Re: linux and ipchains

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 20 Jun 1999 10:51:11 +0000

Oskar Pearson wrote:

> > It is however possible to do slight modifications to both Squid and
> > Linux to allow Squid to use the IP address of the requestor, but you
> > need to be very careful with your routing when doing such things.. More
> > information available on request to people with good knowledge of TCP/IP
> > routing and not afraid of coding C or modifying their kernel.
>
> I am interested. Got example code somewhere?

Yes and no. I have successfully guided another fellow hacker (Conrad
Micallef <conrad@comicom.waldonet.net.mt>) through the process.

What it involves:

The basic TCP/IP functionality is available as part of Linux
IP_TRANSPARENT_PROXY_SUPPORT option, but you need to bypass some
security restrictions on which processes that may make use of the
feature. Linux 2.0.X needs a one-line patch [attached]. For Linux 2.2.X
it may be possible to make use of capabilities without patching the
kernel, but I have not fully understood how to do so.

You then need to make some small modifications to Squid to pass the
client address instead of Config.Addrs.tcp_outgoing when calling
comm_open in forward.c, and set maximum_single_addr_tries to 1 (or is it
0) to disable some buggy connect retries done in comm.c (forward.c also
retries, so the comm.c code is mostly useless today). To make use of the
Linux patch Squid also needs to perform a privileged operation (like
binding to a privileged port) before dropping root privileges (maybe
dropping the root privileges in itself is enough to trigger the patch, I
don't know).

You also need to disable the use of persistent server connections or
change the pconn cache to include the client address (== local endpoint
IP address) in the connection cache key (pconnPop/pconnPush).

/Henrik
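The three steps Henrik describes (a privileged socket operation, a bind to the client's own address, then the connect, plus a pconn cache key that includes the local endpoint) as an added example; this is not Squid code and not the patch from the post. It assumes a current Linux kernel where the per-socket IP_TRANSPARENT option replaces the 2.0 PF_SUPERPRIV trick, and that the process holds CAP_NET_ADMIN when it sets the option; the addresses are constructed from the 203.0.113.0/24 documentation range, and `open_spoofed_socket` and `pconn_key` are names chosen here.

```c
/* Added example, not from the original post or from Squid.
 * Assumes Linux >= 2.6.28 (IP_TRANSPARENT, SOCK_NONBLOCK) and that the
 * caller has CAP_NET_ADMIN at the time of setsockopt(); the kernel then
 * permits the non-local bind without any kernel patch.
 * All addresses below are constructed examples (203.0.113.0/24). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from linux/in.h, for old libc headers */
#endif

/* Open a TCP socket whose source address is client_ip (an address that is
 * NOT local to this host) and start a non-blocking connect to
 * dst_ip:dst_port.  Returns the fd, or -1 with *err set to the errno.
 * Without IP_TRANSPARENT the kernel rejects the bind with EADDRNOTAVAIL
 * (the same check the 2.0 patch relaxes); setting the option itself
 * fails with EPERM when CAP_NET_ADMIN is missing. */
int open_spoofed_socket(const char *client_ip, const char *dst_ip,
                        uint16_t dst_port, int *err)
{
    struct sockaddr_in src = {0}, dst = {0};
    int one = 1, fd;

    src.sin_family = AF_INET;           /* port 0: kernel picks a source port */
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, client_ip, &src.sin_addr) != 1 ||
        inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) {
        *err = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
    if (fd < 0) { *err = errno; return -1; }

    /* Step 1: the privileged operation, before dropping privileges.
     * Step 2: bind to the client's address instead of tcp_outgoing.
     * Step 3: connect; EINPROGRESS is the normal non-blocking outcome. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0 &&
         errno != EINPROGRESS)) {
        *err = errno;
        close(fd);
        return -1;
    }
    return fd;
}

/* Persistent-connection cache key.  Keying only on host:port would let a
 * pooled connection opened with client A's source address be reused for
 * client B, so the local endpoint (== client address) is part of the key.
 * Returns the key length, or -1 if buf is too small. */
int pconn_key(char *buf, size_t buflen, const char *host, uint16_t port,
              const char *local_ip)
{
    int n = snprintf(buf, buflen, "%s:%u/%s", host, (unsigned)port, local_ip);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char key[128];
    int err = 0;
    int fd = open_spoofed_socket("203.0.113.5", "203.0.113.80", 80, &err);
    if (fd < 0)
        printf("spoofed connect refused: %s\n", strerror(err));
    else {
        printf("bound to client address, connect in progress\n");
        close(fd);
    }
    pconn_key(key, sizeof key, "www.example.com", 80, "203.0.113.5");
    printf("pconn key: %s\n", key);
    return 0;
}
```

The routing warning in the post still applies: the origin server answers to the client's address, so the proxy only sees the reply if it sits on the return path and the return traffic is steered back to it (policy routing or TPROXY rules); an unprivileged run of this program simply reports EPERM at the setsockopt step.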

    [ Part 2: "Attached Text" ]

--- linux/net/ipv4/af_inet.c.orig Sun Mar 14 00:52:58 1999
+++ linux/net/ipv4/af_inet.c Sun Mar 14 00:56:59 1999
@@ -631,8 +631,12 @@
         if (addr->sin_addr.s_addr != 0 && chk_addr_ret != IS_MYADDR &&
             chk_addr_ret != IS_MULTICAST && chk_addr_ret != IS_BROADCAST) {
 #ifdef CONFIG_IP_TRANSPARENT_PROXY
- /* Superuser may bind to any address to allow transparent proxying. */
- if(!suser())
+ /* Superuser may bind to any address to allow transparent
+ * proxying. Also allow binding if the process has used
+ * superuser privilegies like binding to a privilegied port,
+ * but given up superuser privs prior to this binding.
+ */
+ if(!suser() && !current->flags & PF_SUPERPRIV)
 #endif
                         return(-EADDRNOTAVAIL); /* Source address MUST be ours! */
         }
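Review bot: operator precedence makes the new test on the `if(!suser() && !current->flags & PF_SUPERPRIV)` line never reject a bind. `!` binds tighter than `&`, so it evaluates as `(!current->flags) & PF_SUPERPRIV`; `!current->flags` is 0 or 1, and PF_SUPERPRIV is not bit 0, so the `&` is always 0, the `&&` is always false, and the `return(-EADDRNOTAVAIL)` is unreachable: any unprivileged process may now bind to any address. It should read `if(!suser() && !(current->flags & PF_SUPERPRIV))`. Even with the parentheses, PF_SUPERPRIV is set by every successful suser() check a process has ever made, so the relaxation covers every process that once exercised root and then dropped it, not just the proxy; the comment should say so, and "privilegies"/"privilegied" should be "privileges"/"privileged".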
Received on Tue Jul 29 2003 - 13:15:59 MDT