Setup Squid Tproxy Bridge CentOS 6.3


Scenario:
Bandwidth management router:192.168.99.1 — eth0:[Squid TPROXY Bridge(br0=192.168.99.15)]:eth1 — clients:192.168.99.x/24

 
I. Network interface configuration
-Install bridge-utils
# yum -y install bridge-utils

-Create the bridge interface br0 (the only interface that carries an IP address) and save:
# vi /etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
IPADDR=192.168.99.15
NETMASK=255.255.255.0
GATEWAY=192.168.99.1
DNS1=192.168.99.5
DNS2=192.168.99.6
DNS3=192.168.99.1


 
-Configure interface eth0 with no IP address, as a member of br0:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
BOOTPROTO="none"
HWADDR="A2:AC:86:64:4C:D4"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="cbe96c60-5467-4982-b884-b4aca07a995f"
BRIDGE=br0

 
-Configure interface eth1 with no IP address, as a member of br0:
# vi /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE="eth1"
BOOTPROTO="none"
HWADDR="B6:49:8A:62:AD:92"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="320472d8-755e-4192-b520-da6bc7e8ebb1"
#IPADDR=192.168.99.11
#NETMASK=255.255.255.0
BRIDGE=br0

 
-Set the DNS servers:
# vi /etc/resolv.conf

nameserver 192.168.99.5
nameserver 192.168.99.6

 
-Set /etc/hosts:
# vi /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.99.15	cumi.bachem.local	cumi

 
-Restart networking
# service network restart

 
II. Install & configure Squid
-Install squid
# yum -y install squid

-Configure Squid (keep a copy of the original squid.conf first)
# cp /etc/squid/squid.conf /etc/squid/squid.conf.asli
# vi /etc/squid/squid.conf
Configure it as you need and add these two listening ports (3128 for explicit proxy clients, 3129 for the TPROXY-intercepted traffic):

http_port 3128
http_port 3129 tproxy

 
-Set Squid file ownership
# chown -R squid.squid /var/log/squid/
# chown -R squid.squid /var/spool/squid/
# chown -R squid.squid /etc/squid/

-Start the service and enable it at boot
# service squid start
# chkconfig squid on

 
III. Routing Configuration
The routing features in your kernel also need to be configured so that the intercepted packets are handled correctly, both when they arrive at and when they leave your system.

-Disable system-config-firewall
# system-config-firewall-tui
Uncheck Enabled => OK

-Routing configuration (IPv4): packets marked with fwmark 1 are looked up in table 100, which delivers them locally
# ip -f inet rule add fwmark 1 lookup 100
# ip -f inet route add local default dev lo table 100

-Routing configuration (IPv6)
# ip -f inet6 rule add fwmark 1 lookup 100
# ip -f inet6 route add local default dev eth0 table 100

-Put the same commands into rc.local so they are re-applied at boot (they are not persistent otherwise)
# vi /etc/rc.d/rc.local

ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eth0 table 100

 
Note:
Every OS has different security and limitations around what you can do here.
-some systems require that lo is the interface TPROXY uses.
-some systems require that an ethN is the interface TPROXY uses.
-some systems require that each receiving interface have its own unique table.
-Some OS block multiple interfaces being linked to the table. You will see a rejected route when a second ip -f inet route is added to the table. To erase the custom route entry repeat the rule with del instead of add.

-Set at each boot (IP forwarding on, reverse-path filtering off, since TPROXY replies leave via a different path than rp_filter expects):
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

Or make it persistent in /etc/sysctl.conf:
# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0

 
-iptables rule so that port 80 on the bridge machine itself (e.g. lightsquid) stays reachable and is not intercepted; it must be added before the TPROXY rule below:
# iptables -t mangle -A PREROUTING -p tcp -d 192.168.99.15 --dport 80 -j ACCEPT

-iptables rules for TPROXY interception (the squid wiki's "on a Router device" set): packets belonging to an existing local socket are marked and accepted, new port 80 connections are handed to Squid on port 3129 with mark 1
# iptables -t mangle -N DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

-Save the iptables rules, restart the service and enable it at boot
# service iptables save
# service iptables restart
# chkconfig iptables on

-Install ebtables
# yum -y install ebtables

-Set up ebtables IPv4 brouting rules on the bridge (in the BROUTING chain, redirect with target DROP means the frame is routed instead of bridged, so iptables/TPROXY sees it):
# ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
# ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

-Set up ebtables IPv6 brouting rules on the bridge
# ebtables -t broute -A BROUTING -i eth1 -p ipv6 --ip6-proto tcp --ip6-dport 80 -j redirect --redirect-target DROP
# ebtables -t broute -A BROUTING -i eth0 -p ipv6 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP

-Save the ebtables rules, restart the service and enable it at boot
# service ebtables save
# service ebtables restart
# chkconfig ebtables on

Done!! Reboot the machine, test browsing/downloading from the clients and check whether TPROXY works in /var/log/squid/access.log; the clients' own IP addresses (not the bridge's) should show up in your bandwidth management router.
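Before rebooting, it helps to verify that the section III settings are all in place and in the right order. The script below is an added example, not part of the original post: each function takes captured command output as a string, so it runs without root and can later be fed the real output of sysctl -a, ip rule show, ip route show table 100, iptables -t mangle -S and ebtables -t broute -L. The SAMPLE_* strings are constructed to match the post's settings and are assumptions, not captured output.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks of the TPROXY
# prerequisites from section III, run against captured command output.

# Key=value pairs the post puts in /etc/sysctl.conf.
REQUIRED_SYSCTLS="net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.eth1.rp_filter=0
net.ipv4.conf.br0.rp_filter=0"

# check_sysctl OUTPUT: print every required key that is unset or wrong; return 1 if any.
check_sysctl() {
    _bad=0
    for _kv in $REQUIRED_SYSCTLS; do
        _key=${_kv%%=*}; _want=${_kv#*=}
        _re=$(printf '%s' "$_key" | sed 's/\./\\./g')   # match dots literally
        _got=$(printf '%s\n' "$1" | sed -n "s/^$_re *= *//p" | head -n 1)
        if [ "$_got" != "$_want" ]; then
            echo "sysctl $_key: want $_want, got ${_got:-<unset>}"; _bad=1
        fi
    done
    return $_bad
}

# check_policy_routing RULES ROUTES: "ip rule show" and "ip route show table 100".
# fwmark 1 must select table 100, which must hold the local default route on lo.
check_policy_routing() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100' \
        || { echo "missing: ip rule fwmark 1 lookup 100"; return 1; }
    printf '%s\n' "$2" | grep -q '^local default dev lo' \
        || { echo "missing: local default route in table 100"; return 1; }
}

# check_mangle RULES: "iptables -t mangle -S". Order matters: the socket match
# must precede TPROXY (as listed in the post), the ACCEPT for the bridge's own IP
# must precede TPROXY or port 80 on the bridge itself gets intercepted, and the
# TPROXY mark must be the fwmark the policy rule keys on.
check_mangle() {
    _pre=$(printf '%s\n' "$1" | grep '^-A PREROUTING' || true)
    _sock=$(printf '%s\n' "$_pre" | grep -n -e '-m socket -j DIVERT' | head -n 1 | cut -d: -f1)
    _tp=$(printf '%s\n' "$_pre" | grep -n -e '-j TPROXY' | head -n 1 | cut -d: -f1)
    _acc=$(printf '%s\n' "$_pre" | grep -n -e '-d 192\.168\.99\.15/32 .*--dport 80 -j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$_sock" ] && [ -n "$_tp" ] \
        || { echo "missing DIVERT or TPROXY rule in mangle PREROUTING"; return 1; }
    [ "$_sock" -lt "$_tp" ] \
        || { echo "socket match (rule $_sock) must precede TPROXY (rule $_tp)"; return 1; }
    [ -z "$_acc" ] || [ "$_acc" -lt "$_tp" ] \
        || { echo "ACCEPT for the bridge IP comes after TPROXY; bridge port 80 will be intercepted"; return 1; }
    printf '%s\n' "$_pre" | grep -q -e '--tproxy-mark 0x1/0x1' \
        || { echo "TPROXY mark does not match fwmark 1"; return 1; }
}

# check_ebtables OUTPUT: "ebtables -t broute -L". Both directions must be brouted
# (redirect with target DROP in BROUTING = route the frame instead of bridging it).
check_ebtables() {
    printf '%s\n' "$1" | grep -q -e '-i eth1 .*--ip-dport 80 -j redirect --redirect-target DROP' \
        || { echo "missing client->server brouting rule on eth1"; return 1; }
    printf '%s\n' "$1" | grep -q -e '-i eth0 .*--ip-sport 80 -j redirect --redirect-target DROP' \
        || { echo "missing server->client brouting rule on eth0"; return 1; }
}

# run_all SYSCTL RULES ROUTES MANGLE EBTABLES: 0 only if every check passes.
run_all() {
    _rc=0
    check_sysctl "$1" || _rc=1
    check_policy_routing "$2" "$3" || _rc=1
    check_mangle "$4" || _rc=1
    check_ebtables "$5" || _rc=1
    return $_rc
}

# Constructed sample outputs matching the post's settings (assumed, not captured).
SAMPLE_SYSCTL="net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 1"
SAMPLE_RULES="0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default"
SAMPLE_ROUTES="local default dev lo  scope host"
SAMPLE_MANGLE="-P PREROUTING ACCEPT
-N DIVERT
-A PREROUTING -d 192.168.99.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT"
SAMPLE_EBTABLES="Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP"

if run_all "$SAMPLE_SYSCTL" "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" "$SAMPLE_EBTABLES"; then
    echo "all TPROXY prerequisites present"
fi
```

On the real machine, replace the samples with command substitutions, e.g. run_all "$(sysctl -a 2>/dev/null)" "$(ip rule show)" "$(ip route show table 100)" "$(iptables -t mangle -S)" "$(ebtables -t broute -L)". The rule-order check is the one most worth keeping: a hand edit of /etc/sysconfig/iptables that moves the TPROXY line above the socket match or above the bridge-IP ACCEPT leaves everything "running" while interception misbehaves, which is hard to see from access.log alone.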

 
References:
http://www.scribd.com/doc/20428716/Bridge-Mode-Proxy-Configuration
http://wiki.squid-cache.org/Features/Tproxy4
http://wiki.squid-cache.org/ConfigExamples/Intercept/CentOsTproxy4?action=show&redirect=ConfigExamples%2FTPROXYPatchingCentOS

5 thoughts on “Setup Squid Tproxy Bridge CentOS 6.3”

  1. Simon

    Hi.
    Thanks for the post. It helped me to get started.

    But I encountered an error. The device behind the bridge does not connect to port 80 websites. Squid and dansguardian did not show anything in their access.log. But if I set the proxy manually to br0-ip/3129 it magically works. Do you know what could be the problem? I am using CentOS 6.4 and use the same settings as you, except that I have an additional eth for the management network.

    1. bachem Post author

      Hi Simon,
      Maybe it's your ebtables configuration. First stop the ebtables service, delete the ebtables file in /etc/sysconfig/ebtables, run those commands again, try swapping the -i option with your other eth port that you have set up in bridge mode, then reboot your machine. Hope it works…

  2. Simon

    The ebtables are working, I think. I put a -j LOG in iptables and I see the incoming http request. So I think ebtables -> iptables works. But iptables -> TPROXY. I tried updating iptables to 1.4.18 as the squid website states 1.4.10 is needed (http://wiki.squid-cache.org/Features/Tproxy4). I also updated the kernel to 2.6.39 because it says there could be routing problems with 2.6.32. Next I try to -j LOG the marked packages.

    1. Vadim

      Hello, Simon.
      I had the same issue and worked hard on it.
      Try to resolve this by installing the libcap-devel package. In my case the TPROXY mechanism began to work fine.

      1. Marv

        Hi Simon, were you able to make this work in 6.3? iptables and ebtables work ok, but squid is not logging any access.

        Hi Vadim, I did install the libcap-devel package, but I notice that squid-tproxy is not accepting any traffic.
