[Firehol-support] squid tproxy support

Tsaousis, Costa costa at tsaousis.gr
Sun Mar 29 15:23:42 BST 2015


I just posted a comment at https://github.com/ktsaou/firehol/issues/25
explaining what FireHOL does.

David I am waiting for your comments.

Thanks.


On Sun, Mar 29, 2015 at 4:59 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
>
> TPROXY support has never been tested.
> The relative ticket is this:
>
> https://github.com/ktsaou/firehol/issues/25
>
> David, can we please move this discussion there? (just post your last
> mail there, so that you will subscribe to follow up the discussion of
> the ticket - of course you will need a github account if you don't
> already have one).
>
> I'll try to figure out what is happening and help you set it up and
> also close the ticket.
>
> Costa
>
>
> On Sun, Mar 29, 2015 at 3:59 PM, David Touzeau <david at articatech.com> wrote:
>>
>> Proxy is installed on the box
>>
>> The rule
>>
>> tproxy 80 port 3128 uid not "root squid"
>> makes the following error:
>>
>> [140482.748558] x_tables: ip_tables: owner match: used from hooks
>> PREROUTING, but only valid from OUTPUT/POSTROUTING
>>
>>
>> So I have defined IP addresses instead.
>> The TPROXY correctly hooks packets, but the proxy is not able to get connected
>> to the remote web server; I do not know why.
>>
>> It answers:
>> ERROR
>> The requested URL could not be retrieved
>> The following error was encountered while trying to retrieve the URL:
>> http://www.ibm.com/
>> Connection to 23.52.8.238 failed.
>> The system returned: (110) Connection timed out
>>
>> In squid.conf:
>> http_port 0.0.0.0:3128 tproxy
>>
>>
>> Here is the configuration file.
>>
>>
>> version 5
>> #Trusted Networks
>> FIREHOL_AUTOSAVE="/home/artica/firewall/firehol-saved-ipv4.txt"
>> FIREHOL_LOG_PREFIX="FIREHOL:"
>> FIREHOL_TPROXY_MARK="0xffff"
>> FIREHOL_TPROXY_IP_ROUTE_TABLE="999"
>>
>> # * * * * Transparent Proxy * * * *
>> # eth0 192.168.1.229, eth1 10.28.0.1
>> # Tproxy: 1
>> tproxy 80 port 3128 ip 127.0.0.1 src not "192.168.1.229 10.28.0.1"
>>
>> interface4 lo NETlo
>>         client all accept
>>         policy accept
>>
>>
>> interface4 eth0 NETeth0
>>         client all accept
>>         policy accept
>>
>>
>> interface4 eth1 NETeth1
>>         client all accept
>>         policy accept
>>
>>
>> interface4 eth2 NETeth2
>>         client all accept
>>         policy accept
>>
>>
>> router4 eth12eth0 inface eth1 outface eth0
>>         masquerade
>>         server dhcp deny
>>         route all accept
>>         client all accept
>>
>> router4 eth02eth1 inface eth0 outface eth1
>>         server dhcp deny
>>         route all accept
>>         client all accept
>>
>> router4 lo2lo inface lo outface lo
>>         route all accept
>>         client all accept
>>         policy accept
>>
>> router4 eth12eth1 inface eth1 outface eth1
>>         route all accept
>>         client all accept
>>         policy accept
>>
>>
>>
>>
>> On 29/03/2015 09:55, Phil Whineray wrote:
>>>
>>> Hi
>>>
>>> On Sun, Mar 29, 2015 at 01:32:05AM +0100, David Touzeau wrote:
>>>>
>>>> tproxy 80 port 3128
>>>
>>> ...
>>>
>>>> How to set the rule in order to prevent catching proxy requests itself ?
>>>
>>> You have to identify the proxy traffic in some way and exclude it
>>> with optional rule parameters.
>>>
>>> Since your proxy is on the local host, the most likely choice
>>> is to exclude either the source IP address or, more likely still,
>>> specific users (only locally generated traffic can be matched by user).
>>>
>>> Something like this should work, assuming your proxy runs as user squid,
>>> and also allows root unproxied traffic:
>>>
>>>    tproxy 80 port 3128 uid not "root squid"
>>>
>>> Cheers
>>> Phil
>>
>>
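
The mistake in the thread (an owner match on a rule that TPROXY installs in PREROUTING, which the kernel rejects with exactly the "owner match: used from hooks PREROUTING, but only valid from OUTPUT/POSTROUTING" message) is mechanical enough to catch before loading the config. The following checker is an added example and is not part of FireHOL. It assumes the `tproxy` rule grammar visible in the quoted lines, `tproxy <port> port <local-port> [<param> [not] <value>]...` with a quoted value being a space-separated list; `uid`, `ip` and `src` are the parameters that appear on the page, while `gid`, `dst` and `proto` are assumed by analogy. The sample inputs are David's first rule and a cut-down copy of his posted config.

```python
"""Lint FireHOL ``tproxy`` helper lines for matches the kernel refuses in PREROUTING.

Added example, not FireHOL code.  Rule grammar assumed from the thread:
``tproxy <port> port <local-port> [<param> [not] <value>]...`` where a quoted
value is a space-separated list.  ``gid``, ``dst`` and ``proto`` are assumed names.
"""
import re
import shlex
from dataclasses import dataclass, field

# xt_owner matches: ip_tables only accepts them from OUTPUT/POSTROUTING.  TPROXY
# is a PREROUTING target, so an owner match can never keep the proxy's own
# sockets out of a tproxy rule; the proxy host's addresses must be used instead.
OWNER_PARAMS = {"uid", "gid"}
# Optional rule parameters this checker understands (assumption, see docstring).
VALUE_PARAMS = OWNER_PARAMS | {"src", "dst", "ip", "proto"}
# Policy-routing table ids with a fixed meaning: 0 unspec, 253 default, 254 main, 255 local.
RESERVED_TABLES = {0, 253, 254, 255}


@dataclass
class TproxyRule:
    line_no: int
    port: str
    local_port: str
    params: dict = field(default_factory=dict)  # name -> (negated, [values])


def parse_tproxy_line(line_no, line):
    """Parse one ``tproxy`` line into a TproxyRule; raise ValueError on bad syntax."""
    tok = shlex.split(line, comments=True)  # honours quotes, drops trailing # comments
    if len(tok) < 4 or tok[0] != "tproxy" or tok[2] != "port":
        raise ValueError(f"line {line_no}: not a tproxy line: {line.strip()}")
    rule = TproxyRule(line_no, tok[1], tok[3])
    i = 4
    while i < len(tok):
        name = tok[i]
        if name not in VALUE_PARAMS:
            raise ValueError(f"line {line_no}: unknown parameter {name!r}")
        negated = i + 1 < len(tok) and tok[i + 1] == "not"
        i += 2 if negated else 1
        if i >= len(tok):
            raise ValueError(f"line {line_no}: {name!r} needs a value")
        rule.params[name] = (negated, tok[i].split())
        i += 1
    return rule


def parse_settings(text):
    """Collect FIREHOL_TPROXY_* variable assignments from the config text."""
    pattern = r'^\s*(FIREHOL_TPROXY_[A-Z_]+)="?([^"\n]*)"?\s*$'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text, re.M)}


def lint_config(text):
    """Return (rules, findings) for a FireHOL config; findings are plain strings."""
    rules, findings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.lstrip().startswith("tproxy"):
            continue
        rule = parse_tproxy_line(n, raw)
        rules.append(rule)
        for name in rule.params:
            if name in OWNER_PARAMS:
                findings.append(
                    f"line {n}: '{name}' is an owner match; ip_tables rejects it from "
                    "PREROUTING (only valid from OUTPUT/POSTROUTING) and tproxy hooks "
                    "PREROUTING. Exclude the proxy host's addresses with "
                    "'src not \"<addr> ...\"' instead.")
    settings = parse_settings(text)
    mark = settings.get("FIREHOL_TPROXY_MARK")
    if mark is not None:
        try:
            if not 0 < int(mark, 0) < 2 ** 32:  # fwmark is a non-zero 32-bit value
                findings.append(f"FIREHOL_TPROXY_MARK={mark}: must be a non-zero 32-bit mark")
        except ValueError:
            findings.append(f"FIREHOL_TPROXY_MARK={mark}: not a number")
    table = settings.get("FIREHOL_TPROXY_IP_ROUTE_TABLE")
    if table is not None and (not table.isdigit() or int(table) in RESERVED_TABLES):
        findings.append(
            f"FIREHOL_TPROXY_IP_ROUTE_TABLE={table}: must be a numeric table id "
            "other than 0/253/254/255")
    return rules, findings


# Constructed samples: David's first rule, and a cut-down copy of the posted config.
FIRST_ATTEMPT = 'tproxy 80 port 3128 uid not "root squid"\n'
POSTED_CONFIG = """\
version 5
FIREHOL_TPROXY_MARK="0xffff"
FIREHOL_TPROXY_IP_ROUTE_TABLE="999"
# Tproxy: 1
tproxy 80 port 3128 ip 127.0.0.1 src not "192.168.1.229 10.28.0.1"
"""

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("posted config", POSTED_CONFIG)):
        rules, findings = lint_config(cfg)
        print(f"{label}: {len(rules)} tproxy rule(s), {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

Run against the first attempt it reports the `uid` match as unusable in PREROUTING; run against the posted config (address-based exclusion, mark 0xffff, table 999) it reports nothing. It only checks what the thread itself establishes; it does not diagnose the later "Connection timed out" from the proxy to the remote server, which the thread leaves open.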


