Dear all,
This isn't entirely a squid question but more like a "transparent proxying" question (which I'm hoping you guys will be able to help me with)...
As I started playing around with transparent ssl proxying, I learned that Chrome uses an alternate communication (UDP based) protocol called QUIC.
When the browser uses that protocol, Squid obviously isn't used as a proxy, so I'm trying to block QUIC traffic to force the browsers to fall back to HTTP/HTTPS.
At first, I found out that QUIC communicates over UDP 443 but, since blocking traffic from going out on that port didn't seem to work, I decided to use TCPView (on the client computer) and look at tcpdump to try and figure out what other ports it uses...
After looking at TCPView, I was able to see traffic going out on:
tcp 80
tcp 443
tcp 5228
udp 80
udp 443
udp 5353
...so I tried to block traffic going out on those ports:
root@appliance:~# cat /etc/iptables/rules.v4 | grep -i forward
:FORWARD DROP [41:4010]
-A FORWARD -i br0 -p tcp -m tcp --dport 5228 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 5353 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
root@appliance:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:5228 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:mdns reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:http reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:https reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@appliance:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 6182 packets, 2536K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1343 packets, 160K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6913 packets, 2386K bytes)
pkts bytes target prot opt in out source destination
root@appliance:~#
The problem is that, although the rules seem to be successfully triggered, the only way I can successfully BLOCK QUIC traffic and make the browser fall back to HTTP/HTTPS is by setting a default FORWARD policy of DROP:
iptables -P FORWARD DROP
What I conclude from this is that there MUST be some more FORWARD traffic originating from Chrome that I have no idea how to catch and filter.
So my question is: how can I completely block QUIC so I can guarantee my traffic will always be redirected to Squid?
Thanks in advance,
Luis
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
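Added check script (not from Luis's mail and not part of Squid): QUIC is UDP-only, and the ports the mail itself observed are UDP 443 and UDP 80, so rejecting those two in the chain the client traffic actually traverses is the whole job. The thing to verify first is that the rules are really loaded and really matching: the posted `iptables -L -n -v` listing shows a FORWARD chain with no rules at all, while the `rules.v4` file has them, so the saved file and the live table disagree. The script below emits the rules (inserted at the top of FORWARD so an earlier ACCEPT cannot shadow them) and parses `iptables -L FORWARD -n -v -x` output to report, per port, whether a REJECT rule exists and how many packets it has matched. The interface name br0 comes from the mail; the counter listing embedded here is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the squid-users mail. Emits QUIC-blocking rules and
# checks live FORWARD counters. br0 is taken from the mail; the sample listing
# below is constructed.
set -eu

LAN_IF="${LAN_IF:-br0}"   # client-facing interface (assumption: br0, as in the mail)

# Print the iptables commands instead of running them, so the script is safe to
# run anywhere. Apply with:  emit_quic_block_rules | sh
# -I (insert at position 1) rather than -A: an earlier ACCEPT in FORWARD would
# otherwise be matched first and the REJECT would never be reached.
emit_quic_block_rules() {
    for port in 443 80; do
        printf 'iptables -I FORWARD -i %s -p udp --dport %s -j REJECT --reject-with icmp-port-unreachable\n' \
            "$LAN_IF" "$port"
    done
}

# Read `iptables -L FORWARD -n -v -x` from stdin and report on UDP dpt:<port>
# rules. Exit 0: rule present and has matched packets. Exit 1: no such rule in
# the live table (rules.v4 not loaded?). Exit 2: rule present but 0 packets
# matched (traffic takes another path; on a bridge, check
# net.bridge.bridge-nf-call-iptables=1 or FORWARD never sees bridged frames).
# -x prints exact counters, so $1 is a plain integer, never "12K".
check_quic_rule() {
    port="$1"
    awk -v port="$port" '
        # columns with -n -v: pkts bytes target prot opt in out source destination ...
        $3 == "REJECT" && ($4 == "udp" || $4 == "17") && $0 ~ ("dpt:" port "( |$)") {
            found = 1; hits += $1
        }
        END {
            if (!found) { print "UDP " port ": no REJECT rule in FORWARD"; exit 1 }
            if (hits == 0) { print "UDP " port ": rule present but 0 packets matched"; exit 2 }
            print "UDP " port ": rule matched " hits " packets"; exit 0
        }'
}

# Constructed sample of `iptables -L FORWARD -n -v -x` output (not from the mail):
# UDP 443 rule has hits, UDP 80 rule has none, and there is no rule for 5353.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 1343 packets, 163840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      57       4560 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 reject-with icmp-port-unreachable
       0          0 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 reject-with icmp-port-unreachable
     210      12288 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0'

# Demo: show the rules that would be applied, then check the sample listing.
emit_quic_block_rules
for p in 443 80 5353; do
    printf '%s\n' "$SAMPLE_FORWARD" | check_quic_rule "$p" || echo "  -> exit status $?"
done
```

On a real appliance, replace the sample with the live table: `iptables -L FORWARD -n -v -x | check_quic_rule 443`. If that returns exit 1, the file in /etc/iptables/rules.v4 was never restored into the running kernel (load it with iptables-restore and re-check); if it returns exit 2 while clients are still reaching QUIC endpoints, the UDP traffic is not passing through FORWARD at all, which on a bridge interface is the classic symptom of bridge-nf-call-iptables being off.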