Wednesday, February 08, 2012

Squid3 TPROXY on Ubuntu 10.10: How-To

TPROXY on Ubuntu 10.10: How-To
Refer to http://wiki.squid-cache.org/Features/Tproxy4



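# Runtime kernel setup for TPROXY. Run as root; the same values are made
# persistent through /etc/sysctl.conf further down.
#
# rp_filter=2 is "loose" reverse-path filtering. TPROXY answers clients
# with the origin server's address as the local source, which strict mode
# (1) would drop. Loose mode weakens anti-spoofing on every interface it is
# applied to, so only use it on gateways where TPROXY is actually needed.
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter || exit 1
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter || exit 1
# The FORWARD/MASQUERADE rules in rc.local need forwarding enabled; this
# mirrors the net.ipv4.ip_forward=1 line in sysctl.conf for the current boot.
echo 1 > /proc/sys/net/ipv4/ip_forward || exit 1

# modprobe module names are case-sensitive. The original listing also ran
# "modprobe ipt_tproxy" (lowercase), which appears to be a typo of the
# ipt_TPROXY line below and was dropped.
modprobe ip_tables || exit 1
modprobe iptable_filter || exit 1
modprobe ipt_TPROXY || exit 1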

=======================

Persistent configuration in /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.all.rp_filter=2
net.ipv4.ip_forward=1

=============================

Add the following to /etc/rc.local:

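# TPROXY policy routing and firewall rules for /etc/rc.local (runs as root
# at boot). The interface roles are parameters so the rules are not tied to
# the eth0/eth1 names of the original box; the defaults keep the original
# behaviour.
LAN_IF=${LAN_IF:-eth0}   # client side (the 192.168.2.x hosts in the sample logs)
WAN_IF=${WAN_IF:-eth1}   # upstream side, masqueraded below

# Packets carrying fwmark 1 are looked up in table 100, whose only route
# declares every destination local, so the stack delivers them to Squid
# instead of forwarding them. None of the ip/iptables -A lines below are
# idempotent: running the block a second time appends duplicate rules, and
# "-N DIVERT" fails once the chain exists.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# DIVERT: packets that already belong to a local socket (the rest of an
# intercepted flow) only get the mark; new TCP/80 flows are handed to
# Squid's tproxy port 3129. The mark value must match the "ip rule" above.
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# NAT for everything that is not intercepted and leaves via the upstream link.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

# NOTE(review): the ACCEPT rules below only restrict traffic if the chain
# policies are DROP, and no "iptables -P" line is part of this listing; with
# the default ACCEPT policies they are no-ops. If the policies are DROP, the
# FORWARD pair looks inverted for a LAN-side $LAN_IF: NEW is accepted toward
# the LAN (-o) but only RELATED,ESTABLISHED from it (-i). Kept exactly as in
# the original; confirm the intended direction before relying on it.
iptables -A FORWARD -o "$LAN_IF" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT   # echo-reply
# New TCP connections arriving on the LAN side, rate-limited to 5 SYN/s.
iptables -A INPUT -i "$LAN_IF" -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT   # echo-request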


================================
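# squid3 config (Squid 3.1, TPROXY interception on port 3129)
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access policy. Squid stops at the first matching http_access line, so
# order matters. The cache manager stays reachable from localhost only
# (the squidclient check in the comments below still works). The three
# "deny" lines are the stock Squid defaults: the original listing had them
# as "allow", which would expose the mgr: pages to every client, let
# clients reach any port through the proxy, and permit CONNECT tunnels to
# non-TLS ports.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow all

# Interception port; must match the --on-port of the TPROXY iptables rule.
http_port 3129 tproxy
tcp_outgoing_address 0.0.0.0
udp_incoming_address 0.0.0.0
udp_outgoing_address 0.0.0.0
icp_port 0

# Do not reveal the proxy, its version, or the client address to origin servers.
via off
forwarded_for off
log_mime_hdrs off
httpd_suppress_version_string on

ie_refresh on
cache_mem 256 MB
maximum_object_size_in_memory 16 KB
cache_dir ufs /var/spool/squid3/cache1 1000 16 256
cache_dir ufs /var/spool/squid3/cache2 1000 16 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
minimum_object_size 0 KB
maximum_object_size 40960 KB
mime_table /usr/share/squid3/mime.conf
# The original listing had logformat and access_log fused onto one line.
# The field list after %03>Hs is reconstructed from the sample access.log
# entries further down the page (size, method, URL, user, hierarchy/peer,
# MIME type); verify it against the running configuration.
logformat common %{%Y-%m-%d %H:%M:%S}tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid3/access.log common
cache_log /var/log/squid3/cache.log
cache_store_log none
logfile_rotate 5
# (a second "log_mime_hdrs off" from the original listing was dropped; it is set above)
shutdown_lifetime 5 seconds
log_icp_queries off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 1440 20% 14400
cache_mgr webmaster
# Drop privileges after start-up; Squid must not keep running as root.
cache_effective_user proxy
cache_effective_group proxy
pid_filename /var/run/squid3.pid
coredump_dir /var/cache/squid3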


==========
Reference: http://wiki.squid-cache.org/Features/Tproxy4

Check that the Squid build supports TPROXY:
Squid 3.1: squid3 -v | grep "enable-linux-netfilter"
Kernel 2.6.35 or newer
iptables 1.4.1

=======================
Sample access log and netstat output:


root@ThinkPad:~# tail -f /var/log/squid3/access.log
2012-02-08 17:08:18    267 192.168.2.200 TCP_MISS/200 3410 GET http://l.yimg.com/cv/ae/us/yahoo/111031/120x45liw942fx1.jpg - DIRECT/216.115.100.102 image/jpeg
2012-02-08 17:08:18    347 192.168.2.200 TCP_MISS/200 1539 GET http://l1.yimg.com/a/i/ww/met/pa_icons_18/twitter_new_20101222.gif - DIRECT/216.115.100.102 image/gif
2012-02-08 17:08:18     24 192.168.2.200 TCP_HIT/200 3070 GET http://l.yimg.com/a/i/mntl/aut/09q4/def_aa9d6007.jpg - NONE/- image/jpeg
2012-02-08 17:08:19    562 192.168.2.200 TCP_MISS/200 3440 GET http://l.yimg.com/cv/ip/ap/default/120207/bikeman_sec.jpg - DIRECT/216.115.100.102 image/jpeg
2012-02-08 17:08:19      1 192.168.2.200 TCP_HIT/200 2577 GET http://l.yimg.com/a/i/ww/met/sprite_videoicon_20100201_ltr.png - NONE/- image/png
2012-02-08 17:08:19    861 192.168.2.200 TCP_MISS/200 5836 GET http://l1.yimg.com/cv/ip/ap/default/120207/moreno2_sm.jpg - DIRECT/216.115.100.102 image/jpeg
2012-02-08 17:08:19    886 192.168.2.200 TCP_MISS/200 6500 GET http://l1.yimg.com/cv/ip/ap/default/120207/maria_sm.jpg - DIRECT/216.115.100.102 image/jpeg
2012-02-08 17:08:19    913 192.168.2.200 TCP_MISS/200 3467 GET http://l.yimg.com/cv/ip/ap/default/120208/syria_sc.jpg - DIRECT/216.115.100.102 image/jpeg

root@ThinkPad:~# netstat -tuanp | grep squid
tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN      1805/(squid)   
tcp        0      0 110.164.205.140:80      192.168.2.200:51088     ESTABLISHED 1805/(squid)   
tcp        0      0 192.168.2.200:47416     216.115.100.102:80      ESTABLISHED 1805/(squid)   
tcp        0      0 192.168.2.200:38141     216.115.100.102:80      ESTABLISHED 1805/(squid)   
tcp        0      0 192.168.2.200:50905     216.115.100.102:80      ESTABLISHED 1805/(squid)   
tcp        0      0 110.164.205.143:80      192.168.2.200:51120     ESTABLISHED 1805/(squid)   
tcp        0      0 216.115.100.103:80      192.168.2.200:51133     ESTABLISHED 1805/(squid)   
tcp        0      0 192.168.2.200:43751     216.115.100.102:80      ESTABLISHED 1805/(squid)   
 

1 comment:

  1. Check via squidclient:

    root@ubuntu:/home# squidclient -p 3129 mgr:info
    HTTP/1.0 200 OK
    Server: squid
    Mime-Version: 1.0
    Date: Thu, 16 Feb 2012 10:09:25 GMT
    Content-Type: text/plain
    Expires: Thu, 16 Feb 2012 10:09:25 GMT
    Last-Modified: Thu, 16 Feb 2012 10:09:25 GMT
    X-Cache: MISS from localhost
    X-Cache-Lookup: MISS from localhost:3129
    Connection: close

    Squid Object Cache: Version 3.1.11
    Start Time: Thu, 16 Feb 2012 08:31:29 GMT
    Current Time: Thu, 16 Feb 2012 10:09:25 GMT
    Connection information for squid:
    Number of clients accessing cache: 2
    Number of HTTP requests received: 1452
    Number of ICP messages received: 0
    Number of ICP messages sent: 0
    Number of queued ICP replies: 0
    Number of HTCP messages received: 0
    Number of HTCP messages sent: 0
    Request failure ratio: 0.00
    Average HTTP requests per minute since start: 14.8
    Average ICP messages per minute since start: 0.0
    Select loop called: 218061 times, 26.946 ms avg
    Cache information for squid:
    Hits as % of all requests: 5min: 22.9%, 60min: 21.3%
    Hits as % of bytes sent: 5min: 34.3%, 60min: 20.1%
    Memory hits as % of hit requests: 5min: 0.0%, 60min: 4.4%
    Disk hits as % of hit requests: 5min: 75.0%, 60min: 90.6%
    Storage Swap size: 205660 KB
    Storage Swap capacity: 5.0% used, 95.0% free
    Storage Mem size: 3204 KB
    Storage Mem capacity: 1.2% used, 98.8% free
    Mean Object Size: 27.96 KB
    Requests given to unlinkd: 2
    Median Service Times (seconds) 5 min 60 min:
    HTTP Requests (All): 0.42149 0.28853
    Cache Misses: 0.49576 0.49576
    Cache Hits: 0.01098 0.00286
    Near Hits: 0.00000 0.00000
    Not-Modified Replies: 0.00000 0.00091
    DNS Lookups: 0.04639 0.06364
    ICP Queries: 0.00000 0.00000
    Resource usage for squid:
    UP Time: 5875.809 seconds
    CPU Time: 5.116 seconds
    CPU Usage: 0.09%
    CPU Usage, 5 minute avg: 0.05%
    CPU Usage, 60 minute avg: 0.08%
    Process Data Segment Size via sbrk(): 9268 KB
    Maximum Resident Size: 82032 KB
    Page faults with physical i/o: 2
    Memory usage for squid via mallinfo():
    Total space in arena: 9400 KB
    Ordinary blocks: 9359 KB 31 blks
    Small blocks: 0 KB 0 blks
    Holding blocks: 26784 KB 10 blks
    Free Small blocks: 0 KB
    Free Ordinary blocks: 40 KB
    Total in use: 36143 KB 100%
    Total free: 40 KB 0%
    Total size: 36184 KB
    Memory accounted for:
    Total accounted: 5908 KB 16%
    memPool accounted: 5908 KB 16%
    memPool unaccounted: 30275 KB 84%
    memPoolAlloc calls: 374129
    memPoolFree calls: 380838
    File descriptor usage for squid:
    Maximum number of file descriptors: 65535
    Largest file desc currently in use: 27
    Number of file desc currently in use: 22
    Files queued for open: 0
    Available number of file descriptors: 65513
    Reserved number of file descriptors: 100
    Store Disk files open: 0
    Internal Data Structures:
    7384 StoreEntries
    640 StoreEntries with MemObjects
    637 Hot Object Cache Items
    7355 on-disk objects
    root@ubuntu:/home#
