Getting Squid and TPROXY with IPv6 working on CentOS 7

I'm having trouble getting TPROXY working with Squid and IPv6 on a CentOS 7 server. I was previously using a generic intercept setup with NAT, but it was limited to IPv4 only. I'm now expanding the setup to include IPv6 with TPROXY.

I've been using the official Squid wiki article on the subject to configure everything:

http://wiki.squid-cache.org/Features/Tproxy4

Thus far the TPROXY config appears to be working for IPv4 with no issues. With IPv6 however connections are timing out and not working properly. I'll break down the setup for better understanding.

Note all firewall and routing rules are exactly the same for IPv4, the only difference is inet6 and ip6tables for configuring IPv6 based rules in the examples below.

• OS and Kernel: CentOS 7 (3.10.0-229.14.1.el7.x86_64)
• All packages are up to date according to yum
• Squid Version: 3.3.8 (Also tried 3.5.9)
• Firewall: iptables/ip6tables 1.4.21
• libcap-2.22-8.el7.x86_64

IPv6 connectivity is currently through a 6in4 tunnel via Hurricane Electric, this is configured on the DD-WRT router and then the assigned prefix delegated to clients via radvd. The Squid box has several static IPv6 addresses configured.

The Squid box sits within the main LAN which it is serving. Clients that are having traffic on port 80 intercepted (mainly wireless clients) are being pushed to the Squid box via my DD-WRT router with the following firewall and routing rules, adapted from the Policy Routing wiki article and DD-WRT wiki

• http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

• http://www.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy

  ip6tables -t mangle -A PREROUTING -i "$CLIENTIFACE" -s "$PROXY_IPV6" -p tcp --dport 80 -j ACCEPT
  ip6tables -t mangle -A PREROUTING -i "$CLIENTIFACE" -p tcp --dport 80 -j MARK --set-mark $FWMARK
  ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
  ip6tables -t filter -A FORWARD -i "$CLIENTIFACE" -o "$CLIENTIFACE" -p tcp --dport 80 -j ACCEPT
  
  ip -f inet6 rule add fwmark $FWMARK table 2
  ip -f inet6 route add default via "$PROXY_IPV6" dev "$CLIENTIFACE" table 2
  

This appears to be working OK in terms of passing the traffic to the Squid box. One additional rule I had to add on the DD-WRT router in addition to the above was an exception rule for the configured outgoing IPv4 and IPv6 addresses on the Squid box, otherwise I get a crazy loop issue and traffic gets broken for all clients including the main LAN that uses Squid on 3128.

ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s "$OUTGOING_PROXY_IPV6" -j ACCEPT

On the Squid box I am then using the following routing rules and the DIVERT chain to handle the traffic accordingly. I needed to add additional rules to prevent any errors with the chain already existing during testing. My firewall is CSF, I have added the following to csfpre.sh

ip -f inet6 route flush table 100
ip -f inet6 rule del fwmark 1 lookup 100

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eno1 table 100

ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t mangle -N DIVERT

ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

squid.conf is configured for two ports:

http_proxy 3128
http_proxy 3129 tproxy

In addition I am also using Privoxy and had to add no-tproxy to my cache_peer line, otherwise all traffic was unable to be forwarded for both protocols.

cache_peer localhost parent 8118 7 no-tproxy no-query no-digest

I am not using any tcp_outgoing_address directives because of Privoxy, instead I am controlling the outbound addresses through CentOS and the bind order.

sysctl values:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eno1.rp_filter = 0

I am not sure if the rp_filter modifications are needed as the setup works on IPv4 with or without them and produces the same result for IPv6.

SELINUX

SELINUX is enabled on the Squid box, but policies have been configured to allow the TPROXY setup, so its not being blocked (IPv4 working shows this anyway). I have checked with grep squid /var/log/audit/audit.log | audit2allow -a and get <no matches>

#============= squid_t ==============

#!!!! This avc is allowed in the current policy
allow squid_t self:capability net_admin;

#!!!! This avc is allowed in the current policy
allow squid_t self:capability2 block_suspend;

#!!!! This avc is allowed in the current policy
allow squid_t unreserved_port_t:tcp_socket name_connect;

I have also set the following booleans:

setsebool squid_connect_any 1
setsebool squid_use_tproxy 1

Broken IPv6 connectivity

Ultimately, IPv6 connectivity is completely broken for TPROXY clients (LAN clients on port 3128 which use a WPAD/PAC file have fully working IPv6). While it appears the traffic is being routed to the Squid box in some way, no requests over IPv6 via TPROXY are appearing in the access.log. All IPv6 requests both literal IPv6 and DNS, timeout. I can access internal IPv6 clients but again, this traffic isn't logged either.

I did some testing using test-ipv6.com and found that it detected my outgoing Squid IPv6 address but the IPv6 tests either showed as bad/slow or timeout. I temporarily enabled the via header and found the Squid HTTP header was visible, so the traffic is at least getting to the Squid box but not being routed properly once its there.

I've been trying to get this to work for some time and cannot find what the problem is, I've even asked on the Squid mailing list, but have been unable to diagnose the actual issue or solve it. Based on my testing, I'm pretty sure its one of the following areas and the Squid box the problem:

• Routing
• Kernel
• Firewall

Any ideas and additional steps that I can take to get TPROXY and IPv6 working would be greatly appreciated!

Additional information

ip6tables rules:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp      ::/0                 ::/0                 socket
TPROXY     tcp      ::/0                 ::/0                 tcp dpt:80 TPROXY redirect :::3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all      ::/0                 ::/0                 MARK set 0x1
ACCEPT     all      ::/0                 ::/0

IPv6 routing table (prefix obscured)

unreachable ::/96 dev lo  metric 1024  error -101
unreachable ::ffff:0.0.0.0/96 dev lo  metric 1024  error -101
2001:470:xxxx:xxx::5 dev eno1  metric 0
    cache  mtu 1480
2001:470:xxxx:xxx:b451:9577:fb7d:6f2d dev eno1  metric 0
    cache
2001:470:xxxx:xxx::/64 dev eno1  proto kernel  metric 256
unreachable 2002:a00::/24 dev lo  metric 1024  error -101
unreachable 2002:7f00::/24 dev lo  metric 1024  error -101
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -101
unreachable 2002:ac10::/28 dev lo  metric 1024  error -101
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -101
unreachable 2002:e000::/19 dev lo  metric 1024  error -101
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -101
fe80::/64 dev eno1  proto kernel  metric 256
default via 2001:470:xxxx:xxxx::1 dev eno1  metric 1