Enhancement #2967
Transparent proxy: switch implementation from TPROXY to REDIRECT
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squid | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
The current implementation of the transparent proxy is based on TPROXY.
TPROXY does not modify the IP header, so the firewall can be used in bridged mode to scan all passing traffic without modifying any network configuration in the target environment.
But this implementation has some drawbacks:
- it can't correctly handle squidGuard redirect directives (#2958)
- it's hard to create transparent bypass rules based on source and destination (#2503)
The REDIRECT implementation will largely simplify the firewall configuration and will address the above problems.
However, this implementation can't be used in bridged mode, but that scenario is not supported by the underlying system for now.
Related issues
Associated revisions
templates: remove TPROXY, use REDIRECT. Refs #2967
shorewall: redirect https to port 3130. Refs #2967
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 6 years ago
- Related to Feature #2503: Web proxy: bypass rules based on destination and source added
#3 Updated by Giacomo Sanchietti over 6 years ago
- Related to Enhancement #2958: squidGuard: support multiple profiles added
#4 Updated by Giacomo Sanchietti over 6 years ago
- Category changed from nethserver-squid to <multiple packages>
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 6 years ago
- Subject changed from Transparent proxy: switch iplementation from TPROXY to DNAT to Transparent proxy: switch iplementation from TPROXY to REDIRECT
- Description updated (diff)
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#7 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
Package in nethserver-testing:
- nethserver-squid-1.2.0-18.0gitcfbd3944.ns6.noarch.rpm
- nethserver-squid-1.2.0-20.0git1a759fc7.ns6.noarch.rpm
- Enable proxy in transparent mode on green interface
- Enable proxy in transparent mode on blue interface
- Check clients on both networks can surf through the proxy
#8 Updated by Giacomo Sanchietti over 6 years ago
- Category changed from <multiple packages> to nethserver-squid
#9 Updated by Giacomo Sanchietti over 6 years ago
From Filippo on #2958:
In squid.conf https port is 3130, but shorewall redirects to 3129.
--- 90squid 2014-12-05 15:49:52.000000000 +0100 +++ /etc/e-smith/templates/etc/shorewall/rules/90squid 2014-12-04 20:02:19.230206865 +0100 @@ -64,7 +64,7 @@ $OUT.="REDIRECT\tloc$bypass_src_str\t3129\ttcp\t80\t-\t$bypass_dst_str\n"; if ($green_mode =~ /ssl/) { $OUT .="?COMMENT transparent proxy on green for port 443\n"; - $OUT.="REDIRECT\tloc$bypass_src_str\t3129\ttcp\t443\t-\t$bypass_dst_str\n"; + $OUT.="REDIRECT\tloc$bypass_src_str\t3130\ttcp\t443\t-\t$bypass_dst_str\n"; } } @@ -84,7 +84,7 @@ $OUT.="REDIRECT\tblue$bypass_src_str\t3129\ttcp\t80\t-\t$bypass_dst_str\n"; if ($blue_mode =~ /ssl/) { $OUT .="?COMMENT transparent proxy on blue for port 443\n"; - $OUT.="REDIRECT\tloc$bypass_src_str\t3129\ttcp\t443\t-\t$bypass_dst_str\n"; + $OUT.="REDIRECT\tloc$bypass_src_str\t3130\ttcp\t443\t-\t$bypass_dst_str\n"; } } }
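Review bot: the value 3130 in the first hunk (green, port 443) is hard-coded in the shorewall template while squid.conf independently carries the same https port, which is exactly how the 3129/3130 mismatch reported above crept in; consider deriving both the `https_port` line and the `REDIRECT ... 3130 tcp 443` rule from one configuration property so the two files cannot drift apart again.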
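Review bot: in the second hunk (blue) the port 443 rule is still emitted for the `loc` zone, `$OUT.="REDIRECT\tloc$bypass_src_str\t3130\ttcp\t443\t-\t$bypass_dst_str\n";`, while the port 80 rule just above it uses `blue$bypass_src_str` and the `?COMMENT` line says "transparent proxy on blue"; this change only fixes the port, so HTTPS from the blue network is still not redirected and the line merely duplicates the green rule. Suggest `$OUT.="REDIRECT\tblue$bypass_src_str\t3130\ttcp\t443\t-\t$bypass_dst_str\n";` and a test from a blue client, since #11 below notes blue was not tested.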
#10 Updated by Giacomo Sanchietti over 6 years ago
New package in nethserver-testing:
- nethserver-squid-1.2.1.1-1.ns6.noarch.rpm
#11 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Tested with transparent on green, I can surf.
iptables nat table has a redirect to port 3129 for port 80 and 3130 for port 443.
Looking at templates, I think that blue will work, but not tested.
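A consistency check for the kind of mismatch reported in #9 (squid.conf intercept ports versus the nat REDIRECT rules that #11 inspected by hand), as an added example that is not part of this issue or of nethserver-squid. The squid.conf lines, the interface name br0 and the `iptables -t nat -S` output are constructed samples, and the mapping of port 80 to `http_port` and 443 to `https_port` is an assumption.

```python
import re

# Constructed sample of the relevant squid.conf lines (ports as used in this issue).
SQUID_CONF = """\
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump
"""

# Constructed sample of `iptables -t nat -S PREROUTING` output; the 443 rule still
# sends traffic to 3129, reproducing the mismatch reported in #9.
NAT_RULES = """\
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
"""

# Assumed mapping: plain HTTP must land on http_port, HTTPS on https_port.
EXPECTED = {80: "http_port", 443: "https_port"}


def squid_intercept_ports(conf):
    """Return {directive: port} for http_port/https_port lines in intercept mode."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(https?_port)\s+(?:\S*:)?(\d+)\s+.*\bintercept\b", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports


def redirect_targets(rules):
    """Return {dport: to_port} for every REDIRECT rule in `iptables -t nat -S` output."""
    targets = {}
    for line in rules.splitlines():
        m = re.search(r"--dport (\d+) .*-j REDIRECT --to-ports (\d+)", line)
        if m:
            targets[int(m.group(1))] = int(m.group(2))
    return targets


def check_redirects(conf, rules):
    """Return [(dport, redirect_port, squid_port)] for REDIRECT rules that send
    traffic to a port squid is not intercepting for that protocol; [] means consistent."""
    intercept = squid_intercept_ports(conf)
    problems = []
    for dport, to_port in redirect_targets(rules).items():
        want = intercept.get(EXPECTED.get(dport))
        if want is not None and want != to_port:
            problems.append((dport, to_port, want))
    return problems
```

On a live box the same functions can be fed the real `/etc/squid/squid.conf` and the output of `iptables -t nat -S PREROUTING`.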
#12 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-updates:
- squid-3.3.13-1.el6.x86_64.rpm
- nethserver-squid-1.3.0-1.ns6.noarch.rpm