[squid-users] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

From: Hamid Hashemi <hamid.hashemi_at_yahoo.com>
Date: Sun, 8 Feb 2009 14:11:23 -0800 (PST)

Hi,

Here is my situation :

    * CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this patch : http://www.balabit.com/ downloads/files/tproxy/tproxy- kernel-2.6.25-20080519-165031- 1211208631.tar.bz2)
    * iptables v1.4.3-rc1( ftp://ftp.netfilter.org/pub/ iptables/snapshot/iptables- 20090206.tar.bz2 )
    * squid 3.1.0.5 RC ( http://www.squid-cache.org/ Versions/v3/3.1/squid-3.1.0.5. tar.bz2 ) and compiled with these options : "'--enable-poll' '--enable-storeio=aufs,diskd, ufs' '--with-pthreads' '--enable-removal-policies= heap,lru' '--enable-
linux-netfilter' '--enable-useragent-log' '--enable-referer-log' '--enable-underscores' '--disable-dependency- tracking' '--disable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded- for'
'--enable-cache-digests' '--enable-delay-pools' '--enable-truncate'
'--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
'--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--with-filedescriptors=8192' --with-squid=/usr/src/squid-3. 1.0.5 --enable-ltdl-convenience\"
    * with following iptables rules :
[root_at_CACHE1 squid-3.1.0.5]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Chain DIVERT (1 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

[root_at_CACHE1 squid-3.1.0.5]#
    * With following iproute2 rules : [root_at_CACHE1 squid-3.1.0.5]# ip ru list
0: from all lookup 255
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
[root_at_CACHE1 squid-3.1.0.5]# ip ro list table 100
local default dev lo scope host
[root_at_CACHE1 squid-3.1.0.5]#

    * with following http_port line in squid : http_port 3129 tproxyeverything seems to be working and squid run with these messages in cache.log :
2009/02/07 22:22:43| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 16.

my
requests seems to be redirected to port 3129 as I expected and the
pages are loading propertly. But the problem is that when I go to site http://myipaddress.co.uk/ it gives me the cache ip address instead of my own client ip address. here is the tethereal output for one of my requests :

[root_at_CACHE1 ~]# tethereal host 213.171.218.15 -n

Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
  0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1
  0.000004 213.171.218.15 -> 85.247.162.18 TCP 80 > 39571 [ACK] Seq=1 Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
  0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
  0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  0.199533 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11294268 TSER=0
  0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0
  0.504191 213.171.218.15 -> 85.247.162.2 TCP [TCP segment of a reassembled PDU]
  0.504199 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
  0.504241 213.171.218.15 -> 85.247.162.2 HTTP HTTP/1.1 200 OK (text/html)
  0.504246 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
  0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK (text/html)
  0.504364 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
  0.504402 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
  0.514428 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
  0.514577 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
  0.517022 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=2213 Win=4110 Len=0 TSV=2135390 TSER=11294570

Where my client ip address is 85.247.162.18 and my cache server ip
address is 85.247.162.2. This means that the client ip spoofing is not
working with tproxy4. Can any guide me ?

-- 
Regards
Hamid Hashemi
      
Received on Sun Feb 08 2009 - 22:11:32 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 09 2009 - 12:00:02 MST