERT
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> ip6tables -t mangle -A DIVERT -j ACCEPT
>
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
> TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
>
> check the output of:
> sysctl -a |grep forward|grep v6
>
> Since some of the setup you describe is "unusual", like "br0", I cannot
> promise you how things will work or if they should work.
> On a regular Linux machine with regular interfaces it works fine.
> I do get the basic "access denied" page from squid.
> If this doesn't show up then I believe it's a routing level issue and maybe
> sysctl will help to reveal a couple of things about the subject.
>
> All The Bests,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>

Re: IPv6 and TPROXY

Walter H.
Hello Eliezer,

not really,
as I don't understand which IP squid needs to listen on

in my squid.conf I have this:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port [ipv6prefix::1]:3128
# Transparent Squid listens to port 3129 (IPv4 only)
http_port 192.168.1.1:3129 transparent
http_port [ipv6prefix::1]:3129 tproxy <-- does it need this?
http_port [::1]:3129 tproxy <-- or this?

the transparent proxy with IPv4 works ...

I just had to add the following,

e.g.
iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80
-j DNAT --to-destination 192.168.1.1:3129

with IPv6 it is more complicated ...

especially, which ip6tables rule is meant by Amos's question?

"I don't see anywhere in that INPUT list where the TPROXY'd traffic is
permitted to reach Squid. "

does this mean:

e.g. when I want to use TPROXY for the IPv6 address 2a02:1788:2fd::b2ff:5302, I
need to add

ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
--dport 80 -j ACCEPT
?

does this really need these two
ip -6 ...
commands, as I don't know what to add in a file in
/etc/sysconfig/network-scripts ...

Thanks,
Walter
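
Amos's reply above says the INPUT chain sees the client's original destination, and Walter asks here whether that means an INPUT ACCEPT for 2a02:1788:2fd::b2ff:5302 port 80 is needed. The following is an added example, not code from the thread or from Squid: a small first-match simulator for the ip6tables filter/INPUT chain, fed with a trimmed copy of the INPUT rules posted earlier in the thread. The client address 2001:470:1f0b:9c8::10, the log prefix and the packet fields are constructed; the fwmark-based rule goes beyond what the thread shows and relies on the mark set by DIVERT / --tproxy-mark still being on the packet when it reaches INPUT.

```python
"""Added example (not from the thread or from Squid): first-match simulation
of the ip6tables filter/INPUT chain for the first SYN of a TPROXY'd flow.
TPROXY does not rewrite the packet, so INPUT sees the client's original
destination (2a02:1788:2fd::b2ff:5302 port 80), not --on-ip:--on-port."""
import ipaddress
import shlex

# Constructed sample: Walter's INPUT chain, trimmed to the rules a SYN arriving
# on br0 can reach (the sit1 rules never match on -i br0).
INPUT_CHAIN = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
COMMIT
"""
# Candidate additions: Walter's one-host rule, a rule keyed on the fwmark that
# DIVERT / --tproxy-mark set (covers every intercepted destination), a LOG line.
ACCEPT_ONE_HOST = "-A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j ACCEPT"
ACCEPT_BY_MARK = "-A INPUT -m mark --mark 0x1/0x1 -j ACCEPT"
LOG_REST = '-A INPUT -j LOG --log-prefix "IPv6[INPUT-DROP]:" --log-level 7'

# The SYN as INPUT sees it after the TPROXY target (client address constructed,
# mark 1 is the --tproxy-mark), and the same SYN after an IPv4-style DNAT.
TPROXY_SYN = dict(iif="br0", src="2001:470:1f0b:9c8::10", proto="tcp",
                  dst="2a02:1788:2fd::b2ff:5302", dport=80, state="NEW", mark=1)
NAT_STYLE_SYN = dict(TPROXY_SYN, dst="2001:470:1f0b:9c8::1", dport=3129, mark=0)

SIMPLE = {"-i": "iif", "-s": "src", "-d": "dst", "-p": "proto",
          "--dport": "dport", "--state": "state", "--mark": "mark"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """'-A CHAIN <matches> -j TARGET <target options>' -> dict."""
    toks = shlex.split(line)
    rule = {"matches": {}, "target": None, "target_opts": [], "unmodelled": False}
    i = 2                                   # skip "-A CHAIN"
    while i < len(toks):
        if toks[i] == "-j":                 # target options end the rule
            rule["target"], rule["target_opts"] = toks[i + 1], toks[i + 2:]
            break
        if toks[i] in SIMPLE:
            rule["matches"][SIMPLE[toks[i]]] = toks[i + 1]
        elif toks[i] != "-m":               # --rt-type, --string, ...: not modelled
            rule["unmodelled"] = True
        i += 2                              # every option seen here takes one value
    return rule


def parse_chain(save_text, chain="INPUT"):
    """(policy, [rules]) for one chain of an ip6tables-save dump."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(parse_rule(line))
    return policy, rules


def rule_matches(rule, pkt):
    """Unmodelled matches count as non-matching: right for a bare SYN (no
    routing header for -m rt, no payload for -m string)."""
    if rule["unmodelled"]:
        return False
    m = rule["matches"]
    if m.get("iif", pkt["iif"]) != pkt["iif"] or m.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if "dport" in m and int(m["dport"]) != pkt["dport"]:
        return False
    if "state" in m and pkt["state"] not in m["state"].split(","):
        return False
    if "mark" in m:                         # value[/mask], compared as xt_mark does
        value, _, mask = m["mark"].partition("/")
        mask = int(mask or "0xffffffff", 0)
        if pkt["mark"] & mask != int(value, 0) & mask:
            return False
    for key in ("src", "dst"):
        if key in m and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(m[key], strict=False):
            return False
    return True


def verdict(save_text, pkt, extra_rules=()):
    """(final verdict, [LOG prefixes hit]) for pkt, with extra_rules appended
    the way 'ip6tables -A INPUT ...' would; LOG does not terminate, as in the kernel."""
    policy, rules = parse_chain(save_text)
    rules += [parse_rule(r) for r in extra_rules]
    logged = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in TERMINATING:
            return rule["target"], logged
        if rule["target"] == "LOG":
            opts = rule["target_opts"]
            logged.append(opts[opts.index("--log-prefix") + 1] if "--log-prefix" in opts else "")
    return policy, logged
```

The NAT-style packet is accepted by the existing port-3129 rule; the TPROXY'd SYN matches nothing and falls through to the DROP policy, and either candidate rule fixes that. Walter's one-host rule covers the CRL server alone, while matching the fwmark covers every intercepted destination. A LOG catch-all at the end of INPUT, as Amos suggests, tells the two failure modes apart: a logged line carrying the client's original destination means the packet reached INPUT and was dropped there; no line at all means it never left the forwarding path. Worth knowing in that second case: ip6tables REJECT answers with an ICMPv6 port-unreachable by default, which is the message the tcpdump in the first post shows, so a FORWARD rule that rejects port 80 deserves a LOG line of its own.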


Re: IPv6 and TPROXY

Eliezer Croitoru
Hey,

Is there a specific reason for the usage of CentOS 6?
Also, do you need full tproxy features or just to intercept the traffic?

And Amos:
Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
Would the usage of:
http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

override the tproxy function?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: IPv6 and TPROXY

Walter H.
Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80
-j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80
-j REJECT

every Windows host inside this ipv6prefix has a proxy configured, but for
some reason there is HTTP traffic, e.g. for CRLs or OCSP,
that doesn't go through the configured proxy and is blocked ...
for this I need TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter


Re: IPv6 and TPROXY

Eliezer Croitoru
Hey Walter,

From what I understood, the only reason to use tproxy on CentOS 6 is that below kernel 3.18 and a specific version of iptables there is no NAT table for IPv6.
Therefore you cannot use REDIRECT for IPv6 on these machines.
But in your case you don't need full tproxy, just something like NAT REDIRECT.
If you can manage to test a newer kernel with newer iptables it would be pretty simple to "resolve" the issue while avoiding tproxy.
But if you cannot use another kernel and iptables, what you would need is a partial tproxy setup,
i.e. tproxy on the incoming port only, but not transparent on the outgoing traffic.

This is where Amos's and Alex's experience and knowledge should come in handy; they can help you set up your system the right way.

Other than the above (tproxy works on both CentOS 6 and 7, but differently), you will need your system to be set up correctly.
If you want me to test I have no issue doing so, but it will take time.

I recommend you first start with an ACCEPT for all traffic on the machine and test.
Also make sure to use "netstat -ntlp" or "ss -ntlp" to see on which IP+port squid is listening (make sure it's really listening on an IPv6 address).
The squid.conf line
http_port 13129 tproxy

should result in an IPv6 listening port (::), and if not then it's probably due to something at the kernel level and you will need to define a specific IPv6 address with the port.

Since you have full control of the environment and the Windows clients, please try the following software:
http://moodle.ngtech.co.il/software/2017/03/05/switch-ie-proxy/

to set the proxy for the machine.
It's one of the MS-recommended ones and I use it on all my Windows machines without any need for interception in any of the systems (Win XP till 10).

I have tested it with CentOS 7 and in the past with CentOS 6, but it's like there are missing pieces in the whole setup.
When you set the system iptables to only contain the very basics, which is ACCEPT all traffic (INPUT\OUTPUT\FORWARD), you will be able to move forward in the stack into squid.

If all the above just doesn't work, let me know and I will try to test it with a new CentOS 6 to make sure it works as expected.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: Walter H. [mailto:[hidden email]]
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80
-j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80
-j REJECT

any Windows host inside this ipv6prefix has a proxy configured, but for
some reason e.g. there is HTTP traffic of CRLs or OCSP
that doesn't go through the configured proxy and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:

> Hey,
>
> Is there a specific reason for the usage of CentOS 6?
> Also, do you need full tproxy features or just to intercept the traffic?
>
> And Amos:
> Let's say I want to intercept using tproxy but not use tproxy for outgoing connections, would it be possible?
> Would the usage of:
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address/
>
> override the tproxy function?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:[hidden email]]
> Sent: Saturday, August 12, 2017 22:03
> To: Eliezer Croitoru<[hidden email]>
> Cc: [hidden email]
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer,
>
> not really,
> as I don't understand, which IP squid needs to listen to
>
> in my squid.conf I have this:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port [::1]:3128
> http_port 192.168.1.1:3128
> http_port [ipv6prefix::1]:3128
> # Transparent Squid listens to port 3129 (IPv4 only)
> http_port 192.168.1.1:3129 transparent
> http_port [ipv6prefix::1]:3129 tproxy<-- does it need this?
> http_port [::1]:3129 tproxy<-- or this?
>
> the transparent proxy with ipv4 works ...
>
> just had to add the following
>
> e.g.
> iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80
> -j DNAT --to-destination 192.168.1.1:3129
>
> with IPv6 it is more complicated ...
>
> especially which IP6TABLES rule is meant by Amos question?
>
> "I don't see anywhere in that INPUT list where the TPROXY'd traffic is
> permitted to reach Squid. "
>
> does this mean:
>
> e.g.  when I want to use TPROXY to  IPv6 2a02:1788:2fd::b2ff:5302, I
> need to add
>
> ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
> --dport 80 -j ACCEPT
> ?
>
> does this really need these two
> ip -6 ...
> commands, as I don't know what to add in a file in
> /etc/sysconfig/network-scripts ...
>
> Thanks,
> Walter
>
> On 12.08.2017 20:23, Eliezer Croitoru wrote:
>




Re: IPv6 and TPROXY

Eliezer Croitoru
In reply to this post by Walter H.
Any progress with the issue?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: IPv6 and TPROXY

Walter H.
Hello,

not really, I must live with the fact that I can't configure tproxy, as
I can't update any kernel ...

Walter


Re: IPv6 and TPROXY

Eliezer Croitoru
You can use tproxy but you will need to somehow make it so squid will do "NAT" instead of only tproxy, or to find out what is causing the issue to happen in the network layer of the connection.
It can be a simple iptables rule which blocks traffic or another issue like rp_filter.
If you are up to it I will be willing to try and set up a more advanced IPv6 setup that might help to inspect the issue.

In the meanwhile I am missing one piece which maybe Amos can help with:
Is it possible to use tproxy for interception but force a non-tproxy connection on the outgoing traffic?
I wrote such a proxy myself and I believe that there might be another solution if nothing else would be found.

The other idea would be:
Use haproxy in front of the squid proxy to intercept traffic at the TCP level and pass the request to squid somehow via a proxy-protocol-enabled port.
I have used it in the past and it should be fine for port 80, but for 443 it's a whole other thing.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: IPv6 and TPROXY

Amos Jeffries
Administrator
On 20/08/17 12:08, Eliezer Croitoru wrote:
> You can use tproxy but you will need to somehow make it so squid will do "NAT" instead of only tproxy, or to find out what is causing the issue to happen in the network layer of the connection.
> It can be a simple iptables rule which blocks traffic or another issue like rp_filter.
> If you are up to it I will be willing to try and set up a more advanced IPv6 setup that might help to inspect the issue.
>
> In the meanwhile I am missing one piece which maybe Amos can help with:
> Is it possible to use tproxy for interception but force a non-tproxy connection on the outgoing traffic?

I'm not sure what problem that would solve. If TPROXY is not working
fully it won't magically start half-working.

AFAICS, Walter's problem with TPROXY is that his firewall rules are set up
for accepting only traffic with 2001::/16 IP addresses. With TPROXY the
original 2a02::/16 IP remains present so the rules based on 2001::/16
won't let the traffic into the proxy.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
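Amos's point above, modelled as an added Python example written for this page (it is not Squid or netfilter code): a DNAT'd connection reaches filter INPUT with the proxy's own address as destination, while a TPROXY'd one still carries the origin server's address, so an INPUT list that accepts by destination prefix only ever admits the DNAT case. The 2a02:1788:2fd::b2ff:5302 address and the 2001::/16 range come from the thread; the proxy address 2001:db8::1, the client address and the port are constructed. The `tproxy_input_rule()` helper is a suggested rule, not one from the thread: it admits the TPROXY'd packets by matching the fwmark the mangle rule sets, instead of widening the destination filter.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread: the CRL server Walter tested against and the
# 2001::/16 range Amos says the firewall's INPUT rules accept. The proxy's own
# LAN address ("ipv6lan" in the thread) is a constructed documentation address.
ORIGIN_IP = "2a02:1788:2fd::b2ff:5302"
PROXY_IP = "2001:db8::1"
PROXY_PORT = 3129
TPROXY_MARK = 0x1          # --tproxy-mark 0x1/0x1 from the mangle rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0


def mangle_tproxy(pkt: Packet) -> Packet:
    """mangle PREROUTING -j TPROXY: sets the fwmark and steers the packet to
    the local listener, but leaves the destination address untouched."""
    return replace(pkt, mark=pkt.mark | TPROXY_MARK)


def nat_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING -j DNAT (the IPv4 method that works for Walter): the
    destination is rewritten to the proxy's own address before filter INPUT."""
    return replace(pkt, dst=PROXY_IP, dport=PROXY_PORT)


# ip6tables-style matches for the filter INPUT chain
def accept_dst(network: str):
    net = ipaddress.ip_network(network)
    return lambda pkt: ipaddress.ip_address(pkt.dst) in net


def accept_mark(value: int, mask: int):
    return lambda pkt: (pkt.mark & mask) == value


def input_accepts(pkt: Packet, rules) -> bool:
    """First matching ACCEPT wins; an unmatched packet hits the chain's
    REJECT, which on ip6tables answers with an ICMP6 port-unreachable like
    the one in the first tcpdump of the thread."""
    return any(rule(pkt) for rule in rules)


ADDRESS_ONLY_RULES = [accept_dst("2001::/16")]
RULES_WITH_MARK = ADDRESS_ONLY_RULES + [accept_mark(TPROXY_MARK, TPROXY_MARK)]


def reaches_squid(method: str, rules) -> bool:
    """Run one client SYN (constructed source address) through the chosen
    interception method and then through the filter INPUT rules."""
    syn = Packet(src="2001:db8::50", dst=ORIGIN_IP, dport=80)
    steered = mangle_tproxy(syn) if method == "tproxy" else nat_dnat(syn)
    return input_accepts(steered, rules)


def tproxy_input_rule(iface: str = "br0", mark: int = TPROXY_MARK) -> str:
    """Suggested INPUT rule: admit TPROXY'd packets by the fwmark set in
    mangle PREROUTING, without loosening the destination-address filter."""
    return (f"ip6tables -t filter -A INPUT -i {iface} -p tcp "
            f"-m mark --mark {mark:#x}/{mark:#x} -j ACCEPT")


if __name__ == "__main__":
    print("DNAT,   address-only rules:", reaches_squid("dnat", ADDRESS_ONLY_RULES))
    print("TPROXY, address-only rules:", reaches_squid("tproxy", ADDRESS_ONLY_RULES))
    print("TPROXY, with mark rule:    ", reaches_squid("tproxy", RULES_WITH_MARK))
    print(tproxy_input_rule())
```

Run as a script it prints the three verdicts and the suggested rule. The same mark also drives the policy routing the Tproxy4 wiki page linked at the top of the thread requires (`ip -6 rule add fwmark 1 lookup 100` and `ip -6 route add local ::/0 dev lo table 100`); without that local route the marked packets are forwarded instead of being delivered to the listener, so the INPUT rule and the route both have to be in place.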

Re: IPv6 and TPROXY

Eliezer Croitoru
I am still waiting for a couple of answers about the system and the setup.
Also, to resolve the issue it will be required to know if the issue is on the squid side or the kernel side (IPv6 related) or the iptables rules.
All of the above will allow us to help Walter make this system work.

And Amos, about the part of avoiding using tproxy for the outgoing traffic and only using it to intercept the connections:
For a CentOS 6 system it's the only option to run an INTERCEPT proxy which hides the client IPv6 address, so I think it's something that needs to be documented somewhere in the wiki.
I would be happy to write the article if I knew how to disable tproxy for the outgoing traffic.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: IPv6 and TPROXY

Amos Jeffries
Administrator
On 20/08/17 23:47, Eliezer Croitoru wrote:
> I am still waiting for couple answers about the system and the setup.
> Also to resolve the issue it will be required to know if the issue is on squid side or the kernel side(ipv6 related) or iptables rules.
> All of the above will allow us to help Walter make this system work.
>
> And Amos, about the part of avoiding using tproxy for the outgoing traffic and only use it to intercept the connections:
> For a CentOS 6 system it's the only option to run an INTERCEPT proxy which hides the client IPv6 address so I think it's something that need to be documented somewhere in the wiki.

CentOS 6 still supplies kernel 2.6.32 apparently. Issues with those
kernels are listed in the TPROXY wiki page:
"
TPROXYv4 support reached a usable form in 2.6.28. However several
Kernels have various known bugs:

  * 2.6.28 to 2.6.32 have different rp_filter configuration. The
rp_filter settings (0 or 1) for these kernels will silently block TPROXY
if used on newer kernels.
  * 2.6.28 to 2.6.36 are known to have ICMP and TIME_WAIT issues.
  * 2.6.32 to 2.6.34 have bridging issues on some systems.
"



> I would be happy to write the article if I would have known how to disable tproxy for the outgoing traffic.

There is nothing to document, it is not configurable.

When one is stuck with an ancient kernel the available modern features
are naturally rather limited.

Amos

Re: IPv6 and TPROXY

Eliezer Croitoru
Hey Amos,

Leaving aside very old kernels, I still don't know if this setup works at the routing level, not to speak of tproxy interception.

The known issues are not relevant for the case if I will be able to test it and make sure the issue doesn't apply to the latest CentOS 6 kernels.

Also, even if CentOS has an ancient kernel from the 2.X era, it doesn't mean that more advanced OS versions are not affected by the same or similar issues.
CentOS 7 now uses the 3.10 Linux kernel and it's not an ancient kernel, but also not the tip or mainline.

Also, from what I have seen in the CentOS 7 and RHEL 7 and Netfilter man pages and other documentation, it seems that a tproxy socket (IP_TRANSPARENT, i.e. 19) is required for both tproxy and REDIRECT ip6tables targets to work properly.

I have yet to test the REDIRECT with IPv6 on a CentOS 7 and I am not sure how it should\would work (even if it compiles..).
With IPv4 you would have used SO_ORIGINAL on the socket to know the original remote address, but with tproxy and IP_TRANSPARENT based sockets, from what I remember, you had to use another option to know the original destination address.
It should be something like "get local address" of the socket (for tproxy) being the equivalent of get_sock_opt(..SO_ORIGINAL..).

Until I try to test the IPv6 REDIRECT with squid intercept I will not know if it works the same as the IPv4 redirect and what the recommendation should be for general usage at the socket level and squid level.

And if there is no other option than using a transparent proxy socket for both tproxy and REDIRECT targets, then the outgoing IP address for traffic usage should be configurable using some fast ACLs (leaving aside this specific thread's use case).

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
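The socket-level detail Eliezer is reconstructing from memory in the message above, as an added Python example written for this page (it is not Squid's or Eliezer's code). For a TPROXY socket the original destination is simply the accepted socket's own local address, so `getsockname()` is the tproxy equivalent of the conntrack query; `SO_ORIGINAL_DST` (IPv4) and `IP6T_SO_ORIGINAL_DST` (IPv6, on kernels that have IPv6 NAT) are that query for the REDIRECT/DNAT case. The option numbers are the Linux header values; the function names and the loopback probe are mine, and the probe uses 127.0.0.1 because not every host has ::1 configured (the code itself handles both address families).

```python
import socket
import struct

# Linux socket-option numbers (from linux/in.h, linux/in6.h and the netfilter
# headers); Python's socket module does not export all of them.
IP_TRANSPARENT = 19          # SOL_IP:   the "19" Eliezer mentions
IPV6_TRANSPARENT = 75        # SOL_IPV6: the same option for an AF_INET6 socket
SO_ORIGINAL_DST = 80         # SOL_IP:   original dst after iptables REDIRECT/DNAT
IP6T_SO_ORIGINAL_DST = 80    # SOL_IPV6: same, needs a kernel with IPv6 NAT


def make_listener(host: str, port: int, transparent: bool = False) -> socket.socket:
    """Listening socket for an intercepting proxy. With transparent=True the
    socket gets IP(V6)_TRANSPARENT (needs CAP_NET_ADMIN) so it may accept
    TPROXY'd connections whose destination is not a local address."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        if family == socket.AF_INET6:
            s.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)
        else:
            s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((host, port))
    s.listen(8)
    return s


def original_destination(conn: socket.socket, method: str):
    """Recover where the client was really connecting to.

    tproxy:   the accepted socket's local address *is* the original
              destination, so getsockname() is all that is needed.
    redirect: NAT rewrote the destination; ask conntrack via SO_ORIGINAL_DST
              (IPv4) or IP6T_SO_ORIGINAL_DST (IPv6). Returns None when the
              kernel has no conntrack entry to answer from.
    """
    if method == "tproxy":
        host, port = conn.getsockname()[:2]
        return host, port
    if method != "redirect":
        raise ValueError("method must be 'tproxy' or 'redirect'")
    try:
        if conn.family == socket.AF_INET6:
            raw = conn.getsockopt(socket.IPPROTO_IPV6, IP6T_SO_ORIGINAL_DST, 28)
            # struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope(4)
            port = struct.unpack("!H", raw[2:4])[0]
            host = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        else:
            raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
            # struct sockaddr_in: family(2) port(2) addr(4) zero(8)
            port = struct.unpack("!H", raw[2:4])[0]
            host = socket.inet_ntop(socket.AF_INET, raw[4:8])
    except OSError:
        return None
    return host, port


def probe_loopback(method: str, host: str = "127.0.0.1"):
    """Self-contained, unprivileged check on a plain (not intercepted) loopback
    connection: returns (what original_destination() reports, listener address).
    On a non-NATed connection the redirect query either reports the real
    destination (conntrack tracking it) or fails and yields None."""
    listener = make_listener(host, 0, transparent=False)
    bound = listener.getsockname()[:2]
    client = socket.create_connection(bound)
    conn, _ = listener.accept()
    try:
        return original_destination(conn, method), bound
    finally:
        conn.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print("tproxy view:  ", probe_loopback("tproxy"))
    print("redirect view:", probe_loopback("redirect"))
```

`make_listener(host, port, transparent=True)` needs CAP_NET_ADMIN and, for TPROXY'd packets to actually arrive, the fwmark policy route from the wiki page linked at the top of the thread; the probe itself runs unprivileged. From the defender's side, note that a transparent listener accepts connections to whatever destination the kernel steers to it, which is why the INPUT rule that admits this traffic should match the tproxy fwmark rather than open the port to everything.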