[Firehol-support] squid tproxy support

Tsaousis, Costa costa at tsaousis.gr
Sun Mar 29 14:59:00 BST 2015


Hi all,

TPROXY support has never been tested.
The relevant ticket is this:

https://github.com/ktsaou/firehol/issues/25

David, can we please move this discussion there? (just post your last
mail there, so that you will subscribe to follow up the discussion of
the ticket - of course you will need a github account if you don't
already have one).

I'll try to figure out what is happening and help you set it up and
also close the ticket.

Costa


On Sun, Mar 29, 2015 at 3:59 PM, David Touzeau <david at articatech.com> wrote:
>
> Proxy is installed on the box
>
> The rule
>
> tproxy 80 port 3128 uid not "root squid"
> makes the following error
>
> [140482.748558] x_tables: ip_tables: owner match: used from hooks
> PREROUTING, but only valid from OUTPUT/POSTROUTING
>
>
> So I have defined IP addresses instead.
> The TPROXY correctly hooks packets, but the proxy is not able to connect
> to the remote web server; I did not know why.
>
> It answers:
> ERROR
> The requested URL could not be retrieved
> The following error was encountered while trying to retrieve the URL:
> http://www.ibm.com/
> Connection to 23.52.8.238 failed.
> The system returned: (110) Connection timed out
>
> In squid.conf:
> http_port 0.0.0.0:3128 tproxy
>
>
> Here is the configuration file.
>
>
> version 5
> #Trusted Networks
> FIREHOL_AUTOSAVE="/home/artica/firewall/firehol-saved-ipv4.txt"
> FIREHOL_LOG_PREFIX="FIREHOL:"
> FIREHOL_TPROXY_MARK="0xffff"
> FIREHOL_TPROXY_IP_ROUTE_TABLE="999"
>
> # * * * * Transparent Proxy * * * *
> # eth0 192.168.1.229, eth1 10.28.0.1
> # Tproxy: 1
> tproxy 80 port 3128 ip 127.0.0.1 src not "192.168.1.229 10.28.0.1"
>
> interface4 lo NETlo
>         client all accept
>         policy accept
>
>
> interface4 eth0 NETeth0
>         client all accept
>         policy accept
>
>
> interface4 eth1 NETeth1
>         client all accept
>         policy accept
>
>
> interface4 eth2 NETeth2
>         client all accept
>         policy accept
>
>
> router4 eth12eth0 inface eth1 outface eth0
>         masquerade
>         server dhcp deny
>         route all accept
>         client all accept
>
> router4 eth02eth1 inface eth0 outface eth1
>         server dhcp deny
>         route all accept
>         client all accept
>
> router4 lo2lo inface lo outface lo
>         route all accept
>         client all accept
>         policy accept
>
> router4 eth12eth1 inface eth1 outface eth1
>         route all accept
>         client all accept
>         policy accept
>
>
>
>
> On 29/03/2015 09:55, Phil Whineray wrote:
>>
>> Hi
>>
>> On Sun, Mar 29, 2015 at 01:32:05AM +0100, David Touzeau wrote:
>>>
>>> tproxy 80 port 3128
>>
>> ...
>>
>>> How to set the rule in order to prevent catching proxy requests itself?
>>
>> You have to identify the proxy traffic in some way and exclude it
>> with optional rule parameters.
>>
>> Since your proxy is on the local host, the most likely choice
>> is to exclude either the source IP address or, more likely still,
>> specific users (only locally generated traffic can be matched by user).
>>
>> Something like this should work, assuming your proxy runs as user squid;
>> it also allows root unproxied traffic:
>>
>>    tproxy 80 port 3128 uid not "root squid"
>>
>> Cheers
>> Phil
>
>
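The kernel message David quotes ("owner match: used from hooks PREROUTING, but only valid from OUTPUT/POSTROUTING") is easy to trip over again once rules are generated through custom chains. The following is an added example, not code from this thread or from FireHOL: it audits an iptables-save dump for "owner" matches that are reached from a hook other than OUTPUT/POSTROUTING, following custom chains back to the built-in hook that calls them. The dump and the chain name "tproxy_in" are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or FireHOL): find "-m owner" rules that
# the kernel will reject because they are reached from PREROUTING/INPUT/
# FORWARD instead of OUTPUT/POSTROUTING, as in David's log.

# Constructed sample dump; "tproxy_in" is an invented chain name.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tproxy_in - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j tproxy_in
-A tproxy_in -m owner ! --uid-owner 0 -j TPROXY --on-port 3128 --tproxy-mark 0xffff/0xffff
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
COMMIT'

# Usage: check_owner_hooks "<iptables-save text>"
# Prints one line per offending rule; exit status 1 if any found, else 0.
check_owner_hooks() {
    printf '%s\n' "$1" | awk '
        # Return the built-in hook(s) from which chain c can be reached.
        function hooks(c,   r, m, arr, i) {
            if (c ~ /^(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING)$/) return c
            if (c in seen) return ""
            seen[c] = 1; r = ""
            m = split(callers[c], arr, " ")
            for (i = 1; i <= m; i++) if (arr[i] != "") r = r " " hooks(arr[i])
            return r
        }
        /^-A / {
            chain = $2
            # Record which chain jumps to which target (targets like TPROXY
            # or ACCEPT are recorded too but never looked up as chains).
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "-g") callers[$(i+1)] = callers[$(i+1)] " " chain
            if ($0 ~ /-m owner/) { rule[++n] = $0; rchain[n] = chain }
        }
        END {
            for (k = 1; k <= n; k++) {
                split("", seen)
                m = split(hooks(rchain[k]), h, " ")
                for (i = 1; i <= m; i++)
                    if (h[i] != "" && h[i] != "OUTPUT" && h[i] != "POSTROUTING") {
                        print "invalid owner match via " h[i] ": " rule[k]; bad++
                    }
            }
            exit (bad > 0)
        }'
}

check_owner_hooks "$SAMPLE_RULES" || echo "owner match would be rejected by the kernel"
```

Feed it the output of `iptables-save` (or the rules FireHOL generates) to confirm a uid-based exclusion only appears on locally generated traffic.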


