Hi,

Thanks for replying. I did a full transparent tproxy setup for squid proxy on a Linux (RHEL 6) machine as below:

Version: squid-3.5.1

configure options:
  '--enable-follow-x-forwarded-for' '--enable-linux-netfilter' --enable-ltdl-convenience

squid.conf:
  http_port 3128
  http_port 3129 tproxy

Linux Kernel Configuration:
  NF_CONNTRACK=m
  NETFILTER_TPROXY=m
  NETFILTER_XT_MATCH_SOCKET=m
  NETFILTER_XT_TARGET_TPROXY=m

Routing configuration:
  ip -f inet rule add fwmark 1 lookup 100
  ip -f inet route add local default dev eth1 table 100
  ip -f inet6 rule add fwmark 1 lookup 100
  ip -f inet6 route add local default dev eth1 table 100
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

iptables Configuration:
  iptables -t mangle -N DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

The machines below are on a local LAN setup:
  Client IP: 172.16.5.110
  Client's gateway: 10.0.0.102
  DNS Server IP: 172.16.1.7 (same for both client & squid machine)
  Web server IP: 216.58.196.110 (google.com)

Squid machine has 2 eth interfaces:
  eth1 (facing client): 10.0.0.102
  eth0 (connecting to web): 172.16.5.102

While browsing, the client is getting a connection timeout. After analyzing the squid side traces, I found that the client is doing DNS (for google.com) & connecting to that DNS IP on port 80. Squid is able to intercept the request on port 3129, doing DNS and trying to connect to google.com (using the spoofed client IP) but is getting an RST packet.

Can you please tell me what is missing here? Please find the attached trace.
Regards,
Ambadas

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: 05 May 2015 20:30
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [squid-users] Client IP spoofing via squid proxy

On 6/05/2015 2:25 a.m., Ambadas Hibare wrote:
> Hi,
>
> I am trying to spoof the client IP via squid proxy by following squid's
> TPROXY4 wiki page: http://wiki.squid-cache.org/Features/Tproxy4
>
> But I want to know whether squid can spoof the client IP when we send a
> proxy-format HTTP request from Mozilla (i.e. configuring proxy & port in
> Mozilla). Can squid proxy behave transparently towards only the web
> server & not the client?

No. It can be both ways, or just towards the client.

> I've tried sending a proxy-format HTTP request from the client to the squid box
> (on the 3129 tproxy port), but I am getting a Header forgery error. Also it's
> trying to connect to itself instead of the web server. I am trying to
> understand why squid is trying to match the host header's DNS with the
> destination IP instead of connecting to the host header's DNS (like normal
> proxy behaviour on port 3128).
>

To prevent CVE-2009-0801 happening. You must not send regular forward-proxy traffic to a tproxy or intercept port. Forwarding loops are guaranteed if you do.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Attachment:
Squid102_20150505.pcap
Description: Squid102_20150505.pcap
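As an added audit helper (not from this thread, from Squid, or from the wiki page), the script below checks the TPROXY prerequisites of the posted setup against saved command output, so it can be run offline on text captured from the proxy host; the sample input is constructed to mirror the posted configuration, and the fwmark (1), routing table (100) and --on-port (3129) are assumed from it.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from Squid): checks the TPROXY
# prerequisites of the posted setup against captured text from the proxy
# host, so it runs offline on saved outputs of `sysctl -a`, `ip rule`,
# `ip route show table 100` and `iptables-save -t mangle`.
# Assumes fwmark 1, table 100 and --on-port 3129 as in the posted config.
tproxy_audit() {                      # prints one MISSING: line per failed check
    sysctl_txt=$1; rule_txt=$2; route_txt=$3; mangle_txt=$4
    printf '%s\n' "$sysctl_txt" | grep -q '^net.ipv4.ip_forward = 1$' \
        || echo "MISSING: net.ipv4.ip_forward is not 1"
    # Reverse-path filtering drops packets whose source would be routed out a
    # different interface, and the kernel applies max(all, <iface>), so every
    # rp_filter knob must read 0 for the spoofed client traffic to survive.
    printf '%s\n' "$sysctl_txt" | grep '\.rp_filter = ' | grep -v ' = 0$' \
        | while read -r line; do echo "MISSING: $line (should be 0)"; done
    printf '%s\n' "$rule_txt" | grep -q 'fwmark 0x1 lookup 100' \
        || echo "MISSING: ip rule 'fwmark 1 lookup 100'"
    printf '%s\n' "$route_txt" | grep -q '^local default dev' \
        || echo "MISSING: 'local default' route in table 100"
    for needle in '-m socket -j DIVERT' '-j TPROXY' '--on-port 3129' \
                  '--tproxy-mark 0x1/0x1' '-A DIVERT -j MARK' '-A DIVERT -j ACCEPT'; do
        printf '%s\n' "$mangle_txt" | grep -q -- "$needle" \
            || echo "MISSING: mangle rule containing '$needle'"
    done
}

# Constructed sample modelled on the posted config (not a real capture);
# eth1 is deliberately left at 1 to show the audit flagging it.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0'
SAMPLE_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
SAMPLE_ROUTE='local default dev eth1 scope host'
SAMPLE_MANGLE='*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

tproxy_audit "$SAMPLE_SYSCTL" "$SAMPLE_RULE" "$SAMPLE_ROUTE" "$SAMPLE_MANGLE"
```

On the proxy host itself the same function can be fed live output, for example tproxy_audit "$(sysctl -a 2>/dev/null)" "$(ip rule)" "$(ip route show table 100)" "$(iptables-save -t mangle)".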