[Firehol-support] squid tproxy support

David Touzeau david at articatech.com
Sun Mar 29 14:59:59 CEST 2015


The proxy is installed on the box.

The rule

tproxy 80 port 3128 uid not "root squid"

produces the following error:

[140482.748558] x_tables: ip_tables: owner match: used from hooks PREROUTING, but only valid from OUTPUT/POSTROUTING


So I have defined IP addresses instead.
The TPROXY correctly hooks packets, but the proxy is not able to connect to the remote web server; I do not know why.

It answers:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: 
http://www.ibm.com/
Connection to 23.52.8.238 failed.
The system returned: (110) Connection timed out

In squid.conf:
http_port 0.0.0.0:3128 tproxy


Here is the configuration file.


version 5
#Trusted Networks
FIREHOL_AUTOSAVE="/home/artica/firewall/firehol-saved-ipv4.txt"
FIREHOL_LOG_PREFIX="FIREHOL:"
FIREHOL_TPROXY_MARK="0xffff"
FIREHOL_TPROXY_IP_ROUTE_TABLE="999"

# * * * * Transparent Proxy * * * *
# eth0 192.168.1.229, eth1 10.28.0.1
# Tproxy: 1
tproxy 80 port 3128 ip 127.0.0.1 src not "192.168.1.229 10.28.0.1"

interface4 lo NETlo
         client all accept
         policy accept


interface4 eth0 NETeth0
         client all accept
         policy accept


interface4 eth1 NETeth1
         client all accept
         policy accept


interface4 eth2 NETeth2
         client all accept
         policy accept


router4 eth12eth0 inface eth1 outface eth0
         masquerade
         server dhcp deny
         route all accept
         client all accept

router4 eth02eth1 inface eth0 outface eth1
         server dhcp deny
         route all accept
         client all accept

router4 lo2lo inface lo outface lo
         route all accept
         client all accept
         policy accept

router4 eth12eth1 inface eth1 outface eth1
         route all accept
         client all accept
         policy accept



On 29/03/2015 09:55, Phil Whineray wrote:
> Hi
>
> On Sun, Mar 29, 2015 at 01:32:05AM +0100, David Touzeau wrote:
>> tproxy 80 port 3128
> ...
>
>> How to set the rule in order to prevent catching proxy requests itself ?
> You have to identify the proxy traffic in some way and exclude it
> with optional rule parameters.
>
> Since your proxy is on the local host, then the most likely choice
> is to exclude either the source IP address or more likely still,
> specific users (only locally generated traffic can be matched by user).
>
> Something like this should work, assuming your proxy runs as user squid,
> and also allow root unproxied traffic:
>
>    tproxy 80 port 3128 uid not "root squid"
>
> Cheers
> Phil



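The kernel message quoted above ("owner match: used from hooks PREROUTING, but only valid from OUTPUT/POSTROUTING") is a load-time check, not a runtime one: `-m owner` can only classify locally generated packets, so the kernel refuses it in any chain whose hook mask includes PREROUTING, INPUT or FORWARD, and that includes user-defined chains jumped to from those hooks. The following is an added example, not code from this thread or from FireHOL: a POSIX shell/awk check that scans an `iptables-save` dump and reports every `-m owner` rule sitting in a chain the kernel will reject it from, following `-j`/`-g` jumps per table. The two dumps embedded in it are constructed for this example and modelled on the rule in the thread; the chain name `tproxy_in` and the user name `squid` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FireHOL): find "-m owner" matches
# that the kernel will refuse to load because their chain is reachable
# from PREROUTING, INPUT or FORWARD.

# Constructed dump: the owner match hides in a user chain jumped to from
# mangle PREROUTING, so iptables-restore would fail on it. The OUTPUT rule
# is the valid placement (locally generated traffic only).
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tproxy_in - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j tproxy_in
-A tproxy_in -m owner ! --uid-owner squid -j TPROXY --on-port 3128 --tproxy-mark 0xffff/0xffff
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j MARK --set-xmark 0xffff/0xffff
COMMIT'

# Constructed dump with the owner match only where it is allowed.
FIXED_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0xffff/0xffff
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j MARK --set-xmark 0xffff/0xffff
COMMIT'

# Print each offending rule as "<table>/<chain>: <rule>".
# Exit status 1 if any were found, 0 otherwise.
check_owner_match_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); tables[table] = 1; next }
        /^-A / {
            key = table "/" $2
            rules[++n] = $0
            rule_chain[n] = key
            # record chain-to-chain jumps so user chains inherit the hooks
            for (i = 3; i <= NF; i++)
                if (($i == "-j" || $i == "-g") && i < NF)
                    edge[key SUBSEP table "/" $(i + 1)] = 1
        }
        END {
            # hooks from which -m owner is never valid (kernel: OUTPUT/POSTROUTING only)
            for (t in tables) {
                reach[t "/PREROUTING"] = 1
                reach[t "/INPUT"] = 1
                reach[t "/FORWARD"] = 1
            }
            # transitive closure over jumps: any chain reached from those hooks is tainted
            changed = 1
            while (changed) {
                changed = 0
                for (e in edge) {
                    split(e, pair, SUBSEP)
                    if ((pair[1] in reach) && !(pair[2] in reach)) {
                        reach[pair[2]] = 1
                        changed = 1
                    }
                }
            }
            bad = 0
            for (i = 1; i <= n; i++)
                if (rules[i] ~ /-m owner/ && (rule_chain[i] in reach)) {
                    print rule_chain[i] ": " rules[i]
                    bad++
                }
            exit (bad > 0)
        }'
}

# Number of offending rules in a dump (0 when the dump is clean).
count_owner_violations() {
    check_owner_match_chains "$1" | awk 'END { print NR }'
}

# Demo on the constructed sample. On a live box: iptables-save | sh thisscript.sh
check_owner_match_chains "$SAMPLE_DUMP" \
    || echo "owner match found in a chain reached from PREROUTING/INPUT/FORWARD"
```

Because the check follows jumps per table, it catches the case FireHOL actually produces (rules living in generated user chains rather than directly in the built-in chains). Its exit status makes it usable as a pre-flight in a deploy script before `firehol start`.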