Re: [squid-users] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 15 Feb 2009 13:22:08 +1300

Hamid Hashemi wrote:
> Hi,
>
>
> Here is my situation :
>
>
> * CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this patch : http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
> * iptables v1.4.3-rc1 ( ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-20090206.tar.bz2 )
> * squid 3.1.0.5 RC ( http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.5.tar.bz2 ) and compiled with these options : "'--enable-poll' '--enable-storeio=aufs,diskd,ufs' '--with-pthreads' '--enable-removal-policies=heap,lru' '--enable-linux-netfilter' '--enable-useragent-log' '--enable-referer-log' '--enable-underscores' '--disable-dependency-tracking' '--disable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for'
> '--enable-cache-digests' '--enable-delay-pools' '--enable-truncate'
> '--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
> '--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
> '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
> '--with-filedescriptors=8192' --with-squid=/usr/src/squid-3.1.0.5 --enable-ltdl-convenience"
> * with following iptables rules :
> [root_at_CACHE1 squid-3.1.0.5]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
> 2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain DIVERT (1 references)
> num target prot opt source destination
> 1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> [root_at_CACHE1 squid-3.1.0.5]#
> * With following iproute2 rules :
> [root_at_CACHE1 squid-3.1.0.5]# ip ru list
> 0: from all lookup 255
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
> [root_at_CACHE1 squid-3.1.0.5]# ip ro list table 100
> local default dev lo scope host
> [root_at_CACHE1 squid-3.1.0.5]#
>
> * with following http_port line in squid : http_port 3129 tproxy
> everything seems to be working and squid runs with these messages in cache.log :
> 2009/02/07 22:22:43| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 16.
>
> my requests seem to be redirected to port 3129 as I expected and the
> pages are loading properly. But the problem is that when I go to the site http://myipaddress.co.uk/ it gives me the cache ip address instead of my own client ip address. Here is the tethereal output for one of my requests :
>
> [root_at_CACHE1 ~]# tethereal host 213.171.218.15 -n
>
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth1
> 0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1
> 0.000004 213.171.218.15 -> 85.247.162.18 TCP 80 > 39571 [ACK] Seq=1 Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
> 0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
> 0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
> 0.199533 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11294268 TSER=0
> 0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0
> 0.504191 213.171.218.15 -> 85.247.162.2 TCP [TCP segment of a reassembled PDU]
> 0.504199 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
> 0.504241 213.171.218.15 -> 85.247.162.2 HTTP HTTP/1.1 200 OK (text/html)
> 0.504246 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451 Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
> 0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK (text/html)
> 0.504364 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
> 0.504402 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP traffic
> 0.514428 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
> 0.514577 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
> 0.517022 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK] Seq=386 Ack=2213 Win=4110 Len=0 TSV=2135390 TSER=11294570
>
> Where my client ip address is 85.247.162.18 and my cache server ip
> address is 85.247.162.2. This means that the client ip spoofing is not
> working with tproxy4. Can anyone guide me?
>

That tethereal trace appears to show the spoofing going on:

     Client
(85.247.162.18)
       ||
(213.171.218.15)
     Squid
(85.247.162.2)
       ||
(213.171.218.15)
   Web Server

Client identifies itself as connecting to the web server directly.

The server-side bit is not spoofing though.

Does that change with:
   iptables -t mangle -A DIVERT -j MARK --set-mark 0x1/0x1

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
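The distinction Amos draws (the client side looks transparent, the server side still connects from the cache's own address) can be checked mechanically from a capture. The following is an added example, not code from the thread or from Squid: it parses lines in the one-packet-per-line summary format that tethereal/tshark prints, and reports which source addresses the SYNs toward the origin server carry. The sample capture is constructed from a few lines of the posted trace; the address roles are passed in as parameters.

```python
import re
from collections import Counter

# Constructed sample in the tethereal/tshark summary format seen in the post
# (timestamp, src -> dst, protocol, info); the "Running as user" banner is included
# on purpose to show that non-packet lines are skipped.
SAMPLE_CAPTURE = """\
Running as user "root" and group "root". This could be dangerous.
0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1
0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0
0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0
0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK (text/html)
"""

LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>[\d.]+) -> (?P<dst>[\d.]+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)

def parse_capture(text):
    """Yield (src, dst, proto, info) for every packet summary line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), m.group("info")

def outbound_syn_sources(text, server_ip):
    """Count source addresses of pure SYNs (not SYN/ACK) sent toward the origin server.
    With working server-side TPROXY spoofing these are client addresses, never the proxy's."""
    counts = Counter()
    for src, dst, proto, info in parse_capture(text):
        if dst == server_ip and proto == "TCP" and "[SYN]" in info:
            counts[src] += 1
    return counts

def check_spoofing(text, client_ip, proxy_ip, server_ip):
    """Return (client_side_transparent, server_side_spoofed).

    client_side_transparent: the client receives replies that appear to come from the
    origin server, i.e. the interception itself is invisible to the client.
    server_side_spoofed: no connection toward the origin server originates from the
    proxy's own address (that is what the trace in the thread fails to show)."""
    pkts = list(parse_capture(text))
    client_side = any(src == server_ip and dst == client_ip for src, dst, _, _ in pkts)
    syns = outbound_syn_sources(text, server_ip)
    server_side = bool(syns) and proxy_ip not in syns
    return client_side, server_side
```

Running `check_spoofing(SAMPLE_CAPTURE, "85.247.162.18", "85.247.162.2", "213.171.218.15")` on the sample yields `(True, False)`, matching Amos's reading of the trace.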
Received on Sun Feb 15 2009 - 00:22:01 MST