I have been trying to get this working properly for two days now and desperately need help. I have set up Squid 3 as a proxy listening on port 3129 with the tproxy flag, and followed the shorewall instructions found here:
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
I am using IPv6, so I have adjusted those settings accordingly, and redirection via NAT is not an option.
When I try to connect to a remote host such as ipv6.google.com on port 80, the connection is intercepted by squid fine, which in turn connects to ipv6.google.com, but the connection eventually just times out and I am presented with a squid error page.
If I tcpdump the connection, this is what I get:
19:09:11.958367 IP6 2001:388:e000:c100:213:e8ff:fe6b:41e5.56667 > 2404:6800:4006:802::1014.80: Flags [S], seq 4011445546, win 12200, options [mss 1220,sackOK,TS val 3255676 ecr 0,nop,wscale 5], length 0
19:09:12.019139 IP6 2404:6800:4006:802::1014.80 > 2001:388:e000:c100:213:e8ff:fe6b:41e5.56667: Flags [S.], seq 1191029984, ack 4011445547, win 5712, options [mss 1410,sackOK,TS val 967841584 ecr 3255676,nop,wscale 6], length 0
This is repeated every time the TTL on the request expires.
If I use squid as a non-transparent proxy it can handle IPv6 requests without any problems. So for some reason the packets are not being returned to squid.
I am running:
kernel - 2.6.39
iptables - 1.4.11
shorewall6 - 4.4.20
squid3 - 3.1.12
EDIT - I see the same behaviour with IPv4
ip6tables -nL output:
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW
net2fw all ::/0 ::/0
loc2fw all ::/0 ::/0
ACCEPT all ::/0 ::/0
Drop all ::/0 ::/0
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
DROP all ::/0 ::/0

Chain FORWARD (policy DROP)
target prot opt source destination
net2loc all ::/0 ::/0
loc2net all ::/0 ::/0
lo_fwd all ::/0 ::/0
Reject all ::/0 ::/0
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
reject all ::/0 ::/0 [goto]

Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all ::/0 ::/0
fw2loc all ::/0 ::/0
ACCEPT all ::/0 ::/0
Reject all ::/0 ::/0
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
reject all ::/0 ::/0 [goto]

Chain Drop (3 references)
target prot opt source destination
reject tcp ::/0 ::/0 tcp dpt:113 /* Auth */
dropBcast all ::/0 ::/0
dropInvalid all ::/0 ::/0
DROP udp ::/0 ::/0 multiport dports 135,445 /* SMB */
DROP udp ::/0 ::/0 udp dpts:137:139 /* SMB */
DROP udp ::/0 ::/0 udp spt:137 dpts:1024:65535 /* SMB */
DROP tcp ::/0 ::/0 multiport dports 135,139,445 /* SMB */
dropNotSyn tcp ::/0 ::/0
DROP udp ::/0 ::/0 udp spt:53 /* Late DNS Replies */

Chain Reject (2 references)
target prot opt source destination
reject tcp ::/0 ::/0 tcp dpt:113 /* Auth */
dropBcast all ::/0 ::/0
dropInvalid all ::/0 ::/0
reject udp ::/0 ::/0 multiport dports 135,445 /* SMB */
reject udp ::/0 ::/0 udp dpts:137:139 /* SMB */
reject udp ::/0 ::/0 udp spt:137 dpts:1024:65535 /* SMB */
reject tcp ::/0 ::/0 multiport dports 135,139,445 /* SMB */
dropNotSyn tcp ::/0 ::/0
DROP udp ::/0 ::/0 udp spt:53 /* Late DNS Replies */

Chain dropBcast (2 references)
target prot opt source destination
DROP all ::/0 2001:388:e000:c100::/128
DROP all ::/0 2001:388:e000:c100:ffff:ffff:ffff:ff80/121
DROP all ::/0 ff00::/8

Chain dropInvalid (2 references)
target prot opt source destination
DROP all ::/0 ::/0 ctstate INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp ::/0 ::/0 tcpflags:! 0x17/0x02

Chain dynamic (7 references)
target prot opt source destination

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all ::/0 ::/0

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT 41 ::/0 ::/0
ACCEPT all ::/0 ::/0

Chain lo_fwd (1 references)
target prot opt source destination
sfilter all ::/0 ::/0 [goto]
dynamic all ::/0 ::/0 ctstate INVALID,NEW

Chain lo_in (0 references)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW

Chain loc2fw (1 references)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all ::/0 ::/0

Chain loc2net (1 references)
target prot opt source destination
sfilter all ::/0 ::/0 [goto]
dynamic all ::/0 ::/0 ctstate INVALID,NEW
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all ::/0 ::/0

Chain logdrop (0 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain logflags (5 references)
target prot opt source destination
LOG all ::/0 ::/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
DROP all ::/0 ::/0

Chain logreject (0 references)
target prot opt source destination
reject all ::/0 ::/0

Chain net2fw (1 references)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW
smurfs all ::/0 ::/0 ctstate INVALID,NEW
tcpflags tcp ::/0 ::/0
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT 41 ::/0 ::/0
ACCEPT tcp ::/0 ::/0 tcp dpt:2093
Drop all ::/0 ::/0
DROP all ::/0 ::/0

Chain net2loc (1 references)
target prot opt source destination
sfilter all ::/0 ::/0 [goto]
dynamic all ::/0 ::/0 ctstate INVALID,NEW
smurfs all ::/0 ::/0 ctstate INVALID,NEW
tcpflags tcp ::/0 ::/0
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp ::/0 2001:388:e000:c100:216:3eff:fe24:dce6/128 multiport dports 25,993
Drop all ::/0 ::/0
DROP all ::/0 ::/0

Chain reject (9 references)
target prot opt source destination
DROP all ::/0 2001:388:e000:c100::/128
DROP all ::/0 2001:388:e000:c100:ffff:ffff:ffff:ff80/121
DROP all ff00::/8 ::/0
DROP 2 ::/0 ::/0
REJECT tcp ::/0 ::/0 reject-with tcp-reset
REJECT udp ::/0 ::/0 reject-with icmp6-port-unreachable
REJECT icmpv6 ::/0 ::/0 reject-with icmp6-addr-unreachable
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

Chain sfilter (3 references)
target prot opt source destination
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
DROP all ::/0 ::/0

Chain shorewall (0 references)
target prot opt source destination

Chain smurflog (3 references)
target prot opt source destination
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
DROP all ::/0 ::/0

Chain smurfs (2 references)
target prot opt source destination
smurflog all 2001:388:e000:c100::/128 ::/0 [goto]
smurflog all 2001:388:e000:c100:ffff:ffff:ffff:ff80/121 ::/0 [goto]
smurflog all ff00::/8 ::/0 [goto]

Chain tcpflags (2 references)
target prot opt source destination
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x3F/0x29
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x3F/0x00
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x06/0x06
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x03/0x03
logflags tcp ::/0 ::/0 [goto] tcp spt:0 flags: 0x17/0x02
ip6tables -t mangle -nL output:
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW
net2fw all ::/0 ::/0
loc2fw all ::/0 ::/0
ACCEPT all ::/0 ::/0
Drop all ::/0 ::/0
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
DROP all ::/0 ::/0

Chain FORWARD (policy DROP)
target prot opt source destination
net2loc all ::/0 ::/0
loc2net all ::/0 ::/0
lo_fwd all ::/0 ::/0
Reject all ::/0 ::/0
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
reject all ::/0 ::/0 [goto]

Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all ::/0 ::/0
fw2loc all ::/0 ::/0
ACCEPT all ::/0 ::/0
Reject all ::/0 ::/0
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
reject all ::/0 ::/0 [goto]

Chain Drop (3 references)
target prot opt source destination
reject tcp ::/0 ::/0 tcp dpt:113 /* Auth */
dropBcast all ::/0 ::/0
dropInvalid all ::/0 ::/0
DROP udp ::/0 ::/0 multiport dports 135,445 /* SMB */
DROP udp ::/0 ::/0 udp dpts:137:139 /* SMB */
DROP udp ::/0 ::/0 udp spt:137 dpts:1024:65535 /* SMB */
DROP tcp ::/0 ::/0 multiport dports 135,139,445 /* SMB */
dropNotSyn tcp ::/0 ::/0
DROP udp ::/0 ::/0 udp spt:53 /* Late DNS Replies */

Chain Reject (2 references)
target prot opt source destination
reject tcp ::/0 ::/0 tcp dpt:113 /* Auth */
dropBcast all ::/0 ::/0
dropInvalid all ::/0 ::/0
reject udp ::/0 ::/0 multiport dports 135,445 /* SMB */
reject udp ::/0 ::/0 udp dpts:137:139 /* SMB */
reject udp ::/0 ::/0 udp spt:137 dpts:1024:65535 /* SMB */
reject tcp ::/0 ::/0 multiport dports 135,139,445 /* SMB */
dropNotSyn tcp ::/0 ::/0
DROP udp ::/0 ::/0 udp spt:53 /* Late DNS Replies */

Chain dropBcast (2 references)
target prot opt source destination
DROP all ::/0 2001:388:e000:c100::/128
DROP all ::/0 2001:388:e000:c100:ffff:ffff:ffff:ff80/121
DROP all ::/0 ff00::/8

Chain dropInvalid (2 references)
target prot opt source destination
DROP all ::/0 ::/0 ctstate INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp ::/0 ::/0 tcpflags:! 0x17/0x02

Chain dynamic (7 references)
target prot opt source destination

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all ::/0 ::/0

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT 41 ::/0 ::/0
ACCEPT all ::/0 ::/0

Chain lo_fwd (1 references)
target prot opt source destination
sfilter all ::/0 ::/0 [goto]
dynamic all ::/0 ::/0 ctstate INVALID,NEW

Chain lo_in (0 references)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW

Chain loc2fw (1 references)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all ::/0 ::/0

Chain loc2net (1 references)
target prot opt source destination
sfilter all ::/0 ::/0 [goto]
dynamic all ::/0 ::/0 ctstate INVALID,NEW
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all ::/0 ::/0

Chain logdrop (0 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain logflags (5 references)
target prot opt source destination
LOG all ::/0 ::/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
DROP all ::/0 ::/0

Chain logreject (0 references)
target prot opt source destination
reject all ::/0 ::/0

Chain net2fw (1 references)
target prot opt source destination
dynamic all ::/0 ::/0 ctstate INVALID,NEW
smurfs all ::/0 ::/0 ctstate INVALID,NEW
tcpflags tcp ::/0 ::/0
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT 41 ::/0 ::/0
ACCEPT tcp ::/0 ::/0 tcp dpt:2093
Drop all ::/0 ::/0
DROP all ::/0 ::/0

Chain net2loc (1 references)
target prot opt source destination
sfilter all ::/0 ::/0 [goto]
dynamic all ::/0 ::/0 ctstate INVALID,NEW
smurfs all ::/0 ::/0 ctstate INVALID,NEW
tcpflags tcp ::/0 ::/0
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp ::/0 2001:388:e000:c100:216:3eff:fe24:dce6/128 multiport dports 25,993
Drop all ::/0 ::/0
DROP all ::/0 ::/0

Chain reject (9 references)
target prot opt source destination
DROP all ::/0 2001:388:e000:c100::/128
DROP all ::/0 2001:388:e000:c100:ffff:ffff:ffff:ff80/121
DROP all ff00::/8 ::/0
DROP 2 ::/0 ::/0
REJECT tcp ::/0 ::/0 reject-with tcp-reset
REJECT udp ::/0 ::/0 reject-with icmp6-port-unreachable
REJECT icmpv6 ::/0 ::/0 reject-with icmp6-addr-unreachable
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

Chain sfilter (3 references)
target prot opt source destination
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
DROP all ::/0 ::/0

Chain shorewall (0 references)
target prot opt source destination

Chain smurflog (3 references)
target prot opt source destination
LOG all ::/0 ::/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
DROP all ::/0 ::/0

Chain smurfs (2 references)
target prot opt source destination
smurflog all 2001:388:e000:c100::/128 ::/0 [goto]
smurflog all 2001:388:e000:c100:ffff:ffff:ffff:ff80/121 ::/0 [goto]
smurflog all ff00::/8 ::/0 [goto]

Chain tcpflags (2 references)
target prot opt source destination
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x3F/0x29
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x3F/0x00
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x06/0x06
logflags tcp ::/0 ::/0 [goto] tcpflags: 0x03/0x03
logflags tcp ::/0 ::/0 [goto] tcp spt:0 flags: 0x17/0x02
I found the problem: two rules that I had assumed shorewall would insert are missing. Running the following fixes it:
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -I tcpre 1 -p tcp -m socket -j DIVERT
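The answer above fixes the table by hand, which is easy to lose at the next shorewall restart. The following script is an added example, not code from the question, the answer, shorewall or Squid: it parses a saved `ip6tables -t mangle -nL` listing (the same format shown in the question, and the IPv4 `iptables -nL` variant with its extra opt column) and reports which parts of the TPROXY plumbing are missing or misordered: the DIVERT chain with its MARK and ACCEPT rules, a `-m socket -j DIVERT` rule, a TPROXY rule redirecting to the proxy port, and the socket rule sitting ahead of the TPROXY rule in its chain (the reason the answer uses `-I tcpre 1`). The two listings embedded below are constructed to mirror the before and after state described in the thread; the chain name `tcpre`, port 3129 and mark 0x1 are taken from the page, and the way TPROXY and MARK rules are printed follows the iptables listing format.

```python
import re

# Constructed sample: a mangle table as ip6tables -t mangle -nL prints it, mirroring
# the question (shorewall's tcpre chain carries the TPROXY rule but nothing diverts
# packets that belong to sockets squid already owns).
MANGLE_BEFORE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
tcpre      all      ::/0                 ::/0

Chain tcpre (1 references)
target     prot opt source               destination
TPROXY     tcp      ::/0                 ::/0                 tcp dpt:80 TPROXY redirect :::3129 mark 0x1/0x1
"""

# Constructed sample: the same table after the four ip6tables commands from the answer.
MANGLE_AFTER = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
tcpre      all      ::/0                 ::/0

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all      ::/0                 ::/0                 MARK set 0x1
ACCEPT     all      ::/0                 ::/0

Chain tcpre (1 references)
target     prot opt source               destination
DIVERT     tcp      ::/0                 ::/0                 socket
TPROXY     tcp      ::/0                 ::/0                 tcp dpt:80 TPROXY redirect :::3129 mark 0x1/0x1
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
OPT_VALUES = {"--", "-f", "!f"}  # iptables prints these in the opt column; ip6tables leaves it blank


def parse_listing(text):
    """Parse `iptables -nL` / `ip6tables -nL` output into {chain: [rule, ...]}.

    Each rule is a dict with target, prot, source, destination and extra
    (the trailing match/target options exactly as printed).
    """
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target "):
            continue  # text before the first chain, or the column header line
        parts = line.split()
        idx = 2
        if len(parts) > idx and parts[idx] in OPT_VALUES:
            idx = 3  # IPv4 listing: skip the opt column
        if len(parts) < idx + 2:
            continue  # not a rule line we understand
        chains[current].append({
            "target": parts[0],
            "prot": parts[1],
            "source": parts[idx],
            "destination": parts[idx + 1],
            "extra": " ".join(parts[idx + 2:]),
        })
    return chains


def check_tproxy(chains, proxy_port=3129, mark="0x1"):
    """Return a list of problems with the TPROXY setup; an empty list means it looks complete."""
    problems = []
    divert = chains.get("DIVERT")
    if divert is None:
        problems.append("no DIVERT chain")
    else:
        targets = [r["target"] for r in divert]
        if "MARK" not in targets:
            problems.append("DIVERT chain does not MARK packets")
        if "ACCEPT" not in targets:
            problems.append("DIVERT chain does not ACCEPT after marking")

    socket_pos = tproxy_pos = None
    for name, rules in chains.items():
        for i, r in enumerate(rules):
            if r["target"] == "DIVERT" and "socket" in r["extra"].split():
                socket_pos = (name, i)
            if r["target"] == "TPROXY":
                m = re.search(r"redirect \S*?:(\d+) mark (\S+)", r["extra"])
                if m and int(m.group(1)) == proxy_port and m.group(2).startswith(mark + "/"):
                    tproxy_pos = (name, i)
    if socket_pos is None:
        problems.append("no '-m socket -j DIVERT' rule")
    if tproxy_pos is None:
        problems.append("no TPROXY rule redirecting to port %d with mark %s" % (proxy_port, mark))
    # Replies for sockets squid already owns must hit the socket rule first; if the
    # TPROXY rule is earlier in the same chain the ordering is wrong.
    if socket_pos and tproxy_pos and socket_pos[0] == tproxy_pos[0] and socket_pos[1] > tproxy_pos[1]:
        problems.append("socket rule must come before the TPROXY rule in chain " + socket_pos[0])
    return problems


if __name__ == "__main__":
    for label, dump in (("before", MANGLE_BEFORE), ("after", MANGLE_AFTER)):
        print(label, check_tproxy(parse_listing(dump)) or "ok")
```

Feed it a live listing with `ip6tables -t mangle -nL | python3 check_tproxy.py`-style plumbing (read stdin instead of the embedded samples) after each shorewall restart to confirm the DIVERT rules survived. It only sees the mangle table: TPROXY also depends on the fwmark policy route (`ip -6 rule add fwmark 1 lookup 100` and `ip -6 route add local ::/0 dev lo table 100` in the usual Squid recipe), which a missing-rule check like this cannot verify.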