tproxy support (iptables & squid)

Bug #115475 reported by PatRiehecky
Affects            Status        Importance  Assigned to  Milestone
Squid              Fix Released  Undecided   Unassigned
iptables (Ubuntu)  Fix Released  Wishlist    Unassigned
squid (Debian)     Fix Released  Unknown
squid3 (Ubuntu)    Fix Released  Wishlist    andreis

Bug Description

tproxy is a module which makes building squid as an invisible acceleration proxy possible. Currently you have to alter your network topology to plug squid in like that, but with this module the squid box becomes an invisible bridge (not even traceroute can find it). It is available in patch-o-matic and would be very handy.

Revision history for this message
notanumber67890 (notanumber67890) wrote :

I agree, this would be a very welcome addition to the kernel, please consider it.

TPROXY would make an Ubuntu server good for any purpose, but without it is very difficult to build a totally transparent proxy as mentioned by PatRiehecky. I've been trying to patch a gutsy server with TPROXY but haven't been able to get it to work ... I'm a Linux n00b so that probably explains my lack of success (any advice would be welcome).

Having TPROXY support out of the box would be just fantastic ... please, please!

Richard Laager (rlaager)
description: updated
Changed in squid:
status: Unknown → New
Revision history for this message
Chuck Short (zulcss) wrote :

Probably too late for intrepid. Sorry will revisit again for jaunty.

Regards
chuck

Changed in squid:
importance: Undecided → Wishlist
status: New → Triaged
Revision history for this message
Daniel T Chen (crimsun) wrote :

Developers at the recent netfilter summit "concluded" that patch-o-matic was likely to go away, though tproxy development looks interesting.

Changed in iptables:
importance: Undecided → Wishlist
Revision history for this message
chrone (chrone81) wrote :

this tproxy support out of the box would be an excellent addition to ubuntu server! i'm a newbie and for me it's too hard to patch the kernel and iptables in order to make tproxy work.

i need the ip spoofing from tproxy so that squid will forward the client ip address to the router, therefore the bandwidth management in the router will still be able to do its work. but if squid transfers the client request with its proxy ip address, then the bandwidth management will fail.

Revision history for this message
Amos Jeffries (yadi) wrote :

TPROXY support has been integrated upstream in the upcoming Squid 3.1, iptables 1.4.3, and kernel 2.6.28.

Keen testers are invited to locate the latest code for each of the three and provide feedback on how it goes. Should now be a simple matter of finding the right build options and configuration settings.

Changed in squid:
assignee: nobody → squid3
status: Triaged → In Progress
Richard Laager (rlaager)
Changed in squid:
status: New → Fix Released
Changed in iptables:
status: New → Fix Committed
status: Fix Committed → In Progress
Revision history for this message
chrone (chrone81) wrote :

any luck with tproxy supported out of the box for ubuntu??

i really need it as a squidbox so the mikrotik routeros can still manage client bandwidth for their connections using their own ip addresses in and out of the squidbox.

Revision history for this message
Amos Jeffries (yadi) wrote : Re: [Bug 115475] Re: tproxy support (iptables & squid)

chrone wrote:
> any luck with tproxy supported out of the box for ubuntu??
>
> i really need it as squidbox so the mikrotik routeros can still manage
> client bandwidth for their connection using their own ip address through
> in and out of the squidbox.
>

What I'm doing is working towards unofficial upstream package builds
that people can install for the testing versions. They will likely not
be directly available through the normal distro packaging systems.

I'm not going to be bundling squid as anything but squid.

It will be done some day, but not immediately. If you want an early
build or a specially named binary or package immediately, you will have
to make it yourself. That's easy enough nowadays.

The Squid FAQ has the set of options for correct Debian/Ubuntu
environment locations:
  http://wiki.squid-cache.org/SquidFaq

Amos

Revision history for this message
chrone (chrone81) wrote :

thanks Amos. i'll try to build one from the wiki whenever i have spare time. :)

Revision history for this message
Amos Jeffries (yadi) wrote :

My PPA now contains beta squid3 packages with this and other new features enabled. Some features require a 2.6.28+ kernel so only Jaunty and later are provided.

I have not been able to test that the TPROXY support works with the currently available kernel or iptables. But it's enabled in these Squid3 packages and I expect it to work if the kernel capabilities are there.

There are still bugs to be worked out of 3.1, but they seem to work for me so far in normal use.

Happy testing.

Changed in squid (Debian):
status: New → Fix Released
Changed in squid:
status: Fix Released → New
Revision history for this message
Amos Jeffries (yadi) wrote :

Upstream fix was released well before this bug was created. We are only awaiting some Debian/Ubuntu specific fixes and QA to process the feature.

Changed in squid:
status: New → Fix Released
andreis (andreis-ti-pdg)
Changed in squid3 (Ubuntu):
assignee: Amos Jeffries (yadi) → andreis (andreis-ti-pdg)
status: In Progress → Confirmed
Fail2Ban (failtoban)
tags: added: kernel-bug needs-packaging
Revision history for this message
Mitch Towner (kermiac) wrote :

@ Fail2Ban: please do not assign tags without first reading https://wiki.ubuntu.com/Bugs/Tags
Thanks in advance!

tags: removed: kernel-bug needs-packaging
Revision history for this message
Renato Diogo (renato-diogo) wrote :

In Lucid, SQUID 3.0.19-STABLE has support for tproxy, but in this version it is incompatible with ipv6, so to make it work the package has to be compiled with "--disable-ipv6".

If you try to use tproxy, then you have this error:
===
FATAL: Bungled squid.conf line 45: http_port 3129 tproxy
Squid Cache (Version 3.0.STABLE19): Terminated abnormally.
===

Revision history for this message
Amos Jeffries (yadi) wrote :

The squid-3.0 series has nothing to do with IPv6. Both disable and enable are missing and irrelevant.

The squid-3.0 series supports TPROXYv2 only and is not able to be used or even built against the Lucid kernel, which supports a minimum of TPROXYv4.

The newer 3.1 series Squid is required for both IPv6 and TPROXYv4 support.

Revision history for this message
chrone (chrone81) wrote :

how do i install squid tproxy with a precompiled kernel and iptables to forward the client's ip address to the router, in order to make the router bandwidth management work?

where's the link to your PPA? i would give it a try on a hardy or lucid box. would love to have tproxy support out of the box from ubuntu. really helps with mikrotik router bandwidth management :)

Revision history for this message
Amos Jeffries (yadi) wrote :

In my profile can be found https://launchpad.net/~yadi/+archive/ppa
Hardy does not provide the required kernel version or libraries.
There have been two reports that it does not work with Lucid, but I have not been able to track down exactly why not.

Revision history for this message
chrone (chrone81) wrote :

oh i see. so what version of ubuntu does tproxy really work on?

thanks for the link dude :)

Revision history for this message
Amos Jeffries (yadi) wrote :

Natty now ships with 3.1.10 which is supposed to be fine. Could anyone interested in this bug please confirm/deny whether that package has working tproxy on a standard Ubuntu install?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This should be in 1.4.12-1ubuntu1. Marking Fix Released.

Changed in iptables (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
chrone (chrone81) wrote :

i'm sorry for taking this long to test your package Amos, i didn't have the time to play with it.

i'm using oneiric and your squid3 package right now. started squid with http_port 3128 and http_port 3129 tproxy.

i assume we have to compile the kernel for oneiric? or is it supported out of the box?

i will try to compile the kernel tomorrow, and should i need to recompile iptables too? i only want to use it as non-transparent, but with the ability to spoof the client ip to the mikrotik router only.

Revision history for this message
chrone (chrone81) wrote :

2011/12/14 21:00:41| Starting Squid Cache version 3.1.15 for i686-pc-linux-gnu...
2011/12/14 21:00:41| Process ID 2452
2011/12/14 21:00:41| With 65535 file descriptors available
2011/12/14 21:00:41| Initializing IP Cache...
2011/12/14 21:00:41| DNS Socket created at [::], FD 7
2011/12/14 21:00:41| DNS Socket created at 0.0.0.0, FD 8
2011/12/14 21:00:41| Adding nameserver 192.168.3.1 from /etc/resolv.conf
2011/12/14 21:00:41| Unlinkd pipe opened on FD 13
2011/12/14 21:00:41| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/12/14 21:00:41| Store logging disabled
2011/12/14 21:00:41| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2011/12/14 21:00:41| Target number of buckets: 1008
2011/12/14 21:00:41| Using 8192 Store buckets
2011/12/14 21:00:41| Max Mem size: 262144 KB
2011/12/14 21:00:41| Max Swap size: 0 KB
2011/12/14 21:00:41| Using Least Load store dir selection
2011/12/14 21:00:41| Set Current Directory to /var/spool/squid3
2011/12/14 21:00:41| Loaded Icons.
2011/12/14 21:00:41| Accepting spoofing HTTP connections at [::]:3129, FD 14.
2011/12/14 21:00:41| Accepting HTTP connections at [::]:3128, FD 15.
2011/12/14 21:00:41| HTCP Disabled.
2011/12/14 21:00:41| Squid plugin modules loaded: 0
2011/12/14 21:00:41| Adaptation support is off.
2011/12/14 21:00:41| Ready to serve requests.
2011/12/14 21:00:42| storeLateRelease: released 0 objects

it's accepting spoofing connections but could not spoof the ip, i guess i have to recompile the kernel from source. hope it works tomorrow! woohoo!

Revision history for this message
Amos Jeffries (yadi) wrote :

You should not have to recompile the kernel if it's accepting connections through TPROXY properly. Double-check the IPs squid is identifying as the client IP though, to make sure that arrival is happening correctly.

We found a small bit alignment bug in the 3.2 series not setting the spoof flag correctly on some systems, which caused this same behaviour. I thought 3.1 was okay but I will take a closer look later today to double check whether 3.1 has a similar regression.
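
A prerequisite checker for the setup this thread is chasing: the versions Amos lists above (kernel 2.6.28, iptables 1.4.3, Squid 3.1), the kernel TPROXY target, the mangle rule and policy route, and the http_port tproxy line. It is an added example, not code from the bug report or from Squid, and it assumes the standard TPROXYv4 layout documented on the Squid wiki plus /etc/squid3/squid.conf as the default config path.

```shell
#!/bin/sh
# Added example, not from this bug report or from Squid: check the TPROXY prerequisites
# discussed in the thread on a Linux Squid host. Thresholds are the versions Amos lists
# (kernel 2.6.28, iptables 1.4.3, Squid 3.1). Rule/route checks assume the standard
# TPROXYv4 layout from the Squid wiki (TPROXY target in mangle PREROUTING, a fwmark rule,
# a "local default dev lo" route) and /etc/squid3/squid.conf as the default config path.

# version_ge A B: succeed when dotted version A >= B. Only the first line counts and the
# text after the numeric part is dropped: "2.6.28-11-generic" is 2.6.28,
# "Squid Cache: Version 3.0.STABLE19" is 3.0, "iptables v1.4.12" is 1.4.12.
version_ge() {
    a=$(printf '%s\n' "$1" | head -n1 | sed 's/^[^0-9]*//; s/[^0-9.].*//')
    b=$(printf '%s\n' "$2" | head -n1 | sed 's/^[^0-9]*//; s/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s.' "$a" | cut -d. -f"$i")   # trailing "." so cut always has a delimiter
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0    # every field compared equal
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# check_tproxy_host [squid.conf]: run as root; prints one FAIL line per missing piece
# together with the command that normally provides it; returns non-zero on any failure.
check_tproxy_host() {
    conf=${1:-/etc/squid3/squid.conf}; rc=0
    fail() { echo "FAIL $1"; rc=1; }
    kver=$(uname -r)
    version_ge "$kver" 2.6.28 || fail "kernel $kver is older than 2.6.28 (TPROXYv4)"
    ipt=$(iptables -V 2>/dev/null)
    version_ge "$ipt" 1.4.3 || fail "iptables '$ipt' is older than 1.4.3"
    sq=$( (squid3 -v 2>/dev/null || squid -v 2>/dev/null) | head -n1)
    version_ge "$sq" 3.1 || fail "squid '$sq' is older than 3.1 (3.0 is TPROXYv2 only)"
    modinfo xt_TPROXY >/dev/null 2>&1 || fail "kernel has no xt_TPROXY module"
    iptables -t mangle -L PREROUTING -n 2>/dev/null | grep -q '^TPROXY' ||
        fail "no TPROXY rule: iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129"
    ip rule show 2>/dev/null | grep -q fwmark ||
        fail "no fwmark rule: ip rule add fwmark 1 lookup 100"
    ip route show table all 2>/dev/null | grep -q '^local default' ||
        fail "no local route: ip route add local 0.0.0.0/0 dev lo table 100"
    grep -Eq '^http_port[[:space:]].*[[:space:]]tproxy' "$conf" 2>/dev/null ||
        fail "no 'http_port 3129 tproxy' line in $conf"
    [ "$rc" -eq 0 ] && echo "ok: all TPROXY prerequisites present"
    return "$rc"
}

if [ "${1-}" = "--check" ]; then check_tproxy_host "${2-}"; fi
```

If every line is ok but the router still sees the proxy address, as reported later in this thread, the remaining suspects are the return path (replies must route back through the Squid box) and the spoof flag inside Squid itself, not the kernel.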

Revision history for this message
Richard Laager (rlaager) wrote :

Even if it's only fixed in 3.2, can you provide a version number where it's definitely fixed?

Revision history for this message
chrone (chrone81) wrote :

i checked through mikrotik routeros, when the client is accessing the internet it uses the squid ip address (192.168.1.142), not the client's (192.168.3.97). the squid is running the latest version of ubuntu 11.10 oneiric with your squid patch.

Changed in squid3 (Ubuntu):
status: Confirmed → Fix Released