Search squid archive

Re: how can i get the localport in forward proxy mode?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Amos Jeffries wrote
> On 13/07/2014 2:35 a.m., freefall12 wrote:
>> this is my iptables rules
>> 
>> iptables -A PREROUTING -p tcp -m tcp --dport 30000:60000 -j REDIRECT
>> --to-ports 50000
>> 
>> port 5000 is the squid's listing port. 
>> 
>> What i want to do is to assign each user an unique port number and rely
>> upon
>> the port number in the access log for accounting.
>> 
>> OK,the procedures will be something like this:
>> 
>> 1,When an user register an account at the site, assign the user a random
>> port number and associate it to the username in database
>> 2,Open the port using iptables
>> 3,use the %>lp symbol to record the connected port number in access log.
>> 4,Parse the access log and insert relevant accounting data into the
>> database
>> 5,Automatically ban ip if port scanning is detected
>> 
>>  i'm stuck at the step 3 as i'm unable to get the connected port number
>> in
>> forward proxy mode
>> 
>> Do you think this can work reliably in reality?
> 
> 
> That REDIRECT is a NAT rule. It will definitely need the "intercept"
> option on Squid listening port to fetch the correct client destination
> details as the only thing the OS gives to Squid is its own port 50000.
> Just like you found.
> 
> Getting the traffic into Squid is not the biggest issue though. Since
> you are using NAT to do it you will then face all the traffic
> interception security checks which verify the TCP destination IP address
> the client is going to matches the Host header rDNS records. If they
> dont match, Squid will use the provided IP address directly - which in
> your case will loop back at itself.
> 
> 
> Alternatives:
> 
> You could use the ext_session_acl helper. It was designed for this type
> of user management. In active mode it presents a splash page for user
> login before access is granted to them by configured signature for a
> while.
> 
> The newer ext_session_sql_acl helper is similar, but depends entirely on
> an external identification/login system updating the SQL database which
> it checks for a configured client signature.
> 
> NP: the default signature for these session helpers in demos is usually
> IP address. But there is no technical reason it has to be.
>  In your current plan it is the destination port, but it could just as
> easily be the src-IP and User-Agent header pair for almost unique user
> identification.
> 
> 
> You could also re-build Squid with a larger definition for
> MAXTCPLISTENPORTS in src/anyp/PortCfg.h and configuring multiple
> http_port lines. But this set of ports is scanned sequentially at least
> every 10ms, which could slow down your proxy noticably if the set was
> particularly large.
> 
> You could use IPv6 with EUI-64 ACL verification and require your clients
> to use their SLAAC IPv6 addresses to contact you. Can be tricky to
> ensure the right address is used though.
> 
> Amos

Sorry, i don't know much about iptables.what other iptables rules can i use
to get the correct client destination
details? 

The 2 alternatives you've suggested appear to be not fit for my plan. 

To my knowledge, ext_session_acl will still need a page for
reauthentication, which doesn't work with mobile apps. is that correct?
Also, changing the port range definition a larger may not be a practical
solution when users grow to hundreds or thousands.



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/how-can-i-get-the-localport-in-forward-proxy-mode-tp4666888p4666892.html
Sent from the Squid - Users mailing list archive at Nabble.com.




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux