Last week I examined squid webproxy code to understand how this tproxy thing works. I realized that developers get most of tproxy code in kernel. So in user level, all you have to create a socket:*
get its IP_TRANSPARENT(19) options set:
and bind it with required spoofing address:
after all of these, when you connect someones listening port, they will see your ip address as spoofed. But ofcourse you need to have your kernel compiled with TPROXY support.
Reason of why i dig this out is that, I need to run squid in tproxied chain mode on the same machine. When I made quick search the web, everyone says squid only operates in tproxied mode as long as it gets request from iptables. So how do we create a setup like [squid] --> [dansquardian] --> [squid] with tproxy? I asked this question to Amos Jeffries and he replied that they added this feature to squid 3.2 but haven't test it.
I tested this out and I can say it works like a charm.
I configured two squid named squid-1 and squid-2. Squid-1 is the initial one which gets the request from iptables redirection.
In squid-1 configuration file:
In squid-2 configuration file:
Please be warned to allow follow_x_forwarded_for only for necessary ones. It will cause to security leak in your setup.
You can add dansguardian process between these two squid by redirecting flow to dansguardian port with cache_peer option.
Of course you also need to configure dansguardian to send requests to squid-2.
You can reach how to configure other things such as iptables, ebtables by this link.
blog comments powered by Disqus