Re: TProxy4 and Squid 3.1.0.5 client address spoofing problem !

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Hamid Hashemi wrote:
> Hi, 
>
>
> Here is my situation : 
>
>
>     * CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this patch : http://www.balabit.com/ downloads/files/tproxy/tproxy- kernel-2.6.25-20080519-165031- 1211208631.tar.bz2)
>     * iptables v1.4.3-rc1( ftp://ftp.netfilter.org/pub/ iptables/snapshot/iptables- 20090206.tar.bz2 )
>     * squid 3.1.0.5 RC ( http://www.squid-cache.org/ Versions/v3/3.1/squid-3.1.0.5. tar.bz2 ) and compiled with these options : "'--enable-poll' '--enable-storeio=aufs,diskd, ufs' '--with-pthreads' '--enable-removal-policies= heap,lru' '--enable-
> linux-netfilter' '--enable-useragent-log' '--enable-referer-log' '--enable-underscores' '--disable-dependency- tracking' '--disable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded- for'
> '--enable-cache-digests' '--enable-delay-pools' '--enable-truncate'
> '--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
> '--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
> '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
> '--with-filedescriptors=8192' --with-squid=/usr/src/squid-3. 1.0.5 --enable-ltdl-convenience\"
>     * with following iptables rules : 
> [root@CACHE1 squid-3.1.0.5]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination        
> 1    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0           socket 
> 2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination        
>
> Chain DIVERT (1 references)
> num  target     prot opt source               destination        
> 1    MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xffffffff 
> 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
>
> [root@CACHE1 squid-3.1.0.5]# 
>     * With following iproute2 rules : [root@CACHE1 squid-3.1.0.5]# ip ru list
> 0:      from all lookup 255 
> 32765:  from all fwmark 0x1 lookup 100 
> 32766:  from all lookup main 
> 32767:  from all lookup default 
> [root@CACHE1 squid-3.1.0.5]# ip ro list table 100
> local default dev lo  scope host 
> [root@CACHE1 squid-3.1.0.5]# 
>
>     * with following http_port line in squid : http_port 3129 tproxyeverything seems to be working and squid run with these messages in cache.log : 
> 2009/02/07 22:22:43| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 16.
>
> my
> requests seems to be redirected to port 3129 as I expected and the
> pages are loading propertly. But the problem is that when I go to site http://myipaddress.co.uk/ it gives me the cache ip address instead of my own client ip address. here is the tethereal output for one of my requests :
>
> [root@CACHE1 ~]# tethereal host 213.171.218.15 -n              
>
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth1
>   0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1 
>   0.000004 213.171.218.15 -> 85.247.162.18 TCP 80 > 39571 [ACK] Seq=1 Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
>   0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
>   0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
>   0.199533 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11294268 TSER=0
>   0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0 
>   0.504191 213.171.218.15 -> 85.247.162.2 TCP [TCP segment of a reassembled PDU]
>   0.504199 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
>   0.504241 213.171.218.15 -> 85.247.162.2 HTTP HTTP/1.1 200 OK  (text/html)
>   0.504246 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
>   0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK  (text/html)
>   0.504364 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
>   0.504402 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
>   0.514428 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
>   0.514577 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
>   0.517022 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=2213 Win=4110 Len=0 TSV=2135390 TSER=11294570
>
> Where my client ip address is 85.247.162.18 and my cache server ip
> address is 85.247.162.2. This means that the client ip spoofing is not
> working with tproxy4. Can any guide me ?

That tethereal trace appears to show the spoofing going on:

    Client
(85.247.162.18)
      ||
(213.171.218.15)
    Squid
(85.247.162.2)
      ||
(213.171.218.15)
  Web Server

Client identifies itself as connecting to the web server directly.

The server-side bit is not spoofing though.

Does that change with:
  iptables -t mangle -A DIVERT -j MARK --set-mark 0x1/0x1


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5