Installing TPROXY Squid 3 linux router
Written by vaheeD on December 28, 2012
kernel 2.6.28.3
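#!/bin/bash
# Build kernel 2.6.28.3 with the netfilter modules that Squid's tproxy mode
# needs (TPROXY target, socket match, recent match) and install it beside the
# running kernel under versioned names. Runs as root; the menuconfig step is
# interactive.
set -euo pipefail

readonly KVER="2.6.28.3"
readonly TARBALL="linux-${KVER}.tar.bz2"

cd -- /usr/src
# NOTE(review): plain-http download with no signature or checksum check;
# verify the archive against its published signature before unpacking it.
wget "http://www.kernel.org/pub/linux/kernel/v2.6/${TARBALL}"
tar jxf "$TARBALL"
ln -sfn "linux-${KVER}" linux
cd linux

# Start from the running kernel's config so only the netfilter options differ.
cp /boot/config .config
# Interactive step. In menuconfig choose "Load an Alternate Configuration File",
# enter ".config", Ok, then set:
#   -*- Networking support --->
#       Networking options --->
#         [*] Network packet filtering framework (Netfilter) --->
#             Core Netfilter Configuration --->
#               <M> Transparent proxying support (EXPERIMENTAL)
#               <M> "TPROXY" target support (EXPERIMENTAL)
#               <M> "recent" match support
#                   [*] Enable obsolete /proc/net/ipt_recent
#               <M> "socket" match support (EXPERIMENTAL)
make menuconfig

make all
make modules_install

# Versioned names keep the old kernel bootable; lilo.conf gets a second
# image entry. arch/i386/boot is the path the author used on this tree —
# confirm it exists on the build host.
/bin/cp arch/i386/boot/bzImage "/boot/vmlinuz-${KVER}"
/bin/cp System.map "/boot/System.map-${KVER}"
/bin/cp .config "/boot/config-${KVER}"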
/etc/lilo.conf
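# /etc/lilo.conf — offer the stock Slackware kernel and the new 2.6.28.3 build.
boot = /dev/hda
bitmap = /boot/slack.bmp
bmp-colors = 255,0,255,0,255,0
bmp-table = 60,6,1,16
bmp-timer = 65,27,0,255
append=" vt.default_utf8=0"
prompt
timeout = 50
lba32
# 'default' must name one of the 'label' entries below. The original value
# (S12-2.6.28.3) matched neither image, so the new kernel was not the one
# selected at boot.
default = S12.2-2.6.28.3
vga = 791

# Stock Slackware kernel, kept as the fallback entry.
image = /boot/vmlinuz
  root = /dev/hda2
  label = Slackware12.2
  read-only

# Kernel built with the TPROXY / socket / recent netfilter modules.
image = /boot/vmlinuz-2.6.28.3
  root = /dev/hda2
  label = S12.2-2.6.28.3
  read-only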
Boot into the new kernel
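# Rewrite the boot map from the new lilo.conf, and only reboot when that
# succeeded — rebooting after a failed lilo run leaves a stale map in place.
lilo || exit 1
reboot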
libcap 2.16
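#!/bin/bash
# Build and install libcap 2.16 from source (done before iptables and squid).
set -euo pipefail

readonly VER="2.16"
readonly TARBALL="libcap-${VER}.tar.gz"

cd -- /usr/src
# NOTE(review): unauthenticated http download; verify the archive's checksum
# or signature before building and installing it system-wide.
wget "http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${TARBALL}"
tar zxf "$TARBALL"
cd "libcap-${VER}"
make
make install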
iptables 1.4.3
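#!/bin/bash
# Build iptables 1.4.3 from source into /usr, replace the Slackware package
# with it, and reboot.
set -euo pipefail

readonly VER="1.4.3"
readonly TARBALL="iptables-${VER}.tar.bz2"

cd -- /usr/src
# NOTE(review): unauthenticated http download; verify the archive's checksum
# or signature before building and installing it system-wide.
wget "http://www.netfilter.org/projects/iptables/files/${TARBALL}"
tar jxf "$TARBALL"
cd "iptables-${VER}"
./configure --prefix=/usr
# Build fully before the packaged iptables is removed, so a failed build
# cannot leave the host without a working iptables binary.
make
removepkg iptables
make install
reboot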
squid 3.1.5.1
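#!/bin/bash
# Build Squid 3.1.5.1 with Linux netfilter (tproxy) support and a 16384
# file-descriptor limit, installed under /usr/local/squid.
set -euo pipefail

readonly VER="3.1.5.1"
readonly PREFIX="/usr/local/squid"
readonly TARBALL="squid-${VER}.tar.gz"

# Manual step: edit /usr/include/bits/typesizes.h and set
#   #define __FD_SETSIZE 16384
# The author's reason is not recorded; presumably so the 16384-fd build is not
# capped by the libc select() limit. NOTE(review): this edits a system header
# in place and affects every later build on the host.
vi /usr/include/bits/typesizes.h

cd -- /usr/src
# NOTE(review): unauthenticated http download; verify the archive's checksum
# or signature before building and installing it.
wget "http://www.squid-cache.org/Versions/v3/3.1/${TARBALL}"
tar zxf "$TARBALL"
cd "squid-${VER}"

# Same limits rc.squid applies at runtime; the fd limit matches
# --with-filedescriptors below.
ulimit -HSn 16384
ulimit -HSd unlimited
declare -x CPPFLAGS="-I../libltdl"

# --enable-linux-netfilter is what the 'http_port ... tproxy' listener relies
# on; --enable-snmp pairs with snmp_port in squid.conf.
./configure \
  --prefix="$PREFIX" \
  --enable-forward-log \
  --enable-follow-x-forwarded-for \
  --enable-snmp \
  --enable-linux-netfilter \
  --enable-http-violations \
  --enable-delay-pools \
  --enable-storeio=diskd,aufs,ufs \
  --with-large-files \
  --enable-large-cache-files \
  --with-filedescriptors=16384 \
  --enable-async-io=128 \
  --enable-removal-policies=lru,heap \
  --enable-useragent-log \
  --enable-referer-log \
  --enable-err-languages=English \
  --enable-default-err-language=English
make
make install

# Keep a pristine copy of the shipped config before editing it.
readonly CFG="${PREFIX}/etc/squid.conf"
cp -- "$CFG" "${CFG}.bak"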
/usr/local/squid/etc/squid.conf
# /usr/local/squid/etc/squid.conf — TPROXY forward cache.
# Only the directives the author changed from the shipped default are shown.

# --- Access control ---------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Cache-manager interface reachable from localhost only.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Client networks allowed to use the proxy; everything else is denied below.
acl our_networks src 78.38.34.0/24 217.218.229.128/26
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access deny all

# --- Listeners --------------------------------------------------------------
# 3128: explicit proxy port (also used by the router's cache-watchdog probe).
# 3129: tproxy listener; the tproxy-divert script sends port-80 traffic here
#       with TPROXY --on-port 3129.
# tcpkeepalive=60,10,6 mirrors the kernel keepalive values set in rc.local.
http_port 3128 tcpkeepalive=60,10,6
http_port 3129 tproxy tcpkeepalive=60,10,6
hierarchy_stoplist cgi-bin ? dll aspx

# --- Memory and disk cache --------------------------------------------------
cache_mem 2000 MB
maximum_object_size_in_memory 64 KB
cache_replacement_policy heap LFUDA
# Four aufs stores (created by the first-launch script), each 51200 MB,
# tiered by object size; /cache/4 takes everything up to maximum_object_size.
cache_dir aufs /cache/1 51200 16 256 max-size=262144
cache_dir aufs /cache/2 51200 16 256 max-size=524288
cache_dir aufs /cache/3 51200 16 256 max-size=2097152
cache_dir aufs /cache/4 51200 16 256
maximum_object_size 102400 KB
cache_swap_high 100
cache_swap_low 95

# --- Logging ----------------------------------------------------------------
logformat squid %tl.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/var/logs/access.log squid
# Requests from this source are kept out of access.log — presumably the router
# running cache-watchdog, which fetches a test page through port 3128.
acl watchdog src 80.191.195.17
log_access deny watchdog
# 0: 'squid -k rotate' only closes and reopens the logs (no numbered copies);
# renaming and compression are done by /etc/logrotate.d/squid.
logfile_rotate 0

# --- Refresh rules ----------------------------------------------------------
# Squid uses the FIRST refresh_pattern that matches a URL. Note that \.pl$ and
# \.shtml$ appear twice in this list; only the earlier entry of each is ever
# applied, so the later duplicates are dead configuration.
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.macromedia\.com/ 0 80% 20160 reload-into-ims
refresh_pattern ftp://ftp\.nai\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://ftp\.software\.ibm\.com/ 0 80% 20160 reload-into-ims
# Dynamic content: effectively not cached.
refresh_pattern cgi-bin 1 20% 2
refresh_pattern \.asp$ 1 20% 2
refresh_pattern \.acgi$ 1 20% 2
refresh_pattern \.cgi$ 1 20% 2
refresh_pattern \.pl$ 1 20% 2
refresh_pattern \.shtml$ 1 20% 2
refresh_pattern \.php3$ 1 20% 2
refresh_pattern \? 1 20% 2
# Static media and archives: one week minimum, 30 days maximum.
refresh_pattern \.gif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.bom\.gov\.au 30 20% 120 reload-into-ims
refresh_pattern \.html$ 480 50% 22160 reload-into-ims
refresh_pattern \.htm$ 480 50% 22160 reload-into-ims
refresh_pattern \.class$ 10080 90% 43200 reload-into-ims
refresh_pattern \.zip$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpeg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mid$ 10080 90% 43200 reload-into-ims
refresh_pattern \.shtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.exe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.thm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.wav$ 10080 90% 43200 reload-into-ims
refresh_pattern \.txt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.cab$ 10080 90% 43200 reload-into-ims
refresh_pattern \.au$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mov$ 10080 90% 43200 reload-into-ims
refresh_pattern \.xbm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ram$ 10080 90% 43200 reload-into-ims
refresh_pattern \.avi$ 10080 90% 43200 reload-into-ims
refresh_pattern \.chtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.thb$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dcr$ 10080 90% 43200 reload-into-ims
refresh_pattern \.bmp$ 10080 90% 43200 reload-into-ims
refresh_pattern \.phtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.mpg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.pdf$ 10080 90% 43200 reload-into-ims
refresh_pattern \.art$ 10080 90% 43200 reload-into-ims
refresh_pattern \.swf$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mp3$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ra$ 10080 90% 43200 reload-into-ims
refresh_pattern \.spl$ 10080 90% 43200 reload-into-ims
refresh_pattern \.viv$ 10080 90% 43200 reload-into-ims
refresh_pattern \.doc$ 10080 90% 43200 reload-into-ims
refresh_pattern \.gz$ 10080 90% 43200 reload-into-ims
refresh_pattern \.Z$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tgz$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tar$ 10080 90% 43200 reload-into-ims
refresh_pattern \.vrm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.vrml$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aifc$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aiff$ 10080 90% 43200 reload-into-ims
refresh_pattern \.arj$ 10080 90% 43200 reload-into-ims
refresh_pattern \.c$ 10080 90% 43200 reload-into-ims
refresh_pattern \.cpt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dir$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dxr$ 10080 90% 43200 reload-into-ims
refresh_pattern \.hqx$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.lha$ 10080 90% 43200 reload-into-ims
refresh_pattern \.lzh$ 10080 90% 43200 reload-into-ims
refresh_pattern \.midi$ 10080 90% 43200 reload-into-ims
refresh_pattern \.movie$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mp2$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpeg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpga$ 10080 90% 43200 reload-into-ims
refresh_pattern \.pl$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ppt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ps$ 10080 90% 43200 reload-into-ims
refresh_pattern \.qt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.qtm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ras$ 10080 90% 43200 reload-into-ims
refresh_pattern \.sea$ 10080 90% 43200 reload-into-ims
refresh_pattern \.sit$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tiff$ 10080 90% 43200 reload-into-ims
refresh_pattern \.snd$ 10080 90% 43200 reload-into-ims
refresh_pattern \.wrl$ 10080 90% 43200 reload-into-ims
refresh_pattern ^ftp: 1440 60% 22160
refresh_pattern ^gopher: 1440 20% 1440
refresh_pattern -i (cgi-bin|\?) 0 0% 0
# Catch-all for everything not matched above.
refresh_pattern . 480 50% 22160 reload-into-ims

# --- Tuning -----------------------------------------------------------------
quick_abort_min 32 KB
quick_abort_max 32 KB
quick_abort_pct 95
negative_ttl 3 minutes
positive_dns_ttl 15 hours
request_header_max_size 100 KB
# Address was redacted in this copy of the page; set a real contact here.
cache_mgr [email protected]
visible_hostname SohaCache

# --- SNMP -------------------------------------------------------------------
# Exposed only to 127.0.0.1 (the mrtg acl). NOTE(review): "public" is the
# well-known default community string; even with the acl in place, prefer a
# non-default value.
acl mrtg src 127.0.0.1
acl snmppublic snmp_community public
snmp_access allow snmppublic mrtg
snmp_access deny all
snmp_port 3401

#dns_children 200
ipcache_size 10240
coredump_dir /usr/local/squid/var/cache
# Do not alter X-Forwarded-For and do not add a Via header, so origin servers
# see the client's request headers as sent.
forwarded_for transparent
via off
/etc/rc.d/rc.squid
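#!/bin/bash
#
# /etc/rc.d/rc.squid
#
# Start/stop/restart the Squid web caching server.
#
# To make Squid start automatically at boot, make this
# file executable:  chmod +x /etc/rc.d/rc.squid
#
# Usage: rc.squid start|stop|restart|rotate

PIDFILE="/usr/local/squid/var/run/squid.pid"
SQUID="/usr/local/squid/sbin/squid"
# Seconds to wait for the pid file to disappear after 'squid -k shutdown'.
STOP_TIMEOUT=300

#######################################
# Start squid. When no "squid" process is listed, a leftover pid file from
# an unclean shutdown is removed first.
# Globals:   PIDFILE, SQUID (read)
# Outputs:   progress text on stdout
#######################################
start() {
  printf 'Starting TPROXY Squid . . . '
  # 'ps -A' lists every process; the pattern matches a command column that
  # ends in " squid".
  if ! ps -A | grep -Eq ' squid$'; then
    if [[ -f "$PIDFILE" ]]; then
      rm -f -- "$PIDFILE"
    fi
  fi
  # Wider ephemeral port range for the proxy's outbound connections, and the
  # fd limit the binary was built with (--with-filedescriptors=16384).
  printf '%s\n' "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
  ulimit -HSn 16384
  ulimit -HSd unlimited
  "$SQUID"
  echo "Ok"
}

#######################################
# Ask squid to shut down and wait up to STOP_TIMEOUT seconds for the pid
# file to go away, printing a counter and dots as progress.
# Globals:   PIDFILE, SQUID, STOP_TIMEOUT (read)
# Outputs:   progress text on stdout
#######################################
stop() {
  local waited=0
  echo 'Stoping TPROXY Squid'
  "$SQUID" -k shutdown
  while (( waited < STOP_TIMEOUT )); do
    waited=$((waited + 1))
    printf '%s' "$waited"
    if [[ ! -f "$PIDFILE" ]]; then
      break
    fi
    printf '.'
    sleep 1
  done
  echo ". .Ok"
}

#######################################
# Close and reopen the log files (squid.conf has logfile_rotate 0, so no
# numbered copies are made; logrotate handles the renaming).
#######################################
rotate() {
  printf 'Rotating TPROXY Squid log files . . . '
  "$SQUID" -k rotate
  echo "Ok"
}

case "${1:-}" in
  'start')
    start
    ;;
  'stop')
    stop
    ;;
  'restart')
    stop
    start
    ;;
  'rotate')
    rotate
    ;;
  *)
    echo "usage $0 start|stop|restart|rotate"
    ;;
esac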
/usr/local/sbin/tproxy-divert
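#!/bin/bash
# /usr/local/sbin/tproxy-divert
# Rebuild the mangle table for TPROXY: a per-source new-connection guard
# (xt_recent), then divert port-80 traffic to squid's tproxy listener.
# Relies on the "fwmark 1 -> table 100 -> local" policy route set up in
# rc.local; without it the marked packets are not delivered locally.
set -euo pipefail

# Config
TCPHIT="255"          # new TCP connections per source within SEC that trip the guard
SEC="1"
TPROXY_PORT="3129"    # must match 'http_port 3129 tproxy' in squid.conf

# Flush mangle table
# NOTE(review): this drops every rule in the mangle table, not only the ones
# this script owns.
iptables -t mangle -F
iptables -t mangle -X
sleep 1

# Load recent module
# Reload the recent-match module so the list-size parameters take effect.
# ip_pkt_list_tot bounds --hitcount, hence 255 for both it and TCPHIT.
KERNEL_VERSION=$(uname -r)
RECENT_PATH=$(find "/lib/modules/${KERNEL_VERSION}" -iname "*recent.ko" | head -n 1)
if [[ -z "$RECENT_PATH" ]]; then
  echo "tproxy-divert: no recent-match module found for ${KERNEL_VERSION}" >&2
  exit 1
fi
RECENT_MODULE=$(basename -- "$RECENT_PATH" .ko)
# rmmod fails when the module is not loaded yet (first run); that is fine.
/sbin/rmmod "$RECENT_MODULE" 2>/dev/null || true
/sbin/modprobe "$RECENT_MODULE" ip_list_tot=2048 ip_pkt_list_tot=255 ip_list_hash_size=0

# Anti DOS attack chain
# A source that opened more than TCPHIT new connections in the last SEC
# seconds is logged and dropped; otherwise it is recorded and the packet
# continues. -m limit keeps the LOG rule from flooding the kernel log while
# a burst is being dropped.
iptables -t mangle -N DOS-PROOF
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --rcheck --rttl --hitcount "$TCPHIT" --seconds "$SEC" --name TCP-RECENT-DOS-PROOF \
  -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "TCP:FLOOD:"
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --rcheck --rttl --hitcount "$TCPHIT" --seconds "$SEC" --name TCP-RECENT-DOS-PROOF \
  -j DROP
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --set --name TCP-RECENT-DOS-PROOF -j RETURN
iptables -t mangle -A DOS-PROOF -j RETURN

# Divert chain
# Packets that already belong to a local socket (-m socket) are marked 1 so
# the policy route delivers them locally instead of hitting TPROXY again.
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

# Calling chains
iptables -t mangle -A PREROUTING -j DOS-PROOF
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"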
/etc/rc.d/rc.local
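# /etc/rc.d/rc.local — boot-time setup for the TPROXY squid host.
# Kept POSIX and without 'set -e': Slackware's rc.M sources this file.

# use less swap memory
echo 50 > /proc/sys/vm/swappiness

# tcp keep alive tuning (matches tcpkeepalive=60,10,6 on the squid http_ports)
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes

# Start TPROXY Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid start
fi

# TPROXY Divert — superseded by /usr/local/sbin/tproxy-divert (called below);
# kept only as a record of the rules it installs.
#iptables -t mangle -N DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# TPROXY Route: packets carrying fwmark 1 (set by DIVERT/TPROXY) are looked
# up in table 100, whose only route delivers them to the local host.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# Divert — only once table 100 actually holds a route; installing the TPROXY
# rules without it would black-hole every diverted connection.
if ip route show table 100 | grep -q .; then
  /usr/local/sbin/tproxy-divert
else
  echo "rc.local: TPROXY route table 100 is empty; tproxy-divert not run" >&2
fi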
/etc/rc.d/rc.local_shutdown
#!/bin/bash
# /etc/rc.d/rc.local_shutdown — run at shutdown; stops squid cleanly through
# rc.squid when that script is installed and executable.

squid_rc="/etc/rc.d/rc.squid"

# Stop TPROXY Squid Cache server:
if [ -x "$squid_rc" ]; then
  "$squid_rc" stop
fi
/etc/logrotate.d/squid
# /etc/logrotate.d/squid — daily rotation of the Squid logs with bzip2.
# squid.conf sets 'logfile_rotate 0', so 'squid -k rotate' only closes and
# reopens the files; the renaming and compression happen here.

# Access log: kept for 186 days.
/usr/local/squid/var/logs/access.log {
    daily
    rotate 186
    start 1
    # copytruncate copies the file and truncates it in place, so squid keeps
    # writing to its open descriptor; lines logged between the copy and the
    # truncate are lost.
    copytruncate
    compress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    compressoptions -sq9
    dateext
    notifempty
    missingok
}

# cache.log and store.log: kept for 31 days; squid reopens them afterwards.
/usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
    daily
    rotate 31
    start 1
    copytruncate
    compress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    compressoptions -sq9
    dateext
    notifempty
    missingok
    # sharedscripts: run postrotate once for both files, not once per file.
    sharedscripts
    postrotate
        /usr/local/squid/sbin/squid -k rotate
    endscript
}
First-time launch
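#!/bin/bash
# First-time launch: create the cache directories squid.conf refers to, hand
# them to the unprivileged user, build the cache structure and start squid.
# Safe to re-run: every step is idempotent.
set -euo pipefail

readonly SQUID_HOME="/usr/local/squid"

mkdir -p "${SQUID_HOME}/var/cache"
# /cache/1..4 are the four aufs cache_dir entries in squid.conf.
mkdir -p /cache/{1,2,3,4}
# NOTE(review): ownership goes to 'nobody'; this must be the user squid
# actually runs as (squid.conf above does not set cache_effective_user).
chown -R nobody:nobody /cache
chown -R nobody:nobody "${SQUID_HOME}/var/logs"

chmod +x /etc/rc.d/rc.local_shutdown
chmod +x /etc/rc.d/rc.squid

# Create the on-disk cache structure before the first start.
"${SQUID_HOME}/sbin/squid" -z
/etc/rc.d/rc.squid start

# Point the fa-ir error-page directory at the English set — presumably so
# clients preferring Persian still get a page; verify against squid's
# error-page language lookup.
if [[ ! -d "${SQUID_HOME}/share/errors/fa-ir/" ]]; then
  ln -sfn "${SQUID_HOME}/share/errors/en" "${SQUID_HOME}/share/errors/fa-ir"
fi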
Linux Router / cache-redirect
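#!/bin/bash
# Linux router: cache-redirect
# Policy-route client port-80 traffic to the TPROXY squid box. Packets from or
# to CLIENTS get fwmark MARK in the CACHE-REDIRECT mangle chain, and fwmark
# MARK is routed via CACHEIP through table TABLE. Frames sourced by the cache
# box's own MAC skip the chain so its traffic is not looped back to it.
# Idempotent: every rule, route and chain is checked before it is added.
set -u

## Config
CLIENTS="80.191.195.0/24"
# NOTE(review): "lksjdns" is neither an address nor a network, so the
# '-s lksjdns' rule below fails to add. Put real networks here, or leave it
# empty to exclude nothing.
EXCLUDES="lksjdns"
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"
INTIF="eth1"    # not used by this script; kept from the author's config
MARK="1000"
TABLE="4"
##########

#######################################
# True when the CACHE-REDIRECT chain already lists $1 (literal match).
#######################################
chain_has() {
  iptables -t mangle -L CACHE-REDIRECT -nxv | grep -qF -- "$1"
}

# Check if rule not exist, add new rule
# -w: "lookup 4" must not be satisfied by e.g. "lookup 40".
if ! ip rule show | grep -qw "lookup ${TABLE}"; then
  ip rule add fwmark "${MARK}" table "${TABLE}"
fi

# Check if route not exist, add new route
# -F: the dots in CACHEIP are literal, not regex wildcards.
if ! ip route show table "${TABLE}" | grep -qF -- "${CACHEIP}"; then
  ip route add default via "${CACHEIP}" table "${TABLE}"
fi

# Check if chain not exist, add new chain (listing a missing chain fails).
if ! iptables -t mangle -nL CACHE-REDIRECT >/dev/null 2>&1; then
  iptables -t mangle -N CACHE-REDIRECT
fi

# Rebuild the chain contents from scratch.
iptables -t mangle -F CACHE-REDIRECT

# Excluded networks bypass the cache in both directions.
for NET in ${EXCLUDES}; do
  if ! chain_has "${NET}"; then
    iptables -t mangle -A CACHE-REDIRECT -s "${NET}" -j RETURN
    iptables -t mangle -A CACHE-REDIRECT -d "${NET}" -j RETURN
  fi
done

# Client HTTP requests and the returning sport-80 replies get the mark.
for NET in ${CLIENTS}; do
  if ! chain_has "${NET}"; then
    iptables -t mangle -A CACHE-REDIRECT -s "${NET}" -p tcp --dport 80 -j MARK --set-mark "${MARK}"
    iptables -t mangle -A CACHE-REDIRECT -d "${NET}" -p tcp --sport 80 -j MARK --set-mark "${MARK}"
  fi
done

# add Return: make sure the chain ends with exactly one RETURN.
if iptables -t mangle -L CACHE-REDIRECT -nxv | tail -n 1 | grep -q RETURN; then
  iptables -t mangle -D CACHE-REDIRECT -j RETURN
fi
iptables -t mangle -A CACHE-REDIRECT -j RETURN

# Check if new chain not enabled, enable new chain.
# NOTE(review): newer iptables releases want the negation before the option
# ('! --mac-source'); the form below is the older, deprecated spelling.
if ! iptables -t mangle -L PREROUTING -nxv | grep -q CACHE-REDIRECT; then
  iptables -t mangle -A PREROUTING -m mac --mac-source ! "${CACHEMAC}" -j CACHE-REDIRECT
fi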
Linux Router – cache-watchdog
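#!/bin/bash
# Linux router: cache-watchdog (run periodically, e.g. from cron)
# Keep the CACHE-REDIRECT hook in mangle PREROUTING only while the cache box
# answers ping AND serves IT_WORKS through its proxy port 3128; otherwise
# unhook it so clients fall back to direct routing. Fails closed: any probe
# error (including a missing 'links' binary) disables the redirect.
set -u

## Config
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"
IT_WORKS="http://80.191.195.17/test.html"
EXPECTED="It works!"
##########

#######################################
# True when the CACHE-REDIRECT hook is present in mangle PREROUTING.
#######################################
hook_present() {
  iptables -t mangle -L PREROUTING -nxv | grep -q CACHE-REDIRECT
}

#######################################
# Add the hook unless it is already there.
#######################################
enable_hook() {
  if ! hook_present; then
    iptables -t mangle -A PREROUTING -m mac --mac-source ! "${CACHEMAC}" -j CACHE-REDIRECT
  fi
}

#######################################
# Remove the hook if it is there.
#######################################
disable_hook() {
  if hook_present; then
    iptables -t mangle -D PREROUTING -m mac --mac-source ! "${CACHEMAC}" -j CACHE-REDIRECT
  fi
}

# check for ping response
# Any non-zero status counts as down. The original only treated status 1
# (no reply) as down, so other ping failures left the redirect enabled.
if ! /bin/ping -c 1 -w 3 "${CACHEIP}" > /dev/null 2>&1; then
  disable_hook
  exit 0
fi

# check for http reply from cache
# The page may be answered from squid's own cache, so a match proves the proxy
# is serving, not that its upstream path is healthy.
REPLY=$(links -http-proxy "${CACHEIP}:3128" -receive-timeout 5 -unrestartable-receive-timeout 5 -dump "${IT_WORKS}" 2> /dev/null)
# Strip the leading blanks 'links -dump' puts before the text on each line.
REPLY=$(printf '%s\n' "${REPLY}" | sed -e 's, *,,')
if [[ "${REPLY}" == "${EXPECTED}" ]]; then
  # Check if new chain not enabled, enable new chain
  enable_hook
else
  # Check if new chain not disabled, disable new chain
  disable_hook
fi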
Test Script
http://devel.squid-cache.org/cgi-bin/test
Bookmarks
http://onlamp.com/pub/a/onlamp/2005/11/17/tcp_tuning.html?page=2
http://fasterdata.es.net/TCP-tuning//linux.html
http://fasterdata.es.net/TCP-tuning//TCP-tuning.html
http://pmoghadam.com