[squid-users] TProxy not faking source address.

From: <admin_at_azuni.net>
Date: Mon, 11 May 2009 22:48:31 +0500

Hello, I'm trying to get TProxy 4.1 to work as outlined here:
http://wiki.squid-cache.org/Features/Tproxy4
namely under Ubuntu 9.04 stable/testing mix with the following:
linux-image-2.6.28-11-server 2.6.28-11.42
iptables 1.4.3.2-2ubuntu1
squid-3.1.0.7.tar.bz2 from original sources

Squid has been built this way:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.1.0.7
configure options: '--enable-linux-netfilter'
--with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
(myself I only gave it --enable-linux-netfilter)

squid.conf is pretty much whatever 'make install' created, with my
changes given at the end, after the blank line:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /usr/local/squid/var/cache

cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_mem 16 MB
http_port 3129 tproxy
visible_hostname tproxy

Then I did:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

#Use DIVERT to prevent existing connections going through TPROXY twice:

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

#Mark all other (new) packets and use TPROXY to pass into Squid:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

#On each boot startup set:

echo 1 > /proc/sys/net/ipv4/ip_forward

ran squid -z and launched squid.

My topology:
desktop where I sit: one link has address 192.168.0.1/24, the other to
the Internet
Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
same box as desktop), the other link is custom VMware interface
192.168.1.1/24
The "client" box: single interface 192.168.1.2/24

So, the squid box is directly connected to the outside on the one side,
and to the client on the other. My desktop's routing knows to reach the
client through the Squid box, and vice versa, so the port 80 traffic
under consideration flows through the Squid box in both ways.

Now, after I do this on the "client":
$ telnet 192.168.0.1 80
GET / HTTP/1.0

(correct webpage output)
Connection closed by foreign host.

Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
connecting, not the TProxied 192.168.1.2, as if working under the plain
ole interception proxying I've been trying to get rid of!

Why?! Counters on the Squid box do get bumped:

$ sudo iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
  pkts bytes target prot opt in out source
destination
  2274 214K DIVERT tcp -- * * 0.0.0.0/0
0.0.0.0/0 socket
    16 920 TPROXY tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

...

Chain DIVERT (1 references)
  pkts bytes target prot opt in out source
destination
  2274 214K MARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK xset 0x1/0xffffffff
  2274 214K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0

Thanks for any tips.
Received on Mon May 11 2009 - 21:11:36 MDT

This archive was generated by hypermail 2.2.0 : Tue May 12 2009 - 12:00:02 MDT