Fully Transparent Interception with Squid-2, TPROXYv2 and WCCP
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
This is a work in progress (read: a place for Adrian to jot down TPROXY documentation notes as he's coming up with the authoritative documentation.)
The following documentation applies to Squid-2 WCCPv2 support and TPROXYv2 support running on a Linux box. If you have a newer version of the exact configuration options may differ.
Balabit now only support TPROXY v4.1 which has been integrated with the 3.1 squid code (see Features/Tproxy4)
The configuration for Squid-3.1 is very different than the following documentation.
(stuff from emails from Steve Wilton)
The kernel and iptables need to be patched with the tproxy patches (and the tproxy include file needs to be placed in /usr/include/linux/netfilter_ipv4/ip_tproxy.h or include/netfilter_ipv4/ip_tproxy.h in the squid src tree).
TThe iptables rule needs to use the TPROXY target (instead of the REDIRECT target) to redirect the port 80 traffic to the proxy. Ie:
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80
The kernel must strip the GRE header from the incoming packets (either using the ip_wccp module, or by having a GRE tunnel set up in linux pointing at the router (no GRE setup is required on the router)).
wccp2_service dynamic 80 wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80 wccp2_service dynamic 90 wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
It is highly recommended that the above definitions be used for the two wccp services, otherwise things will break if you have more than 1 cache (specifically, you will have problems when the a web server's name resolves to multiple ip addresses).
The http_port that you are redirecting to must have the transparent and tproxy options enabled as follows (modify the port as appropriate):
http_port 80 transparent tproxy
There _must_ be a tcp_outgoing address defined. This will need to be valid to satisfy any non-tproxied connections.
On the router, you need to make sure that all traffic going to/from the customer will be processed by _both_ wccp rules. The way we have implemented this is to apply wccp service 80 to all traffic coming in from a customer-facing interface, and wccp service 90 applied to all traffic going out a customer-facing interface. We have also applied the wccp "exclude-in" rule to all traffic coming in from the proxy-facing interface. Ie:
interface GigabitEthernet0/3.100 description ADSL customers encapsulation dot1Q 502 ip address x.x.x.x y.y.y.y ip wccp 80 redirect in ip wccp 90 redirect out interface GigabitEthernet0/3.101 description Dialup customers encapsulation dot1Q 502 ip address x.x.x.x y.y.y.y ip wccp 80 redirect in ip wccp 90 redirect out interface GigabitEthernet0/3.102 description proxy servers encapsulation dot1Q 506 ip address x.x.x.x y.y.y.y ip wccp redirect exclude in
It's highly recommended to turn httpd_accel_no_pmtu_disc on in the squid conf.
If you have some clients who set their proxy, it is recommended to use a separate port in squid for transparent/tproxy requests compared to clients with proxies set.
The tproxy support in Squid-2.6 does not need to be run as root. It maintains root capabilities for network requests at all times (allowing the tproxy patch to work), without the need to maintain all root capabilities.
I would like to add the following to my previous list of requirements for tproxy + wccpv2:
- You must make sure rp_filter is disabled in the kernel
- You must make sure ip_forwarding is enabled in the kernel
Can you please check that you've enabled ip_forwarding in your kernel. If that doesn't work, I don't know if the "vhost vport=80" is required in the http_port line in the squid config (we don't have these options enabled on our proxies).
I use the ip_wccp module to make the kernel handle the GRE packets correctly (which works slightly differently from the ip_gre module). Do you have a GRE tunnel set up in linux? If so, what command are you running to set it up? I don't have an example to give you here, but I'm sure other people are using the ip_gre module with wccp to handle the GRE packets, and should be able to help.
(reply from the user)
finally it work....
Here is my step :
* install squid-2.6.s1 + FD-patch_from_you + cttproxy-patch from balabit for kernel & iptables tproxy
* create gre tunnel
insmod ip_gre ifconfig gre0 <use ip address within loopback0 router subnet> up
disable rp_filter & enable forwarding
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables :
iptables -t tproxy -A PREROUTING -p tcp -m tcp -i gre0 --dport 80 -j TPROXY --on-port 80
- squid.conf :
http_port 80 transparent tproxy vhost vport=80 always_direct allow all wccp2_router y.y.y.y wccp2_forwarding_method 1 wccp2_return_method 1 wccp2_service dynamic 80 wccp2_service dynamic 90 wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80 wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
- router config (cisco):
ip wccp 80 ip wccp 90 int fasteth0 -->ip wccp 90 redirect out (gateway to internet) int fasteth1 -->ip wccp 80 redirect out (my client gateway) int fasteth3 -->ip wccp redirect exclude in (squid-box attached here)
check-up access.log --> yes it is increments log check-up my pc by opening whatismyipaddress.com --> yes it is my pc's ip
Now, I will try tuning-up my box & squid.conf tommorow
TPROXY patch homepage: http://www.balabit.com/support/community/products/tproxy/
A useful script to test: http://devel.squid-cache.org/cgi-bin/test