Search squid archive

Re: TProxy not faking source address.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Looks like I'm the only one trying to use TProxy? Somebody else, please?
To summarize: Squid does NOT spoof client's IP address when initiating connections on its own. Just as if there weren't a thing named "TProxy".

Original message follows (not to be confused with top-posting):

Hello, I'm trying to get TProxy 4.1 to work as outlined here:
http://wiki.squid-cache.org/Features/Tproxy4
namely under Ubuntu 9.04 stable/testing mix with the following:
linux-image-2.6.28-11-server 2.6.28-11.42
iptables 1.4.3.2-2ubuntu1
squid-3.1.0.7.tar.bz2 from original sources

Squid has been built this way:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.1.0.7
configure options:  '--enable-linux-netfilter'
--with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
(myself I only gave it --enable-linux-netfilter)

squid.conf is pretty much whatever 'make install' created, with my
changes given at the end, after the blank line:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
coredump_dir /usr/local/squid/var/cache

cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_mem 16 MB
http_port 3129 tproxy
visible_hostname tproxy

Then I did:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

#Use DIVERT to prevent existing connections going through TPROXY twice:

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

#Mark all other (new) packets and use TPROXY to pass into Squid:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129


ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

#On each boot startup set:

echo 1 > /proc/sys/net/ipv4/ip_forward

ran squid -z and launched squid.

My topology:
desktop where I sit: one link has address 192.168.0.1/24, the other to
the Internet
Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
same box as desktop), the other link is custom VMware interface
192.168.1.1/24
The "client" box: single interface 192.168.1.2/24

So, the squid box is directly connected to the outside on the one side,
and to the client on the other. My desktop's routing knows to reach the
client through the Squid box, and vice versa, so the port 80 traffic
under consideration flows through the Squid box in both ways.

Now, after I do this on the "client":
$ telnet 192.168.0.1 80
GET / HTTP/1.0

(correct webpage output)
Connection closed by foreign host.

Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
connecting, not the TProxied 192.168.1.2, as if working under the plain
ole interception proxying I've been trying to get rid of!

Why?! Counters on the Squid box do get bumped:

$ sudo iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
 pkts bytes target     prot opt in     out     source
destination
 2274  214K DIVERT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           socket
   16   920 TPROXY     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

...

Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source
destination
 2274  214K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0           MARK xset 0x1/0xffffffff
 2274  214K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0


Thanks for any tips.






[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux