[CentOS] CentOS6, IP6tables, Routing, TPROXY (squid34 epel package)

Eliezer Croitoru eliezer at ngtech.co.il
Sun Aug 20 12:19:48 UTC 2017


What happens if you remove the iptables rules:
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

Is the client able to access this ipv6 address?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Walter H.
Sent: Tuesday, August 8, 2017 21:35
To: CentOS mailing list <centos at centos.org>
Subject: [CentOS] CentOS6, IP6tables, Routing, TPROXY (squid34 epel package)

Hello,

how do I achieve this:

what must the files in /etc/sysconfig/network-scripts/ look like to be equivalent to
entering the following two commands ...
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local ::/0 dev lo table 100
is the loopback device lo correct there, or does it have to be br0?

e.g.
a file route-br0 with
192.168.1.0/24 via 10.10.10.1 dev br0
routes the segment 192.168.1.0/24 via 10.10.10.1

/etc/sysconfig/ip6tables
<BEGIN>
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-N DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT

-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

-A INPUT -i br0 -m tcp -p tcp --dport 3129 -m state --state NEW -j ACCEPT

</END>

the goal is that, for specific IPv6 hosts (destinations), the packets
are redirected through the proxy running on the router box, while other
destinations are just forwarded without the proxy ...

LAN port = br0 (dual stack), HE tunnel port = sit1 (ipv6 only), WAN port =
eth1 (ipv4 only)

Thanks,
Walter
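Added example, not code from Walter's or Eliezer's messages and not Squid's or CentOS's own: a small POSIX sh script that writes the two lines from the question into rule6-br0 and route6-br0, renders the ip(8) commands the initscript will run from them, and checks a running box for the resulting fwmark rule and local route. It assumes that ifup-routes on CentOS 6 applies each non-blank, non-comment line of rule6-<if> as "ip -6 rule add <line>" and of route6-<if> as "ip -6 route add <line>" (treat that reading of the initscript as an assumption and confirm it against /etc/sysconfig/network-scripts/ifup-routes on your box); IFACE, SCRIPTS_DIR, the function names and the sample ip output are mine. The script writes the route with dev lo exactly as the question gives it and does not decide the lo-versus-br0 point; the two commands are the ones Squid's TPROXY documentation uses, and the mark 1 in rule6 has to match the --set-mark 1 in the DIVERT chain and the --tproxy-mark 0x1/0x1 on the TPROXY rule.

```shell
#!/bin/sh
# Added example, not code from the thread, from Squid or from CentOS.
# Produces the CentOS 6 network-scripts equivalents of
#   ip -f inet6 rule add fwmark 1 lookup 100
#   ip -f inet6 route add local ::/0 dev lo table 100
# and checks a running box for the resulting rule and route.
#
# ASSUMPTION: ifup-routes in CentOS 6 initscripts runs every non-blank,
# non-comment line of rule6-<if> as "ip -6 rule add <line>" and of
# route6-<if> as "ip -6 route add <line>". IFACE and SCRIPTS_DIR are
# parameters of this example (override SCRIPTS_DIR for a dry run).

IFACE=${IFACE:-br0}
SCRIPTS_DIR=${SCRIPTS_DIR:-/etc/sysconfig/network-scripts}

# Write rule6-<if> and route6-<if>; each line holds exactly the arguments
# that follow "ip -6 rule add" / "ip -6 route add".
write_tproxy_files() {
    dir=$1
    ifc=$2
    cat > "$dir/rule6-$ifc" <<EOF
# TPROXY: traffic marked 1 by the DIVERT chain consults table 100
fwmark 1 lookup 100
EOF
    cat > "$dir/route6-$ifc" <<EOF
# TPROXY: table 100 hands every destination to the local stack
local ::/0 dev lo table 100
EOF
}

# Print the ip(8) commands ifup-routes would run for one rule6-/route6-
# (or rule-/route-) file, skipping blank and '#' lines as the script does.
render_ip_commands() {
    file=$1
    base=${file##*/}      # rule6-br0
    kind=${base%%-*}      # rule6
    obj=${kind%6}         # rule
    proto=-4
    if [ "$obj" != "$kind" ]; then
        proto=-6
    fi
    grep -Ev '^[[:space:]]*(#.*)?$' "$file" | while read -r line; do
        printf 'ip %s %s add %s\n' "$proto" "$obj" "$line"
    done
}

# Verify the outcome on a live box: $1 is "ip -6 rule show" output,
# $2 is "ip -6 route show table 100" output. Returns 0 only when both
# the fwmark-1 rule and the local ::/0 route on lo are present.
check_tproxy_routing() {
    rules=$1
    routes=$2
    if ! printf '%s\n' "$rules" | grep -Eq 'fwmark 0x1[ /].*lookup 100'; then
        echo "missing: ip -6 rule 'fwmark 1 lookup 100'" >&2
        return 1
    fi
    if ! printf '%s\n' "$routes" | grep -Eq '^local ::/0 dev lo( |$)'; then
        echo "missing: 'local ::/0 dev lo' in table 100" >&2
        return 1
    fi
    return 0
}

# Constructed sample output of a correctly configured box (not captured
# from Walter's router), used when the script is run without arguments.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
SAMPLE_TABLE100='local ::/0 dev lo  metric 1024'

case "${1:-}" in
    write)  # as root: create the files and show what ifup will run
        write_tproxy_files "$SCRIPTS_DIR" "$IFACE"
        render_ip_commands "$SCRIPTS_DIR/rule6-$IFACE"
        render_ip_commands "$SCRIPTS_DIR/route6-$IFACE" ;;
    check)  # after "ifup br0" (or "service network restart")
        check_tproxy_routing "$(ip -6 rule show)" "$(ip -6 route show table 100)" ;;
    *)
        check_tproxy_routing "$SAMPLE_RULES" "$SAMPLE_TABLE100" && echo "sample output: ok" ;;
esac
```

Run it as "sh tproxy6.sh write" on the router, bring br0 up again, then "sh tproxy6.sh check"; a non-zero exit names the missing piece. Because the rule and route are tied to br0 in these file names, they are re-applied whenever br0 comes up, which is what the question asks for; if TPROXY still does not intercept after both checks pass, the remaining places to look are the mangle rules above and whether the socket match is reached before the TPROXY rule.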




_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos



