Hello Amos...

> > What does that forward loop mean
>
> Your squid is sending requests out which subsequently arrive
> back to it.

OK.

> > and how could it happen? I've noticed
>
> Most likely your NAT rules are broken. Packets leaving Squid
> MUST NOT be sent back to Squid's listening port.

This is my iptables setup:

proxy:/var/log/squid3# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
   10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:81:83 redir ports 3128
   31  1542 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21 to:172.16.16.254
 4689  277K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 80,443 to:172.16.16.254
   19  1144 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 to:172.16.16.254
   14   822 DNAT       47   --  eth1   *       0.0.0.0/0            0.0.0.0/0            to:172.16.16.254
 4170  213K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.16.16.254
    8   444 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555 to:172.16.16.37
  227 13204 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22,873 to:172.16.16.240

Chain INPUT (policy ACCEPT 96511 packets, 7924K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 341K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 291K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
 234K   18M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

What you see there are some services redirected to my internal servers and the rule for intercepting web traffic...

> Or maybe the requests are for a domain which is pointing at
> your Squid with its IPs.
> > > that the originating IP was from a PC I had in my LAN which was
> > > infected with some sort of mal-/spy-ware...
>
> Or some attempted attack which is being short-circuited by
> setting the attacker's domain to point at 0.0.0.0 or
> 127.0.0.1. In which case "http_access deny to_localhost" with
> the default definition of to_localhost should block it before looping.

I get tons of these in the access.log:

1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -

What could this mean? It looks like the PC is trying to connect to the proxy port 3128, which is then directed to itself... uh?!

I'll be further investigating on the client "victim" (172.16.16.38)...

Kind regards,
Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: flavio@xxxxxxxxxxx
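The two access.log lines above are the signature of the forward loop Amos describes: the request URL names the proxy's own listening socket (172.16.16.1:3128) and Squid then goes DIRECT to that same address, i.e. to itself. The following script, added here as an example and not part of this thread or of Squid, scans a native-format access.log for records whose request target is one of the proxy's own listeners and counts them per client, so the "victim" machines can be listed rather than read off by eye. The listener set (172.16.16.1:3128) is taken from the post; the sample log is constructed for the example, with the two real lines from the post mixed in among made-up ordinary requests.

```python
"""Flag Squid forward-loop candidates in a native-format access.log.

Added example, not part of the original mailing-list thread. A record is
a loop candidate when the request is aimed at one of the proxy's own
listening sockets, which is exactly what the 172.16.16.1:3128 lines in
the post show (Squid then forwards the request back to itself).
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumption for this example: the proxy listens on 172.16.16.1:3128,
# as the URL and DIRECT/172.16.16.1 peer in the posted log lines indicate.
PROXY_LISTENERS = {("172.16.16.1", 3128)}

# Constructed sample log. Lines 1 and 3 are the two records quoted in the
# post; the other entries (example.com, 172.16.16.254) are made up to
# show records that must NOT be flagged.
SAMPLE_LOG = """\
1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812160.001    120 172.16.16.40 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812230.512     80 172.16.16.40 TCP_MISS/200 412 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1305812240.000     15 172.16.16.41 TCP_MISS/200 300 GET http://172.16.16.254:3128/ - DIRECT/172.16.16.254 text/html
"""


def parse_native_line(line):
    """Split one native-format line into its fields.

    Layout: time elapsed client code/status bytes method url ident
            peerstatus/peerhost type
    Returns None for lines that do not have the expected field count.
    """
    f = line.split()
    if len(f) < 10:
        return None
    peer_status, _, peer_host = f[8].partition("/")
    return {
        "time": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": f[3],
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "peer_status": peer_status,
        "peer_host": peer_host,
    }


def request_target(method, url):
    """Return the (host, port) a request is aimed at.

    CONNECT requests log a bare host:port; everything else is a URL whose
    port defaults to 80 for http and 443 for https.
    """
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        if not sep or not port.isdigit():
            return url, 443
        return host, int(port)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def find_loop_candidates(log_text, listeners=PROXY_LISTENERS):
    """Return the parsed records whose target is one of the proxy's listeners."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec is None:
            continue
        target = request_target(rec["method"], rec["url"])
        if target in listeners:
            rec["target"] = target
            hits.append(rec)
    return hits


def clients_by_hits(hits):
    """Count loop candidates per client IP, most frequent first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_loop_candidates(SAMPLE_LOG)
    for client, n in clients_by_hits(found).most_common():
        print(f"{client}: {n} request(s) aimed at the proxy's own listener")
```

Matching on the full (host, port) pair rather than on the port alone matters: the constructed 172.16.16.254:3128 record is a legitimate request to another host that happens to use the same port and is left alone, while both 172.16.16.38 records are reported. The `TCP_MISS/000`, zero bytes and roughly 14 second elapsed time on the flagged records are consistent with Squid cutting the looped connection off rather than serving anything.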