Skip to main content

routing - Getting Squid and TPROXY with IPv6 working on CentOS 7

I'm having trouble getting TPROXY working with Squid and
IPv6 on a CentOS 7 server. I was previously using a generic intercept setup with NAT,
but it was limited to IPv4 only. I'm now expanding the setup to include IPv6 with
TPROXY.



I've been using the official Squid wiki
article on the subject to configure
everything:



href="http://wiki.squid-cache.org/Features/Tproxy4"
rel="noreferrer">http://wiki.squid-cache.org/Features/Tproxy4




Thus
far the TPROXY config appears to be working for IPv4 with no issues. With IPv6 however
connections are timing out and not working properly. I'll break down the setup for
better understanding.



Note all firewall and
routing rules are exactly the same for IPv4, the only difference is
inet6 and ip6tables for configuring
IPv6 based rules in the examples
below.




  • OS and Kernel:
    CentOS 7 (3.10.0-229.14.1.el7.x86_64)

  • All packages are up
    to date according to yum

  • Squid Version: 3.3.8 (Also tried
    3.5.9)

  • Firewall: iptables/ip6tables
    1.4.21


  • libcap-2.22-8.el7.x86_64



IPv6
connectivity is currently through a 6in4 tunnel via Hurricane Electric, this is
configured on the DD-WRT router and then the assigned prefix delegated to clients via
radvd. The Squid box has several static IPv6 addresses
configured.



The Squid box sits within the main
LAN which it is serving. Clients that are having traffic on port 80 intercepted (mainly
wireless clients) are being pushed to the Squid box via my DD-WRT router with the
following firewall and routing rules, adapted from the Policy Routing wiki article and
DD-WRT wiki





This appears
to be working OK in terms of passing the traffic to the Squid box. One additional rule I
had to add on the DD-WRT router in addition to the above was an exception rule for the
configured outgoing IPv4 and IPv6 addresses on the Squid box, otherwise I get a crazy
loop issue and traffic gets broken for all clients including the main LAN that uses
Squid on
3128.




ip6tables
            -t mangle -I PREROUTING -p tcp --dport 80 -s "$OUTGOING_PROXY_IPV6" -j
            ACCEPT


On the Squid
box I am then using the following routing rules and the DIVERT chain to handle the
traffic accordingly. I needed to add additional rules to prevent any errors with the
chain already existing during testing. My firewall is CSF, I
have added the following to
csfpre.sh



ip
            -f inet6 route flush table 100
ip -f inet6 rule del fwmark 1 lookup
            100

ip -f inet6 rule add fwmark 1 lookup
            100

ip -f inet6 route add local default dev eno1 table
            100

ip6tables -t mangle -F
ip6tables -t mangle
            -X
ip6tables -t mangle -N DIVERT

ip6tables -t mangle -A
            DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j
            ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j
            DIVERT
ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
            --tproxy-mark 0x1/0x1 --on-port
            3129



squid.conf
is configured for two
ports:



http_proxy
            3128
http_proxy 3129
            tproxy


In addition I
am also using Privoxy and had to add no-tproxy to my cache_peer
line, otherwise all traffic was unable to be forwarded for both
protocols.




cache_peer
            localhost parent 8118 7 no-tproxy no-query
            no-digest


I am not
using any tcp_outgoing_address directives because of Privoxy,
instead I am controlling the outbound addresses through CentOS and the bind
order.



sysctl
values:



net.ipv4.ip_forward
            = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter
            = 0

net.ipv4.conf.eno1.rp_filter =
            0


I am not sure if the
rp_filter modifications are needed as the setup works on IPv4
with or without them and produces the same result for
IPv6.



SELINUX



SELINUX
is enabled on the Squid box, but policies have been configured to allow the TPROXY
setup, so its not being blocked (IPv4 working shows this anyway). I have checked with
grep squid /var/log/audit/audit.log | audit2allow -a and get
matches>



#=============
            squid_t ==============


#!!!! This avc is allowed in the
            current policy
allow squid_t self:capability
            net_admin;

#!!!! This avc is allowed in the current
            policy
allow squid_t self:capability2
            block_suspend;

#!!!! This avc is allowed in the current
            policy
allow squid_t unreserved_port_t:tcp_socket
            name_connect;



I
have also set the following
booleans:



setsebool
            squid_connect_any 1
setsebool squid_use_tproxy
            1


Broken IPv6
connectivity



Ultimately, IPv6 connectivity is
completely broken for TPROXY clients (LAN clients on port 3128
which use a WPAD/PAC file have fully working IPv6). While it appears the traffic is
being routed to the Squid box in some way, no requests over IPv6 via TPROXY are
appearing in the access.log. All IPv6 requests both literal
IPv6 and DNS, timeout. I can access internal IPv6 clients but again, this traffic isn't
logged either.




I did some testing
using test-ipv6.com and found that it detected my outgoing Squid IPv6 address but the
IPv6 tests either showed as bad/slow or timeout. I temporarily enabled the via header
and found the Squid HTTP header was visible, so the traffic is at least getting to the
Squid box but not being routed properly once its
there.



I've been trying to get this to work for
some time and cannot find what the problem is, I've even asked on the Squid mailing
list, but have been unable to diagnose the actual issue or solve it. Based on my
testing, I'm pretty sure its one of the following areas and the Squid box the
problem:




  • Routing

  • Kernel

  • Firewall




Any
ideas and additional steps that I can take to get TPROXY and IPv6 working would be
greatly appreciated!



Additional
information



ip6tables
rules:



Chain
            PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT
            tcp ::/0 ::/0 socket

TPROXY tcp ::/0 ::/0 tcp dpt:80 TPROXY
            redirect :::3129 mark 0x1/0x1

Chain INPUT (policy
            ACCEPT)
target prot opt source destination

Chain FORWARD
            (policy ACCEPT)
target prot opt source destination

Chain
            OUTPUT (policy ACCEPT)
target prot opt source
            destination


Chain POSTROUTING (policy
            ACCEPT)
target prot opt source destination

Chain DIVERT
            (1 references)
target prot opt source destination
MARK all ::/0 ::/0
            MARK set 0x1
ACCEPT all ::/0
            ::/0



IPv6
routing table (prefix
obscured)



unreachable
            ::/96 dev lo metric 1024 error -101
unreachable ::ffff:0.0.0.0/96 dev lo
            metric 1024 error -101
2001:470:xxxx:xxx::5 dev eno1 metric 0
 cache
            mtu 1480
2001:470:xxxx:xxx:b451:9577:fb7d:6f2d dev eno1 metric 0

            cache
2001:470:xxxx:xxx::/64 dev eno1 proto kernel metric
            256
unreachable 2002:a00::/24 dev lo metric 1024 error
            -101

unreachable 2002:7f00::/24 dev lo metric 1024 error
            -101
unreachable 2002:a9fe::/32 dev lo metric 1024 error
            -101
unreachable 2002:ac10::/28 dev lo metric 1024 error
            -101
unreachable 2002:c0a8::/32 dev lo metric 1024 error
            -101
unreachable 2002:e000::/19 dev lo metric 1024 error
            -101
unreachable 3ffe:ffff::/32 dev lo metric 1024 error
            -101
fe80::/64 dev eno1 proto kernel metric 256
default via
            2001:470:xxxx:xxxx::1 dev eno1 metric
            1

Comments

Post a Comment

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits, ...
Post a Comment
Read more

linux - Awstats - outputting stats for merged Access_logs only producing stats for one server's log

I've been attempting this for two weeks and I've accessed countless number of sites on this issue and it seems there is something I'm not getting here and I'm at a lost. I manged to figure out how to merge logs from two servers together. (Taking care to only merge the matching domains together) The logs from the first server span from 15 Dec 2012 to 8 April 2014 The logs from the second server span from 2 Mar 2014 to 9 April 2014 I was able to successfully merge them using the logresolvemerge.pl script simply enermerating each log and > out_putting_it_to_file Looking at the two logs from each server the format seems exactly the same. The problem I'm having is producing the stats page for the logs. The command I've boiled it down to is /usr/share/awstats/tools/awstats_buildstaticpages.pl -configdir=/home/User/Documents/conf/ -config=example.com awstatsprog=/usr/share/awstats/wwwroot/cgi-bin/awstats.pl dir=/home/User/Documents/parced -month=all -year=all...
Post a Comment
Read more