Search squid archive

TProxy4 and Squid 3.1.0.5 client address spoofing problem !

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi, 



Here is my situation : 


    * CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this patch : http://www.balabit.com/ downloads/files/tproxy/tproxy- kernel-2.6.25-20080519-165031- 1211208631.tar.bz2)
    * iptables v1.4.3-rc1( ftp://ftp.netfilter.org/pub/ iptables/snapshot/iptables- 20090206.tar.bz2 )
    * squid 3.1.0.5 RC ( http://www.squid-cache.org/ Versions/v3/3.1/squid-3.1.0.5. tar.bz2 ) and compiled with these options : "'--enable-poll' '--enable-storeio=aufs,diskd, ufs' '--with-pthreads' '--enable-removal-policies= heap,lru' '--enable-
linux-netfilter' '--enable-useragent-log' '--enable-referer-log' '--enable-underscores' '--disable-dependency- tracking' '--disable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded- for'
'--enable-cache-digests' '--enable-delay-pools' '--enable-truncate'
'--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
'--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--with-filedescriptors=8192' --with-squid=/usr/src/squid-3. 1.0.5 --enable-ltdl-convenience\"
    * with following iptables rules : 
[root@CACHE1 squid-3.1.0.5]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination        
1    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0           socket 
2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination        

Chain DIVERT (1 references)
num  target     prot opt source               destination        
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xffffffff 
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

[root@CACHE1 squid-3.1.0.5]# 
    * With following iproute2 rules : [root@CACHE1 squid-3.1.0.5]# ip ru list
0:      from all lookup 255 
32765:  from all fwmark 0x1 lookup 100 
32766:  from all lookup main 
32767:  from all lookup default 
[root@CACHE1 squid-3.1.0.5]# ip ro list table 100
local default dev lo  scope host 
[root@CACHE1 squid-3.1.0.5]# 

    * with following http_port line in squid : http_port 3129 tproxyeverything seems to be working and squid run with these messages in cache.log : 
2009/02/07 22:22:43| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 16.

my
requests seems to be redirected to port 3129 as I expected and the
pages are loading propertly. But the problem is that when I go to site http://myipaddress.co.uk/ it gives me the cache ip address instead of my own client ip address. here is the tethereal output for one of my requests :

[root@CACHE1 ~]# tethereal host 213.171.218.15 -n              

Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
  0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1 
  0.000004 213.171.218.15 -> 85.247.162.18 TCP 80 > 39571 [ACK] Seq=1 Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
  0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
  0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  0.199533 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11294268 TSER=0
  0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0 
  0.504191 213.171.218.15 -> 85.247.162.2 TCP [TCP segment of a reassembled PDU]
  0.504199 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
  0.504241 213.171.218.15 -> 85.247.162.2 HTTP HTTP/1.1 200 OK  (text/html)
  0.504246 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
  0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK  (text/html)
  0.504364 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
  0.504402 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
  0.514428 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
  0.514577 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
  0.517022 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=2213 Win=4110 Len=0 TSV=2135390 TSER=11294570

Where my client ip address is 85.247.162.18 and my cache server ip
address is 85.247.162.2. This means that the client ip spoofing is not
working with tproxy4. Can any guide me ?

-- 
Regards
Hamid Hashemi
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux