Re: [squid-users] squid transparent nat interception

From: Amos Jeffries <>
Date: Fri, 31 Aug 2012 01:18:37 +1200

On 30/08/2012 10:23 p.m., Pawel Mojski wrote:
> On 30-Aug-12 11:13, Eliezer Croitoru wrote:
>> As I said, you must change the DNAT rule and be more explicit, because
>> it will cause a loop: when Squid tries to read port 80 it will be
>> DNATed to itself.
>> Since these Squid versions you are talking about are at my sleeve, it
>> must be the reason.
> Eliezer,
> As I mentioned before, the problem isn't on the gateway or the redirection.
> The problem is in the new implementation of the "transparent" proxy type in
> Squid 3.2.
> In the 3.1 version, when a client connected to the transparent port, Squid
> read the Host: header, then resolved the hostname to an IP address and
> connected to the resolved IP address.

Causing a major security vulnerability in the process. The vulnerability
has now been fixed in 3.2. Resulting in....

> In the 3.2 version Squid reads the destination address from the TCP SYN packet
> and then connects to this IP address.

NOTE: that only happens IF the Host header domain does not match the
SYN packet destination IP address, or client_dst_passthru is turned ON.

Given that Squid is finding its own IP in the SYN packet, config options
are not going to fix it magically back to a remote domain IP. In
preparation for this change in 3.2 I've been saying (and documenting
everywhere possible) for over two years now that when intercepting
traffic into Squid the NAT *MUST* be performed on the Squid box. Use
normal packet routing ("policy routing") in external devices to forward
the packets at the Squid box properly then do the NAT there.
See your router vendor's documentation for details on policy routing
configuration. We supply
written specifically for Linux routers or similar WRT home-user devices
if you are dealing with those.

> So, when transparent is implemented as "REDIRECT", Squid receives the
> original TCP SYN packet and has the original destination address, so
> Squid is able to connect to the original destination server.
> When transparent is implemented as "DNAT", the original destination
> address is replaced by the DNAT address, and the DNAT address is a Squid
> address, so Squid is trying to connect to itself.
> And that's why I have a problem. I have to force Squid to use the old
> (like in 3.1) transparent connection mechanism.

No. You just need the NAT to happen on the Squid box. That way Squid has
access to the pre-NAT IP address and will un-NAT the server traffic back
to the original destination after filtering.

FYI: DNAT and REDIRECT are almost identical. The only behaviour
difference is that DNAT requires a static fixed-IP and REDIRECT uses the
box primary IP (suitable for DHCP assigned machines, such as a drop-in
proxy device).
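A small model, added here and not taken from Squid's source or from this thread, of the destination selection described above and of why NAT done on an external router ends in Squid connecting to itself. The DNS answers and addresses are constructed; `client_dst_passthru` is the real directive named in the reply, everything else is illustrative.

```python
from dataclasses import dataclass

# Constructed DNS answers and addresses for the model (not real infrastructure).
DNS = {"www.example.com": "93.184.216.34", "other.example": "198.51.100.7"}
SQUID_BOX_IP = "10.0.0.2"   # the proxy host's own address (constructed)

@dataclass
class SynPacket:
    dst: str       # destination IP on the SYN as the Squid box's kernel sees it
    orig_dst: str  # pre-NAT destination recoverable from the local NAT table

def intercept(client_dst: str, nat_on_squid_box: bool) -> SynPacket:
    """Model where the NAT happened. DNAT or REDIRECT on the Squid box keeps the
    pre-NAT address in the local NAT table, so Squid can look it up; NAT on an
    upstream router rewrites the SYN before it arrives and that address is gone."""
    if nat_on_squid_box:
        return SynPacket(dst=SQUID_BOX_IP, orig_dst=client_dst)
    return SynPacket(dst=SQUID_BOX_IP, orig_dst=SQUID_BOX_IP)

def upstream_31(host_header: str) -> str:
    """Squid 3.1 behaviour: resolve the client-supplied Host header, connect there."""
    return DNS[host_header]

def upstream_32(syn: SynPacket, host_header: str, client_dst_passthru: bool = False):
    """Squid 3.2 behaviour: connect to the original destination from the SYN.
    Returns (upstream_ip, host_verified). The DNS answer for Host counts as
    verified only when it matches that destination and client_dst_passthru is off."""
    if syn.orig_dst == SQUID_BOX_IP:
        raise RuntimeError("forwarding loop: original destination is Squid itself")
    verified = (not client_dst_passthru) and DNS.get(host_header) == syn.orig_dst
    return syn.orig_dst, verified

def compare(client_dst: str, host_header: str, nat_on_squid_box: bool) -> dict:
    """Run both behaviours for one intercepted request and report the outcome."""
    syn = intercept(client_dst, nat_on_squid_box)
    try:
        ip32, verified = upstream_32(syn, host_header)
        result32 = f"{ip32} (Host verified={verified})"
    except RuntimeError as err:
        result32 = str(err)
    return {"3.1": upstream_31(host_header), "3.2": result32}

if __name__ == "__main__":
    # DNAT on an external router: 3.1 still works, 3.2 hits the loop.
    print(compare("93.184.216.34", "www.example.com", nat_on_squid_box=False))
    # NAT moved onto the Squid box: 3.2 reaches the real destination.
    print(compare("93.184.216.34", "www.example.com", nat_on_squid_box=True))
```

The third case worth running is a Host header naming a different site than the IP the client dialled: 3.1 follows the header, 3.2 pins to the dialled address and marks the Host as unverified.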

Received on Thu Aug 30 2012 - 13:18:48 MDT
