
Slackware 12.2 - Installing TPROXY Squid 3.1.5.1 with linux router

Public domain


kernel 2.6.28.3

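cd /usr/src || exit 1
# The tarball is fetched over plain HTTP with no integrity check; verify it
# against its kernel.org PGP signature (the matching .sign file) before
# unpacking, since everything below runs as root on the build box.
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.3.tar.bz2
tar -xjf linux-2.6.28.3.tar.bz2
ln -sfn linux-2.6.28.3 linux
cd linux || exit 1
# Start from the running Slackware config so only the netfilter options
# listed below (TPROXY target, socket and recent matches) need enabling.
cp /boot/config .config
make menuconfig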
    Load an Alternate Configuration File 
        .config
            Ok
-*- Networking support  --->
        Networking options  ---> 
            [*] Network packet filtering framework (Netfilter)  --->
                Core Netfilter Configuration  --->
                    <M>   Transparent proxying support (EXPERIMENTAL)
                    <M>   "TPROXY" target support (EXPERIMENTAL)
                    <M>   "recent" match support
                    [*]     Enable obsolete /proc/net/ipt_recent
                    <M>   "socket" match support (EXPERIMENTAL)
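# One chain: a failed build must not copy a stale bzImage into /boot.
# The stock /boot/vmlinuz is left untouched so lilo can keep it as a
# fallback entry.
make all && make modules_install \
  && /bin/cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.28.3 \
  && /bin/cp System.map /boot/System.map-2.6.28.3 \
  && /bin/cp .config /boot/config-2.6.28.3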

/etc/lilo.conf

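boot = /dev/hda
  bitmap = /boot/slack.bmp
  bmp-colors = 255,0,255,0,255,0
  bmp-table = 60,6,1,16
  bmp-timer = 65,27,0,255
append=" vt.default_utf8=0"
# 'prompt' lets anyone at the console type kernel arguments at boot; lilo's
# password= / restricted options exist for when console access is not trusted.
prompt
timeout = 50
lba32
# 'default' must name an existing image label.  The new kernel's label below
# is S12.2-2.6.28.3; the earlier value S12-2.6.28.3 matched no image.
default = S12.2-2.6.28.3
vga = 791
# Stock kernel, kept as the fallback entry.
image = /boot/vmlinuz
  root = /dev/hda2
  label = Slackware12.2
  read-only
# Kernel built above with the TPROXY / socket / recent netfilter modules.
image = /boot/vmlinuz-2.6.28.3
  root = /dev/hda2
  label = S12.2-2.6.28.3
  read-only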

new kernel startup

lilo
reboot

libcap 2.16

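cd /usr/src || exit 1
# libcap is presumably what lets squid's TPROXY code keep CAP_NET_ADMIN after
# it drops root (confirm against the squid build).  Fetched over plain HTTP
# with no checksum/signature check.
wget http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.16.tar.gz
tar -xzf libcap-2.16.tar.gz
cd libcap-2.16 || exit 1
make && make install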

iptables 1.4.3

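cd /usr/src || exit 1
# Newer iptables than the Slackware 12.2 package, presumably for the TPROXY
# target and socket match used by tproxy-divert.  No signature check here.
wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.tar.bz2
tar -xjf iptables-1.4.3.tar.bz2
cd iptables-1.4.3 || exit 1
# Build first and remove the stock package only after the build succeeded,
# so the box is never left without a working iptables binary.
./configure --prefix=/usr && make && removepkg iptables && make install
reboot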

squid 3.1.5.1

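# Raise glibc's select() fd limit before building (squid's configure checks
# it against --with-filedescriptors below).  This edits a SYSTEM header:
# every program compiled on this box afterwards sees the new value, so
# restore it once squid is built.
vi /usr/include/bits/typesizes.h
      #define __FD_SETSIZE            16384
cd /usr/src || exit 1
# Plain-HTTP download with no integrity check, as for the other tarballs.
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.5.1.tar.gz
tar -xzf squid-3.1.5.1.tar.gz
cd squid-3.1.5.1 || exit 1
# Build-time shell limits; rc.squid sets the same values at runtime.
ulimit -HSn 16384
ulimit -HSd unlimited
export CPPFLAGS="-I../libltdl"
# --enable-http-violations is what the reload-into-ims refresh_pattern
# options in squid.conf presumably depend on; --with-filedescriptors must
# match the __FD_SETSIZE edit above.
./configure \
  --prefix=/usr/local/squid \
  --enable-forward-log \
  --enable-follow-x-forwarded-for \
  --enable-snmp \
  --enable-linux-netfilter \
  --enable-http-violations \
  --enable-delay-pools \
  --enable-storeio=diskd,aufs,ufs \
  --with-large-files \
  --enable-large-cache-files \
  --with-filedescriptors=16384 \
  --enable-async-io=128 \
  --enable-removal-policies=lru,heap \
  --enable-useragent-log \
  --enable-referer-log \
  --enable-err-languages=English \
  --enable-default-err-language=English \
&& make && make install
# Keep the generated default squid.conf before replacing it with ours.
cp /usr/local/squid/etc/squid.conf{,.bak}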

/usr/local/squid/etc/squid.conf

# ---- access control -------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Cache manager interface: reachable from the local host only.
http_access allow manager localhost
http_access deny manager
# Refuse non-standard destination ports and CONNECT tunnels to anything but
# 443, so the proxy cannot be used as a relay to arbitrary services.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Client networks allowed to use the proxy.  http_access lines are evaluated
# in order and the first match wins; the closing "deny all" is what keeps
# this from being an open proxy.  Intercepted connections on 3129 keep the
# client's real source address, so the same list governs both ports.
acl our_networks src 80.191.195.0/24 78.38.32.0/24 78.38.34.0/24 217.218.229.128/26 217.218.230.111
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access deny all
# 3128: ordinary forward proxy (also the port cache-watchdog probes through).
# 3129: receives the connections diverted by the TPROXY rule in
# tproxy-divert (--on-port 3129).  Keepalive 60/10/6 matches the sysctls
# set in rc.local.
http_port 3128 tcpkeepalive=60,10,6
http_port 3129 tproxy tcpkeepalive=60,10,6
hierarchy_stoplist cgi-bin ? dll aspx
# ---- cache sizing ---------------------------------------------------------
cache_mem 2000 MB
maximum_object_size_in_memory 64 KB
cache_replacement_policy heap LFUDA
# Four 51200 MB aufs stores under /cache (created by "squid -z" at first
# launch); max-size (bytes) steers the smaller objects into the first dirs.
cache_dir aufs /cache/1 51200 16 256 max-size=262144
cache_dir aufs /cache/2 51200 16 256 max-size=524288
cache_dir aufs /cache/3 51200 16 256 max-size=2097152
cache_dir aufs /cache/4 51200 16 256
maximum_object_size 102400 KB
cache_swap_high 100
cache_swap_low 95
# ---- logging --------------------------------------------------------------
logformat squid  %tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/var/logs/access.log squid
# Keep the monitoring host's health-check requests out of access.log
# (presumably the router running cache-watchdog, which fetches its test
# page from 80.191.195.17 through this proxy — confirm).
acl watchdog src 80.191.195.17
log_access deny watchdog
# 0: "squid -k rotate" reopens the logs without renaming them; actual
# rotation is done by /etc/logrotate.d/squid.
logfile_rotate 0
# refresh_pattern rules are tried in order and the FIRST match wins, so the
# vendor-specific and dynamic-content lines must stay ahead of the generic
# extension lines.  reload-into-ims and the other override options are HTTP
# violations and presumably need the --enable-http-violations build flag
# used above.  Note: the later \.shtml$ and \.pl$ lines repeat patterns that
# already matched earlier in this list and are therefore unreachable.
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.macromedia\.com/ 0 80% 20160 reload-into-ims
refresh_pattern ftp://ftp\.nai\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://ftp\.software\.ibm\.com/ 0 80% 20160 reload-into-ims
# Dynamic content: practically uncacheable (1 minute).
refresh_pattern         cgi-bin         1 20% 2
refresh_pattern         \.asp$          1 20% 2
refresh_pattern         \.acgi$         1 20% 2
refresh_pattern         \.cgi$          1 20% 2
refresh_pattern         \.pl$           1 20% 2
refresh_pattern         \.shtml$        1 20% 2
refresh_pattern         \.php3$         1 20% 2
refresh_pattern         \?              1 20% 2
# Static objects by extension: 7 days min, 30 days max.
refresh_pattern         \.gif$          10080   90%     43200 reload-into-ims
refresh_pattern         \.jpg$          10080   90%     43200 reload-into-ims
refresh_pattern         \.bom\.gov\.au     30   20%       120 reload-into-ims
refresh_pattern         \.html$           480   50%     22160 reload-into-ims
refresh_pattern         \.htm$            480   50%     22160 reload-into-ims
refresh_pattern         \.class$        10080   90%     43200 reload-into-ims
refresh_pattern         \.zip$          10080   90%     43200 reload-into-ims
refresh_pattern         \.jpeg$         10080   90%     43200 reload-into-ims
refresh_pattern         \.mid$          10080   90%     43200 reload-into-ims
refresh_pattern         \.shtml$          480   50%     22160 reload-into-ims
refresh_pattern         \.exe$          10080   90%     43200 reload-into-ims
refresh_pattern         \.thm$          10080   90%     43200 reload-into-ims
refresh_pattern         \.wav$          10080   90%     43200 reload-into-ims
refresh_pattern         \.txt$          10080   90%     43200 reload-into-ims
refresh_pattern         \.cab$          10080   90%     43200 reload-into-ims
refresh_pattern         \.au$           10080   90%     43200 reload-into-ims
refresh_pattern         \.mov$          10080   90%     43200 reload-into-ims
refresh_pattern         \.xbm$          10080   90%     43200 reload-into-ims
refresh_pattern         \.ram$          10080   90%     43200 reload-into-ims
refresh_pattern         \.avi$          10080   90%     43200 reload-into-ims
refresh_pattern         \.chtml$          480   50%     22160 reload-into-ims
refresh_pattern         \.thb$          10080   90%     43200 reload-into-ims
refresh_pattern         \.dcr$          10080   90%     43200 reload-into-ims
refresh_pattern         \.bmp$          10080   90%     43200 reload-into-ims
refresh_pattern         \.phtml$          480   50%     22160 reload-into-ims
refresh_pattern         \.mpg$          10080   90%     43200 reload-into-ims
refresh_pattern         \.pdf$          10080   90%     43200 reload-into-ims
refresh_pattern         \.art$          10080   90%     43200 reload-into-ims
refresh_pattern         \.swf$          10080   90%     43200 reload-into-ims
refresh_pattern         \.mp3$          10080   90%     43200 reload-into-ims
refresh_pattern         \.ra$           10080   90%     43200 reload-into-ims
refresh_pattern         \.spl$          10080   90%     43200 reload-into-ims
refresh_pattern         \.viv$          10080   90%     43200 reload-into-ims
refresh_pattern         \.doc$          10080   90%     43200 reload-into-ims
refresh_pattern         \.gz$           10080   90%     43200 reload-into-ims
refresh_pattern         \.Z$            10080   90%     43200 reload-into-ims
refresh_pattern         \.tgz$          10080   90%     43200 reload-into-ims
refresh_pattern         \.tar$          10080   90%     43200 reload-into-ims
refresh_pattern         \.vrm$          10080   90%     43200 reload-into-ims
refresh_pattern         \.vrml$         10080   90%     43200 reload-into-ims
refresh_pattern         \.aif$          10080   90%     43200 reload-into-ims
refresh_pattern         \.aifc$         10080   90%     43200 reload-into-ims
refresh_pattern         \.aiff$         10080   90%     43200 reload-into-ims
refresh_pattern         \.arj$          10080   90%     43200 reload-into-ims
refresh_pattern         \.c$            10080   90%     43200 reload-into-ims
refresh_pattern         \.cpt$          10080   90%     43200 reload-into-ims
refresh_pattern         \.dir$          10080   90%     43200 reload-into-ims
refresh_pattern         \.dxr$          10080   90%     43200 reload-into-ims
refresh_pattern         \.hqx$          10080   90%     43200 reload-into-ims
refresh_pattern         \.jpe$          10080   90%     43200 reload-into-ims
refresh_pattern         \.lha$          10080   90%     43200 reload-into-ims
refresh_pattern         \.lzh$          10080   90%     43200 reload-into-ims
refresh_pattern         \.midi$         10080   90%     43200 reload-into-ims
refresh_pattern         \.movie$        10080   90%     43200 reload-into-ims
refresh_pattern         \.mp2$          10080   90%     43200 reload-into-ims
refresh_pattern         \.mpe$          10080   90%     43200 reload-into-ims
refresh_pattern         \.mpeg$         10080   90%     43200 reload-into-ims
refresh_pattern         \.mpga$         10080   90%     43200 reload-into-ims
refresh_pattern         \.pl$           10080   90%     43200 reload-into-ims
refresh_pattern         \.ppt$          10080   90%     43200 reload-into-ims
refresh_pattern         \.ps$           10080   90%     43200 reload-into-ims
refresh_pattern         \.qt$           10080   90%     43200 reload-into-ims
refresh_pattern         \.qtm$          10080   90%     43200 reload-into-ims
refresh_pattern         \.ras$          10080   90%     43200 reload-into-ims
refresh_pattern         \.sea$          10080   90%     43200 reload-into-ims
refresh_pattern         \.sit$          10080   90%     43200 reload-into-ims
refresh_pattern         \.tif$          10080   90%     43200 reload-into-ims
refresh_pattern         \.tiff$         10080   90%     43200 reload-into-ims
refresh_pattern         \.snd$          10080   90%     43200 reload-into-ims
refresh_pattern         \.wrl$          10080   90%     43200 reload-into-ims
# Protocol defaults and the catch-all; "." must stay last.
refresh_pattern         ^ftp:           1440    60%     22160
refresh_pattern         ^gopher:        1440    20%     1440
refresh_pattern      -i (cgi-bin|\?)    0       0%      0
refresh_pattern         .               480     50%     22160 reload-into-ims
quick_abort_min 32 KB
quick_abort_max 32 KB
quick_abort_pct 95
negative_ttl 3 minutes
positive_dns_ttl 15 hours
request_header_max_size 100 KB
cache_mgr Pejman_Moghadam@yahoo.com
visible_hostname SohaCache
# SNMP: read access is limited to the two mrtg hosts, but "public" is the
# well-known default community and community-string SNMP carries it in
# clear text.  Use a non-default string and firewall udp/3401 to those hosts.
acl mrtg src 80.191.195.17 127.0.0.1
acl snmppublic snmp_community public
snmp_access allow snmppublic mrtg
snmp_access deny all
snmp_port 3401
#dns_children 200
ipcache_size 10240
# Core files land here; they can contain request data, so keep this
# directory readable by the squid user only.
coredump_dir /usr/local/squid/var/cache
# "transparent": the X-Forwarded-For header is passed through untouched —
# the client's address is not appended and a client-supplied value is not
# removed, so origin servers must not treat it as authoritative.
# "via off" additionally hides this hop from origin servers (and, presumably,
# disables Squid's Via-based forwarding-loop detection — confirm).
forwarded_for transparent
via off

/etc/rc.d/rc.squid

#!/bin/bash
#
# /etc/rc.d/rc.squid
#
# Start/stop/restart the Squid web caching server.
#
# To make Squid start automatically at boot, make this
# file executable: chmod +x /etc/rc.d/rc.squid
#
# Where squid writes its pid (must match pid_filename, which squid.conf does
# not override); start() clears a stale one, stop() polls for its removal.
PIDFILE=/usr/local/squid/var/run/squid.pid

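#######################################
# Start squid with the fd/port limits it was built for.
# Globals:  PIDFILE (read; removed if stale)
# Outputs:  progress on stdout, failure on stderr
# Returns:  squid's exit status
#######################################
start()
{
  printf '%s' 'Starting TPROXY Squid . . . '

  # A pidfile with no squid process behind it is left over from an unclean
  # shutdown; remove it so it cannot interfere with the new instance.
  if ! ps -A | grep -Eq ' squid$'; then
    rm -f -- "$PIDFILE"
  fi
  # Widen the ephemeral port range (presumably for the proxy's many outbound
  # connections) and match --with-filedescriptors=16384 from the build;
  # squid inherits these limits from this shell.
  echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
  ulimit -HSn 16384
  ulimit -HSd unlimited
  # Runs as root to bind its ports and then drops to the effective user
  # (not set in squid.conf, so squid's default applies).  Report a failed
  # start instead of printing Ok unconditionally.
  if /usr/local/squid/sbin/squid; then
    echo "Ok"
  else
    echo "Failed" >&2
    return 1
  fi
}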

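#######################################
# Ask squid to shut down and wait (up to 300 s) for it to finish.
# Globals:  PIDFILE (read) — the loop assumes squid removes it on exit
# Outputs:  progress counter on stdout, timeout warning on stderr
# Returns:  0 when the pidfile disappeared, 1 on timeout
#######################################
stop()
{
  echo 'Stoping TPROXY Squid'

  # -k shutdown lets in-flight requests finish before squid exits.
  /usr/local/squid/sbin/squid -k shutdown
  local waited=0
  while (( waited < 300 )); do
    waited=$(( waited + 1 ))
    printf '%s' "$waited"
    if [ ! -f "$PIDFILE" ]; then
      break
    fi
    printf '.'
    sleep 1
  done

  # Previously this printed Ok even when squid was still running.
  if [ -f "$PIDFILE" ]; then
    echo "squid still running after ${waited}s; ${PIDFILE} still present" >&2
    return 1
  fi
  echo ". .Ok"
}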

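# Dispatch on the init action.  Unknown actions now report usage on stderr
# and exit non-zero instead of silently succeeding.
case "$1" in
  'start')
    start
    ;;

  'stop')
    stop
    ;;

  'restart')
    stop
    start
    ;;

  'rotate')
    # Asks squid to reopen its log files; with logfile_rotate 0 in squid.conf
    # the files are presumably not renamed, which is what logrotate expects.
    printf '%s' 'Rotating TPROXY Squid log files . . . '
    /usr/local/squid/sbin/squid -k rotate
    echo "Ok"
    ;;

  *)
    echo "usage $0 start|stop|restart|rotate" >&2
    exit 1
    ;;

esac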

/usr/local/sbin/tproxy-divert

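#!/bin/bash
#
# /usr/local/sbin/tproxy-divert
#
# Rebuild the mangle table on the squid box: a per-source new-connection
# rate guard (DOS-PROOF) and the TPROXY diversion of port-80 traffic to
# squid's tproxy port 3129.  Marked packets are delivered locally by the
# "ip rule add fwmark 1 lookup 100" / "ip route add local ... table 100"
# pair in rc.local.

# Config
TCPHIT="255"   # NEW TCP packets from one source within SEC seconds before dropping
SEC="1"

# Flush mangle table (removes every mangle rule, not only the ones below)
iptables -t mangle -F
iptables -t mangle -X
sleep 1

# Reload the "recent" match with bigger tables.  The module name differs
# between kernels (ipt_recent / xt_recent), hence the lookup; previously an
# empty result made basename/rmmod/modprobe fail with confusing errors.
# --hitcount below may not exceed ip_pkt_list_tot, so both are 255.
KERNEL_VERSION=$(uname -r)
RECENT_KO=$(find "/lib/modules/${KERNEL_VERSION}" -iname "*recent.ko" | head -n 1)
if [ -z "$RECENT_KO" ]; then
  echo "tproxy-divert: no *recent.ko module under /lib/modules/${KERNEL_VERSION}" >&2
  exit 1
fi
RECENT_MODULE=$(basename "$RECENT_KO" .ko)
/sbin/rmmod "$RECENT_MODULE" 2>/dev/null   # not loaded on the first run; ignore
/sbin/modprobe "$RECENT_MODULE" ip_list_tot=2048 ip_pkt_list_tot=255 ip_list_hash_size=0

# Anti DOS attack chain: a source that opens more than TCPHIT new TCP
# connections within SEC seconds is logged and then dropped; every NEW packet
# refreshes its entry.  --rttl only counts entries whose TTL matches the
# packet that created them, which blunts attempts to get a third party's
# address listed with spoofed packets.  The LOG rule is rate-limited so a
# real flood cannot also flood the logs (needs the "limit" match, xt_limit —
# standard in the Slackware kernel config, verify in .config).
iptables -t mangle -N DOS-PROOF
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --rcheck --rttl --hitcount "${TCPHIT}" --seconds "${SEC}" --name TCP-RECENT-DOS-PROOF \
  -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "TCP:FLOOD:"
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --rcheck --rttl --hitcount "${TCPHIT}" --seconds "${SEC}" --name TCP-RECENT-DOS-PROOF -j DROP
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --set --name TCP-RECENT-DOS-PROOF -j RETURN
iptables -t mangle -A DOS-PROOF -j RETURN

# Divert chain: packets that already belong to a local socket (presumably
# the later packets of intercepted connections) only need the mark so the
# fwmark rule routes them to lo.
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

# Calling chains.  There is no -i restriction: port-80 TCP arriving on ANY
# interface is intercepted; add -i <internal-if> if this host has more than
# one.  --on-port must match the "tproxy" http_port in squid.conf.
iptables -t mangle -A PREROUTING -j DOS-PROOF
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129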

/etc/rc.d/rc.local

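# use less swap memory
echo 50 > /proc/sys/vm/swappiness

# tcp keep alive tuning — the same 60/10/6 that squid.conf requests with
# tcpkeepalive=60,10,6 on its http_port lines
echo 60 >  /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 >  /proc/sys/net/ipv4/tcp_keepalive_probes

# Start TPROXY Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid start
fi

# TPROXY Route: packets carrying fwmark 1 (set by the DIVERT and TPROXY rules
# in /usr/local/sbin/tproxy-divert) are looked up in table 100, whose only
# route delivers everything locally, so squid's tproxy port receives them.
# "ip rule add" is not idempotent: running this fragment a second time in
# one boot leaves a duplicate rule.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# Divert: all mangle-table rules (DOS-PROOF, DIVERT, TPROXY) live in this
# one script; the commented-out copy that used to sit here was dropped so
# the two cannot drift apart.
/usr/local/sbin/tproxy-divert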

/etc/rc.d/rc.local_shutdown

#!/bin/bash
# Stop TPROXY Squid Cache server — only when the init script is enabled
# (Slackware convention: executable bit on the rc.* file).
squid_rc=/etc/rc.d/rc.squid
if test -x "$squid_rc"; then
  "$squid_rc" stop
fi

/etc/logrotate.d/squid

# access.log: rotated by logrotate alone (squid.conf sets logfile_rotate 0
# and this stanza has no postrotate).  186 daily files is about six months
# of client IP / URL history — a retention choice to make deliberately.
# copytruncate lets squid keep its open descriptor, at the cost that lines
# written between the copy and the truncate are lost.
/usr/local/squid/var/logs/access.log {
  daily
  rotate 186
  start 1
  copytruncate
  compress
  compresscmd /usr/bin/bzip2
  compressext .bz2
  compressoptions -sq9
  dateext
  notifempty
  missingok
}

# cache.log / store.log: same scheme, 31 days, followed by a single
# (sharedscripts) "squid -k rotate" so squid reopens its files.
/usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
  daily
  rotate 31
  start 1
  copytruncate
  compress
  compresscmd /usr/bin/bzip2
  compressext .bz2
  compressoptions -sq9
  dateext
  notifempty
  missingok
  sharedscripts
  postrotate
    /usr/local/squid/sbin/squid -k rotate
  endscript
}

First time launch

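# -p so the steps can be repeated without failing on an existing directory.
mkdir -p /usr/local/squid/var/cache
mkdir -p /cache/{1,2,3,4}
# Squid drops root after binding its ports, so the cache stores and the log
# directory must be writable by its effective user (squid.conf above does not
# set cache_effective_user; nobody is squid's default).  coredump_dir is
# /usr/local/squid/var/cache — presumably it needs the same owner to be
# usable; confirm.
chown -R nobody:nobody /cache
chown -R nobody:nobody /usr/local/squid/var/logs
# Slackware runs rc.* scripts only when they are executable.
chmod +x /etc/rc.d/rc.local_shutdown
chmod +x /etc/rc.d/rc.squid
# -z creates the cache_dir directory trees; must run before the first start.
/usr/local/squid/sbin/squid -z
/etc/rc.d/rc.squid start
# No fa-ir error pages are shipped; alias the English set so clients asking
# for that locale get a page instead of an error (presumed reason — confirm).
if [ ! -d /usr/local/squid/share/errors/fa-ir/ ]; then
  ln -sfn /usr/local/squid/share/errors/en /usr/local/squid/share/errors/fa-ir
fi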

Linux Router / cache-redirect

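#!/bin/bash
#
# cache-redirect (linux router)
#
# Policy-route the client networks' port-80 traffic through the squid TPROXY
# box: mark both directions in mangle/PREROUTING and route marked packets
# via the cache's IP in a dedicated table.  Each step checks for its object
# before adding it, so the script can be re-run.  While the hook is present,
# a dead cache black-holes client web traffic until cache-watchdog removes it.

## Config
CLIENTS="80.191.195.0/24"      # space-separated nets redirected to the cache
EXCLUDES="lksjdns"             # nets never redirected — placeholder value;
                               # iptables will try to resolve it as a hostname
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"   # the cache's MAC: its own frames must not be re-marked
INTIF="eth1"                   # unused below
MARK="1000"
TABLE="4"
##########

# Check if rule not exist, add new rule (-w: "lookup 4" must not match "lookup 40")
if ! ip rule show | grep -qw "lookup ${TABLE}"; then
  ip rule add fwmark "${MARK}" table "${TABLE}"
fi

# Check if route not exist, add new route (-F: the dots in the IP are not regex)
if ! ip route show table "${TABLE}" | grep -qFw -- "${CACHEIP}"; then
  ip route add default via "${CACHEIP}" table "${TABLE}"
fi

# Check if chain not exist, add new chain (listing a missing chain fails)
if ! iptables -t mangle -L CACHE-REDIRECT -n >/dev/null 2>&1; then
  iptables -t mangle -N CACHE-REDIRECT
fi

# Rebuild the chain: excluded nets first (both directions), then the marks.
# The former per-net existence checks were always empty after the flush, so
# they are gone.  Nothing is marked during the rebuild (traffic goes direct).
iptables -t mangle -F CACHE-REDIRECT
for NET in ${EXCLUDES}; do
  iptables -t mangle -A CACHE-REDIRECT -s "${NET}" -j RETURN
  iptables -t mangle -A CACHE-REDIRECT -d "${NET}" -j RETURN
done

# client -> origin (dport 80) and origin -> client (sport 80) are both marked:
# the reply path presumably has to traverse the cache as well for TPROXY.
for NET in ${CLIENTS}; do
  iptables -t mangle -A CACHE-REDIRECT -s "${NET}" -p tcp --dport 80 -j MARK --set-mark "${MARK}"
  iptables -t mangle -A CACHE-REDIRECT -d "${NET}" -p tcp --sport 80 -j MARK --set-mark "${MARK}"
done

# add Return (the flush above already removed any old one; kept defensively)
if iptables -t mangle -L CACHE-REDIRECT -nxv | tail -n 1 | grep -q RETURN; then
  iptables -t mangle -D CACHE-REDIRECT -j RETURN
fi
iptables -t mangle -A CACHE-REDIRECT -j RETURN

# Hook the chain into PREROUTING for every frame not sent by the cache itself.
# MAC matching only works with the cache on a directly attached segment and
# is a loop guard, not a security boundary.  The rule text must stay
# identical to the one cache-watchdog deletes, or its -D will not match.
# (Newer iptables spell the negation "! --mac-source".)
if ! iptables -t mangle -L PREROUTING -nxv | grep -q CACHE-REDIRECT; then
  iptables -t mangle -A PREROUTING -m mac --mac-source ! "${CACHEMAC}" -j CACHE-REDIRECT
fi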

Linux Router - cache-watchdog

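#!/bin/bash
#
# cache-watchdog (linux router)
#
# Keep the CACHE-REDIRECT hook in mangle/PREROUTING only while the cache is
# healthy: it must answer ping and serve IT_WORKS through its port 3128.
# Otherwise the hook is removed so client traffic is routed directly
# (fail-open).  Meant to run periodically; the schedule is not part of this
# page.

## Config
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"
IT_WORKS="http://80.191.195.17/test.html"   # served by a host other than the cache
##########

#######################################
# True when the PREROUTING hook is present.
#######################################
redirect_enabled() {
  iptables -t mangle -L PREROUTING -nxv | grep -q CACHE-REDIRECT
}

#######################################
# Install / remove the hook.  The rule text must match cache-redirect
# exactly or -D will not find it.
#######################################
enable_redirect() {
  iptables -t mangle -A PREROUTING -m mac --mac-source ! "${CACHEMAC}" -j CACHE-REDIRECT
}
disable_redirect() {
  iptables -t mangle -D PREROUTING -m mac --mac-source ! "${CACHEMAC}" -j CACHE-REDIRECT
}

# check for ping response.  Any non-zero status (no reply, or ping itself
# failing — not only status 1) counts as down, and we stop here: falling
# through to the HTTP probe could re-enable the hook that the next run
# removes again, flapping between the two.
if ! /bin/ping -c 1 -w 3 "${CACHEIP}" > /dev/null 2>&1; then
  if redirect_enabled; then
    disable_redirect
  fi
  exit 0
fi

# check for http reply from cache: fetch the test page THROUGH the proxy and
# strip the leading spaces links -dump adds to each line.  The page must
# consist of exactly "It works!".  Because it lives on 80.191.195.17 rather
# than on the cache, an outage of that web server also disables redirection.
REPLY=$(links -http-proxy "${CACHEIP}:3128" -receive-timeout 5 -unrestartable-receive-timeout 5 -dump "${IT_WORKS}" 2> /dev/null)
REPLY=$(printf '%s\n' "${REPLY}" | sed -e 's, *,,')
if [ "$REPLY" == "It works!" ]; then
  if ! redirect_enabled; then
    enable_redirect
  fi
else
  if redirect_enabled; then
    disable_redirect
  fi
fi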

Test Script

http://devel.squid-cache.org/cgi-bin/test

BY: Pejman Moghadam
TAG: squid, tproxy, kernel
DATE: 2010-08-01 12:31:36

