Re: [squid-users] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 9 Feb 2009 11:36:10 +1300 (NZDT)

>
> Hi,
>
> Here is my situation :
>
> * CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this
> patch : http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
> * iptables v1.4.3-rc1 ( ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-20090206.tar.bz2 )
> * squid 3.1.0.5 RC ( http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.5.tar.bz2 ) and compiled with these
> options : "'--enable-poll' '--enable-storeio=aufs,diskd,ufs'
> '--with-pthreads' '--enable-removal-policies=heap,lru' '--enable-linux-netfilter'
> '--enable-useragent-log' '--enable-referer-log'
> '--enable-underscores' '--disable-dependency-tracking'
> '--disable-ident-lookups' '--with-large-files'
> '--enable-follow-x-forwarded-for'
> '--enable-cache-digests' '--enable-delay-pools' '--enable-truncate'
> '--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
> '--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
> '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
> '--with-filedescriptors=8192' --with-squid=/usr/src/squid-3.1.0.5
> --enable-ltdl-convenience\"
> * with following iptables rules :
> [root_at_CACHE1 squid-3.1.0.5]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
> 2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain DIVERT (1 references)
> num target prot opt source destination
> 1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff

I'm suspecting the mark of "0x1/0xffffffff" originally in the tutorial was
a typo.
Does it work any better when you change that to "0x1/0x1" ?

Amos

> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> [root_at_CACHE1 squid-3.1.0.5]#
> * With following iproute2 rules : [root_at_CACHE1 squid-3.1.0.5]# ip ru list
> 0: from all lookup 255
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
> [root_at_CACHE1 squid-3.1.0.5]# ip ro list table 100
> local default dev lo scope host
> [root_at_CACHE1 squid-3.1.0.5]#
>
> * with following http_port line in squid : http_port 3129 tproxy
> everything seems to be working and squid runs with these messages
> in cache.log :
> 2009/02/07 22:22:43| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 16.
>
> My requests seem to be redirected to port 3129 as I expected and the
> pages are loading properly. But the problem is that when I go to the site
> http://myipaddress.co.uk/ it gives me the cache IP address instead of my
> own client IP address. Here is the tethereal output for one of my requests:
>
> [root_at_CACHE1 ~]# tethereal host 213.171.218.15 -n
>
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth1
> 0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1
> 0.000004 213.171.218.15 -> 85.247.162.18 TCP 80 > 39571 [ACK] Seq=1
> Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
> 0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0
> Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
> 0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK] Seq=0
> Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
> 0.199533 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=1 Ack=1
> Win=5888 Len=0 TSV=11294268 TSER=0
> 0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0
> 0.504191 213.171.218.15 -> 85.247.162.2 TCP [TCP segment of a
> reassembled PDU]
> 0.504199 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451
> Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
> 0.504241 213.171.218.15 -> 85.247.162.2 HTTP HTTP/1.1 200 OK
> (text/html)
> 0.504246 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451
> Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
> 0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK
> (text/html)
> 0.504364 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP
> traffic
> 0.504402 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP
> traffic
> 0.514428 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386
> Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
> 0.514577 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386
> Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
> 0.517022 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386
> Ack=2213 Win=4110 Len=0 TSV=2135390 TSER=11294570
>
> Where my client IP address is 85.247.162.18 and my cache server IP
> address is 85.247.162.2. This means that the client IP spoofing is not
> working with tproxy4. Can anyone guide me?
>
> --
> Regards
> Hamid Hashemi
>
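The question Amos raises is whether the DIVERT chain's "MARK xset 0x1/0xffffffff" and the TPROXY target's "mark 0x1/0x1" leave a mark that the "from all fwmark 0x1 lookup 100" rule actually selects on. The following is an added example, not code from the thread or from Squid: it models the mark arithmetic of the iptables MARK --set-xmark and TPROXY --tproxy-mark targets (new_mark = (old_mark & ~mask) ^ value) and the ip rule fwmark selector (full-mark compare when no mask is given), so the two forms can be compared on sample packet marks, including a packet that already carries an unrelated mark bit.

```python
"""
Added example: fwmark arithmetic behind the quoted TPROXY/DIVERT setup.
Assumptions (from the iptables/iproute2 semantics, not from the thread):
  MARK --set-xmark V/M and TPROXY --tproxy-mark V/M both compute
      new_mark = (old_mark & ~M) ^ V
  'ip rule ... fwmark V[/M]' matches when (mark & M) == V, with M
  defaulting to 0xffffffff (i.e. an exact compare) when omitted.
"""
from typing import Tuple

FWMARK_BITS = 0xFFFFFFFF  # skb->mark is a 32-bit field


def parse_mark_spec(spec: str) -> Tuple[int, int]:
    """Parse 'value[/mask]' as printed by iptables -L and ip rule list.
    A missing mask means every bit counts (mask 0xffffffff)."""
    value_txt, _, mask_txt = spec.partition("/")
    value = int(value_txt, 0) & FWMARK_BITS
    mask = int(mask_txt, 0) & FWMARK_BITS if mask_txt else FWMARK_BITS
    return value, mask


def set_xmark(old_mark: int, spec: str) -> int:
    """MARK --set-xmark / TPROXY --tproxy-mark: (mark & ~mask) ^ value."""
    value, mask = parse_mark_spec(spec)
    return ((old_mark & ~mask) ^ value) & FWMARK_BITS


def rule_matches(mark: int, fwmark_spec: str) -> bool:
    """ip rule 'fwmark VALUE[/MASK]': (mark & mask) == value."""
    value, mask = parse_mark_spec(fwmark_spec)
    return (mark & mask) == value


def routes_via_table_100(old_mark: int, mark_spec: str,
                         fwmark_spec: str = "0x1") -> bool:
    """Would a packet carrying old_mark, after the MARK/TPROXY rule given
    by mark_spec, hit the thread's 'from all fwmark 0x1 lookup 100' rule?"""
    return rule_matches(set_xmark(old_mark, mark_spec), fwmark_spec)


if __name__ == "__main__":
    # Constructed sample marks: a clean packet (0x0) and one that already
    # carries an unrelated mark bit (0x2) from some other mangle rule.
    for old in (0x0, 0x2):
        for spec in ("0x1/0xffffffff", "0x1/0x1"):
            new = set_xmark(old, spec)
            print(f"old={old:#x} xset {spec:<15} -> new={new:#x} "
                  f"lookup-100={routes_via_table_100(old, spec)}")
```

Running it shows that both forms set bit 0 on a clean packet, but only the full-mask form guarantees the exact value 0x1 that an unmasked "fwmark 0x1" rule compares against when other mark bits are already present.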
Received on Sun Feb 08 2009 - 22:36:16 MST
