RE: [squid-users] Forward loop detected: what does this mean?

From: Boniforti Flavio <flavio_at_piramide.ch>
Date: Thu, 19 May 2011 17:01:18 +0200

Hello Amos...

> > What does that forward loop mean
>
> Your squid is sending requests out which subsequently arrive
> back to it.

OK.

> > and how could it happen? I've noticed
>
> Most likely your NAT rules are broken. Packets leaving Squid
> MUST NOT be sent back to Squid's listening port.

This is my iptables setup:

proxy:/var/log/squid3# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 208K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
62956 3123K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
   10   548 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:81:83 redir ports 3128
   31  1542 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21 to:172.16.16.254
 4689  277K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 80,443 to:172.16.16.254
   19  1144 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 to:172.16.16.254
   14   822 DNAT       47   --  eth1   *       0.0.0.0/0            0.0.0.0/0            to:172.16.16.254
 4170  213K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.16.16.254
    8   444 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.16.16.254
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555 to:172.16.16.37
  227 13204 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22,873 to:172.16.16.240

Chain INPUT (policy ACCEPT 96511 packets, 7924K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 341K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 291K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
 234K   18M MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

What you see there are some services redirected to my internal servers
and the rule for intercepting web traffic...

> Or maybe the requests are for a domain which is pointing at
> your Squid with its IPs.
>
> > that the originating IP was from a PC I had in my LAN which was
> > infected with some sort of mal-/spy-ware...
>
> Or some attempted attack which is being short-circuited by
> setting the attackers domain to point at 0.0.0.0 or
> 127.0.0.1. In which case "http_access deny to_localhost" with
> the default definition of to_localhost should block it before looping.

I get tons of these in the access.log:

1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -

What could this mean? It looks like the PC is trying to connect to
the proxy port 3128, which is then directed to itself... uh?!
I'll be investigating further on the client "victim" (172.16.16.38)...

Kind regards,
Flavio Boniforti

PIRAMIDE INFORMATICA SAGL
Via Ballerini 21
6600 Locarno
Switzerland
Phone: +41 91 751 68 81
Fax: +41 91 751 69 14
URL: http://www.piramide.ch
E-mail: flavio_at_piramide.ch
Received on Thu May 19 2011 - 15:01:22 MDT

This archive was generated by hypermail 2.2.0 : Fri May 20 2011 - 12:00:02 MDT
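As an added example (not code from the original post, and not part of Squid itself), here is a small Python parser for Squid's native access.log format that flags forward-loop candidates: entries where the request URL names the proxy's own address and listening port, or where Squid chose DIRECT to one of its own addresses, as the two log lines quoted above do. The proxy address set (172.16.16.1 plus loopback), the port 3128, and the two additional "normal" log lines in the sample are assumptions constructed for the example.

```python
"""Flag forward-loop candidates in a Squid access.log (native format)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Squid native access.log layout, as in the lines quoted in the post:
# time elapsed client code/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Assumed for the example: the proxy's own addresses and its intercept port.
PROXY_ADDRS: Set[str] = {"172.16.16.1", "127.0.0.1"}
PROXY_PORT = 3128

# Constructed sample: the two lines from the post plus two ordinary requests
# from another client (198.51.100.10 is a documentation address).
SAMPLE_LOG = """\
1305812157.825  14481 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812227.706  14095 172.16.16.38 TCP_MISS/000 0 GET http://172.16.16.1:3128/ - DIRECT/172.16.16.1 -
1305812230.101    312 172.16.16.40 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/198.51.100.10 text/html
1305812231.555    840 172.16.16.40 TCP_MISS/200 0 CONNECT www.example.com:443 - DIRECT/198.51.100.10 -
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: str
    nbytes: int
    method: str
    url: str
    hier: str
    peer: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(float(m["ts"]), int(m["elapsed"]), m["client"], m["code"],
                 m["status"], int(m["bytes"]), m["method"], m["url"],
                 m["hier"], m["peer"])


def target_host_port(method: str, url: str) -> Tuple[Optional[str], Optional[int]]:
    """Host and port the request is really aimed at (origin server)."""
    if "://" not in url:
        # CONNECT requests are logged as a bare host:port, not a URL.
        host, sep, port = url.rpartition(":")
        if not sep:
            return (url, None)
        return (host, int(port) if port.isdigit() else None)
    u = urlsplit(url)
    default = 443 if u.scheme == "https" else 80
    return (u.hostname, u.port or default)


def is_loop_candidate(e: Entry, proxy_addrs: Set[str], proxy_port: int) -> bool:
    """True when the request would come back to the proxy itself.

    Two signals, either of which is enough:
      * hierarchy decision DIRECT with a peer that is one of the proxy's own
        addresses (Squid opening a connection to itself);
      * a request URL that names the proxy's own address and listening port,
        which is exactly what the two quoted lines show.
    """
    direct_to_self = e.hier == "DIRECT" and e.peer in proxy_addrs
    host, port = target_host_port(e.method, e.url)
    url_to_self = host in proxy_addrs and port == proxy_port
    return direct_to_self or url_to_self


def find_loops(lines: Iterable[str], proxy_addrs: Set[str], proxy_port: int) -> List[Entry]:
    """Return every parsable entry that looks like a forward loop."""
    hits: List[Entry] = []
    for line in lines:
        e = parse_line(line)
        if e is not None and is_loop_candidate(e, proxy_addrs, proxy_port):
            hits.append(e)
    return hits


def loops_per_client(entries: Iterable[Entry]) -> Dict[str, int]:
    """Count loop candidates by client address: the hosts worth inspecting."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.client] = counts.get(e.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_loops(SAMPLE_LOG.splitlines(), PROXY_ADDRS, PROXY_PORT)
    for client, n in loops_per_client(found).items():
        print(f"{client}: {n} loop candidate(s)")
```

Run it against a real log with `find_loops(open("/var/log/squid3/access.log"), ...)`; the per-client counts point at the hosts to look at, which in the post's case is 172.16.16.38. The URL check is the stricter signal; the DIRECT-to-own-address check also catches the case Amos mentions of a domain name that resolves to the proxy's own IP.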