Hi,

Squid is not spoofing the client IP. With the following http_port line in squid:

http_port 3129 tproxy

everything seems to be working and Squid runs with these messages in cache.log:

2011/09/21 14:36:15 kid1| Accepting TPROXY spoofing HTTP Socket connections at local=[::]:3129 remote=[::] FD 17 flags =25

My requests seem to be redirected to port 3129 as I expected and the pages are loading properly. But the problem is that when I go to the site http://www.whatismyip.com/ it gives me the cache IP address instead of my own client IP address. Here is the cache.log output for one of my requests:

2011/09/21 14:38:00.720 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 67.202.66.200:80, destination/me= 192.168.88.100:51084
2011/09/21 14:38:00.720 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=67.202.66.200:80 remote=192.168.88.100 FD 47 flags=17
2011/09/21 14:39:23.398 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 209.85.147.113:80, destination/me= 192.168.88.100:48968
2011/09/21 14:39:23.398 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=209.85.147.113:80 remote=192.168.88.100 FD 14 flags=17
2011/09/21 14:39:23.984 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 209.85.169.102:80, destination/me= 192.168.88.100:45534
2011/09/21 14:39:23.984 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=209.85.169.102:80 remote=192.168.88.100 FD 20 flags=17
2011/09/21 14:39:33.521 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 91.209.196.169:80, destination/me= 192.168.88.100:43728
2011/09/21 14:39:33.521 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=91.209.196.169:80 remote=192.168.88.100 FD 24 flags=17
2011/09/21 14:39:34.238 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 217.118.27.135:80, destination/me= 192.168.88.100:35387
2011/09/21 14:39:34.238 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=217.118.27.135:80 remote=192.168.88.100 FD 26 flags=17

This means that the client IP spoofing is not working with TPROXY4. Can anyone guide me?

Thanks and Best Regards,
Saleh

> Hi,
>
> Any suggestions about this problem?
>
> Thanks and Best Regards,
> Saleh
>
>> Dears,
>>
>> I have set up a transparent proxy with the TPROXY feature and WCCP.
>>
>> Below is my squid configuration:
>>
>> http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always
>>
>> wccp2_router ROUTERIP
>> wccp_version 2
>> wccp2_forwarding_method 2
>> wccp2_return_method 2
>> wccp2_assignment_method mask
>> wccp2_service dynamic 87
>> wccp2_service_info 87 protocol=tcp flags=src_ip_hash priority=240 ports=80
>> wccp2_service dynamic 97
>> wccp2_service_info 97 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>
>> iptables -t mangle -F
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>>
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> ip rule add fwmark 1 lookup 100
>> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>>
>> Squid Version: 3.2.0.12 compiled with libcap2
>> Kernel: 2.6.37-1
>>
>> It works without any problem, but in whatismyip.com I see the Squid real IP address, not the real client IP address. I would greatly appreciate any idea to resolve this problem.
>>
>> Many thanks and Best Regards,
>> Saleh
>>
>>> 2011/9/19 Khemara Lyn <lin.kh@xxxxxxxxxxxx>:
>>>> Dear Sir Amos,
>>>>
>>>> Thank you for your response and being helpful always.
>>>>
>>>> My squid.conf does have that "forwarded_for on", but I think those public upload/download file-sharing sites (fileserve, rapidshare, etc.) are smart enough to detect the header.
>>>>
>>>> Or is there a way to find out all the IP ranges used by those sites? I would like to be able to block those IP ranges in the WCCP access list so that accesses to those sites will bypass my Squid box.
>>>>
>>>> Regards,
>>>> Khem
>>>>
>>>> On 09/20/2011 08:53 AM, Amos Jeffries wrote:
>>>>>
>>>>> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>>>>>>
>>>>>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>>>>>>
>>>>>>> Dears,
>>>>>>>
>>>>>>> How could I configure Squid to appear with the clients' real IP address instead of the Squid IP address? The problem is that all clients get the same IP address, which makes problems in file-sharing websites like Megaupload, Rapidshare and other websites. We use Squid in transparent mode with WCCP; please advise how to resolve this problem.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>> Saleh Madi
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have the same query but doubt if it is possible at all, esp. with WCCP.
>>>>>>
>>>>>> What I could do so far is that I configured the Squid box to have multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip route". Each time it could appear as a different IP, but still get blocked by those file-sharing web sites, as you mentioned.
>>>>>>
>>>>>> I would greatly appreciate any better idea.
>>>>>>
>>>>>> Thanks & regards,
>>>>>> Khem
>>>>>
>>>>> WCCP passes packets unchanged to the Squid box.
>>>>>
>>>>> You need two things:
>>>>> 1) to pass the IP through, using "forwarded_for on", which permits Squid to send the X-Forwarded-For header with the client IP.
>>>>> 2) the website to be smart enough to make use of the header. Some sites do not support or choose not to trust that HTTP header.
>>>>>
>>>>> Alternatively you could set up a transparent proxy with the TPROXY feature, spoofing the client inbound IP on the outbound traffic. This does work with WCCP, but is a bit tricky.
>>>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>>>
>>>>> Amos
>>>
>>> Maybe you may use a pool of public keys and also use the squid url_rewrite capability of 2.7 to cache files, so this will reduce that symptom. How many IPs and how to configure squid is not easy to say; it requires analysis, but it is a workaround if the X-Forwarded doesn't work.
>>>
>>> Khem, it is nice to know of you. Please contact me offline.
>>>
>>> LD
>>> http://www.twitter.com/ldlq
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
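The TPROXY plumbing quoted in Saleh's configuration has several values that must agree with each other (the mark set in DIVERT, the mark set by the TPROXY target, the fwmark and table in the ip rule, the table holding the local route, the --on-port and Squid's http_port, and the order of the PREROUTING rules). The following is an added example, not code from the thread or from the Squid project: a small consistency lint that parses those commands as text and reports mismatches. The input is the thread's own command list; the audit function and its finding messages are the example's own and it says nothing about why the poster's spoofing fails.

```python
"""Consistency audit for a Squid TPROXY netfilter/iproute2 setup.

Added example (not from the thread or the Squid project). Parses the
iptables / ip rule / ip route commands as text and checks that the values
which must agree actually do. It is a configuration lint, not a diagnosis.
"""
import shlex

# Constructed input: the setup commands exactly as quoted in the thread.
SETUP_COMMANDS = """
iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
"""


def _value_after(argv, flag):
    """Return the token following `flag` in argv, or None if absent."""
    if flag in argv:
        i = argv.index(flag)
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def _mark(token):
    """Parse a netfilter mark such as '1' or '0x1/0x1' into its integer value."""
    return int(token.split("/")[0], 0)


def parse_setup(text):
    """Pull out the pieces of the TPROXY plumbing that have to agree."""
    info = {
        "divert_mark": None, "tproxy_mark": None, "tproxy_port": None,
        "rule_fwmark": None, "rule_table": None,
        "route_table": None, "local_default_route": False,
        "socket_rule_pos": None, "tproxy_rule_pos": None,
    }
    prerouting_pos = 0
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0] == "iptables" and "-A" in argv:
            chain = _value_after(argv, "-A")
            target = _value_after(argv, "-j")
            if chain == "DIVERT" and target == "MARK":
                info["divert_mark"] = _mark(_value_after(argv, "--set-mark"))
            elif chain == "PREROUTING":
                prerouting_pos += 1
                if _value_after(argv, "-m") == "socket":
                    info["socket_rule_pos"] = prerouting_pos
                if target == "TPROXY":
                    info["tproxy_rule_pos"] = prerouting_pos
                    info["tproxy_mark"] = _mark(_value_after(argv, "--tproxy-mark"))
                    info["tproxy_port"] = int(_value_after(argv, "--on-port"))
        elif argv[0] == "ip" and "rule" in argv:
            info["rule_fwmark"] = _mark(_value_after(argv, "fwmark"))
            info["rule_table"] = _value_after(argv, "lookup") or _value_after(argv, "table")
        elif argv[0] == "ip" and "route" in argv:
            info["route_table"] = _value_after(argv, "table")
            if "local" in argv and ("0.0.0.0/0" in argv or "default" in argv):
                info["local_default_route"] = True
    return info


def audit(text, squid_port):
    """Return a list of findings; an empty list means the pieces are consistent."""
    i = parse_setup(text)
    findings = []
    if i["tproxy_rule_pos"] is None:
        return ["no TPROXY rule in mangle PREROUTING"]
    if i["tproxy_port"] != squid_port:
        findings.append("TPROXY --on-port %s does not match squid http_port %s"
                        % (i["tproxy_port"], squid_port))
    if i["divert_mark"] != i["tproxy_mark"]:
        findings.append("DIVERT --set-mark %s differs from --tproxy-mark %s, so "
                        "existing-socket packets and new TPROXY packets would hit "
                        "different ip rules" % (i["divert_mark"], i["tproxy_mark"]))
    if i["rule_fwmark"] != i["tproxy_mark"]:
        findings.append("ip rule fwmark %s does not match --tproxy-mark %s"
                        % (i["rule_fwmark"], i["tproxy_mark"]))
    if i["rule_table"] != i["route_table"]:
        findings.append("ip rule looks up table %s but the local route is in table %s"
                        % (i["rule_table"], i["route_table"]))
    if not i["local_default_route"]:
        findings.append("table %s has no 'local 0.0.0.0/0' route, so marked packets "
                        "are not delivered locally" % i["route_table"])
    if i["socket_rule_pos"] is None or i["socket_rule_pos"] > i["tproxy_rule_pos"]:
        findings.append("the '-m socket -j DIVERT' rule should precede the TPROXY rule")
    return findings


if __name__ == "__main__":
    for f in audit(SETUP_COMMANDS, 3129) or ["setup is internally consistent"]:
        print(f)
```

The audit only sees what is in the command list. Kernel settings such as rp_filter on the interface and the capabilities the Squid process runs with (the reason the build is linked against libcap2) are part of the Tproxy4 page's setup too, and an empty findings list here does not vouch for them.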
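Amos's second point, that a site must choose to trust X-Forwarded-For, is what the receiving server has to get right: the header is set by whoever is on the wire, so a server that reads the leftmost value lets any client claim any address. The following is an added example, not code from the thread or from Squid, showing the usual defensive rule on the server side: honour the header only when the TCP peer is a proxy you know, and walk the chain from the right so a client-supplied value cannot override what your own proxy appended. The addresses and trusted-proxy list are constructed.

```python
"""Choosing the client address a web server should act on.

Added example (not from the thread or the Squid project). With Squid's
"forwarded_for on" the proxy appends the client address to X-Forwarded-For;
the server decides whether to believe it. Addresses here are constructed.
"""
import ipaddress


def _parse(token):
    """Return an ip_address for a header token, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Return the address to treat as the client, as a string.

    remote_addr:     the TCP peer of this connection
    forwarded_for:   the X-Forwarded-For header value, or None
    trusted_proxies: networks (CIDR strings) whose appended hops we believe
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = _parse(remote_addr)
    # A header arriving from an unknown peer can say anything: ignore it.
    if peer is None or not is_trusted(peer) or not forwarded_for:
        return remote_addr

    # Each proxy appends its own peer to the right, so the trustworthy part
    # of the list is the tail. Walk from the right, skipping hops that are
    # themselves trusted proxies; the first other address is the client.
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse(hop)
        if ip is None:
            # Malformed token where we expected a proxy's entry: don't guess.
            return remote_addr
        if not is_trusted(ip):
            return str(ip)
    # Every hop was one of our own proxies; the peer is the best answer left.
    return remote_addr


if __name__ == "__main__":
    # Constructed: Squid at 203.0.113.10 forwarding for the LAN client.
    trusted = ["203.0.113.0/24"]
    print(client_ip("203.0.113.10", "192.168.88.100", trusted))
    print(client_ip("203.0.113.10", "1.2.3.4, 192.168.88.100", trusted))
```

Reading the header this way means the lone value Squid appends is used when Squid is the peer, a client-added prefix is ignored, and a header from a host that is not a trusted proxy is discarded entirely.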