Re: [squid-users] TProxy not faking source address.

From: rihad <rihad_at_mail.ru>
Date: Sun, 17 May 2009 13:13:53 +0500

Looks like I'm the only one trying to use TProxy? Somebody else, please?
To summarize: Squid does NOT spoof client's IP address when initiating
connections on its own. Just as if there weren't a thing named "TProxy".

Original message follows (not to be confused with top-posting):

> Hello, I'm trying to get TProxy 4.1 to work as outlined here:
> http://wiki.squid-cache.org/Features/Tproxy4
> namely under Ubuntu 9.04 stable/testing mix with the following:
> linux-image-2.6.28-11-server 2.6.28-11.42
> iptables 1.4.3.2-2ubuntu1
> squid-3.1.0.7.tar.bz2 from original sources
>
> Squid has been built this way:
> $ /usr/local/squid/sbin/squid -v
> Squid Cache: Version 3.1.0.7
> configure options: '--enable-linux-netfilter'
> --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
> (myself I only gave it --enable-linux-netfilter)
>
> squid.conf is pretty much whatever 'make install' created, with my
> changes given at the end, after the blank line:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> coredump_dir /usr/local/squid/var/cache
>
> cache_dir ufs /usr/local/squid/var/cache 100 16 256
> cache_mem 16 MB
> http_port 3129 tproxy
> visible_hostname tproxy
>
> Then I did:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> #Use DIVERT to prevent existing connections going through TPROXY twice:
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> #Mark all other (new) packets and use TPROXY to pass into Squid:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
>
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> #On each boot startup set:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ran squid -z and launched squid.
>
> My topology:
> desktop where I sit: one link has address 192.168.0.1/24, the other to
> the Internet
> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
> same box as desktop), the other link is custom VMware interface
> 192.168.1.1/24
> The "client" box: single interface 192.168.1.2/24
>
> So, the squid box is directly connected to the outside on the one side,
> and to the client on the other. My desktop's routing knows to reach the
> client through the Squid box, and vice versa, so the port 80 traffic
> under consideration flows through the Squid box in both ways.
>
> Now, after I do this on the "client":
> $ telnet 192.168.0.1 80
> GET / HTTP/1.0
>
> (correct webpage output)
> Connection closed by foreign host.
>
> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
> connecting, not the TProxied 192.168.1.2, as if working under the plain
> ole interception proxying I've been trying to get rid of!
>
> Why?! Counters on the Squid box do get bumped:
>
> $ sudo iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
> pkts bytes target prot opt in out source
> destination
> 2274 214K DIVERT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 socket
> 16 920 TPROXY tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> ...
>
> Chain DIVERT (1 references)
> pkts bytes target prot opt in out source
> destination
> 2274 214K MARK all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK xset 0x1/0xffffffff
> 2274 214K ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
> Thanks for any tips.
>
>
>
>
Received on Sun May 17 2009 - 08:14:09 MDT

This archive was generated by hypermail 2.2.0 : Sun May 17 2009 - 12:00:01 MDT