Re: [squid-users] TProxy not faking source address.

From: Omid Kosari <omidkosari_at_yahoo.com>
Date: Sun, 17 May 2009 12:14:30 -0700 (PDT)

Another thing that may be helpful: when I enable
http_port 3128 intercept
in squid.conf, the following message appears in cache.log

cache squid[14701]: IpIntercept.cc(132) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 24: (11) Resource temporarily unavailable

Omid Kosari wrote:
>
> I have Ubuntu 9.04 (Jaunty), but squid->client spoofing also does not work.
> It shows squid's IP in tproxy mode.
>
> dmesg shows
> [ 21.186636] ip_tables: (C) 2000-2006 Netfilter Core Team
> [ 21.319881] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> [ 21.319884] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>
> and squid.conf has
>
> http_port 3128
> http_port 3129 tproxy
>
> i have compiled squid with these settings
> ./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
> --mandir=/usr/share/man --localstatedir=/var --with-logdir=/var/log/squid
> --prefix=/usr --enable-inline --enable-async-io=8
> --enable-storeio="ufs,aufs" --enable-removal-policies="lru,heap"
> --enable-delay-pools --enable-cache-digests --enable-underscores
> --enable-icap-client --enable-follow-x-forwarded-for
> --with-filedescriptors=65536 --with-default-user=proxy
> --enable-large-files --enable-linux-netfilter
> and squid is 3.1.0.7
>
> The debug_options ALL,1 89,6 output is the same as when we have no debug_options
> at all!!
>
> I had tproxy with my custom kernels, but upgraded to Ubuntu 9.04 (Jaunty)
> to avoid custom compiling of the kernel and iptables, and it does not work.
>
>
>
> Amos Jeffries-2 wrote:
>>
>> rihad wrote:
>>> Looks like I'm the only one trying to use TProxy? Somebody else, please?
>>> To summarize: Squid does NOT spoof client's IP address when initiating
>>> connections on its own. Just as if there weren't a thing named "TProxy".
>>
>> We have had a fair few trying it with complete success when it's the only
>> thing used. This kind of thing seems to crop up with WCCP, for you and
>> one other.
>>
>> I'm not sure yet what the problem seems to be. Can you check your
>> cache.log for messages about "Stopping full transparency", the rest of
>> the message says why. I've updated the wiki troubleshooting section to
>> list the messages that appear when tproxy is turned off automatically
>> and what needs to be done to fix it.
>>
>> If you can't see any of those please can you set:
>> debug_options ALL,1 89,6
>>
>> to see what's going on?
>>
>> I know the squid->client link should be 100% spoofed. I'm not fully
>> certain the squid->server link is actually spoofed in all cases. Though
>> one report indicates it may be, I have not been able to test it locally
>> yet.
>>
>>
>> Amos
>>
>>
>>>
>>> Original message follows (not to be confused with top-posting):
>>>
>>>> Hello, I'm trying to get TProxy 4.1 to work as outlined here:
>>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>> namely under Ubuntu 9.04 stable/testing mix with the following:
>>>> linux-image-2.6.28-11-server 2.6.28-11.42
>>>> iptables 1.4.3.2-2ubuntu1
>>>> squid-3.1.0.7.tar.bz2 from original sources
>>>>
>>>> Squid has been built this way:
>>>> $ /usr/local/squid/sbin/squid -v
>>>> Squid Cache: Version 3.1.0.7
>>>> configure options: '--enable-linux-netfilter'
>>>> --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
>>>> (myself I only gave it --enable-linux-netfilter)
>>>>
>>>> squid.conf is pretty much whatever 'make install' created, with my
>>>> changes given at the end, after the blank line:
>>>>
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localnet
>>>> http_access deny all
>>>> http_port 3128
>>>> hierarchy_stoplist cgi-bin ?
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern . 0 20% 4320
>>>> coredump_dir /usr/local/squid/var/cache
>>>>
>>>> cache_dir ufs /usr/local/squid/var/cache 100 16 256
>>>> cache_mem 16 MB
>>>> http_port 3129 tproxy
>>>> visible_hostname tproxy
>>>>
>>>> Then I did:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>
>>>> #Use DIVERT to prevent existing connections going through TPROXY twice:
>>>>
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>
>>>> #Mark all other (new) packets and use TPROXY to pass into Squid:
>>>>
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>>
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>
>>>> #On each boot startup set:
>>>>
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> ran squid -z and launched squid.
>>>>
>>>> My topology:
>>>> desktop where I sit: one link has address 192.168.0.1/24, the other to
>>>> the Internet
>>>> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
>>>> same box as desktop), the other link is custom VMware interface
>>>> 192.168.1.1/24
>>>> The "client" box: single interface 192.168.1.2/24
>>>>
>>>> So, the squid box is directly connected to the outside on the one side,
>>>> and to the client on the other. My desktop's routing knows to reach the
>>>> client through the Squid box, and vice versa, so the port 80 traffic
>>>> under consideration flows through the Squid box in both ways.
>>>>
>>>> Now, after I do this on the "client":
>>>> $ telnet 192.168.0.1 80
>>>> GET / HTTP/1.0
>>>>
>>>> (correct webpage output)
>>>> Connection closed by foreign host.
>>>>
>>>> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
>>>> connecting, not the TProxied 192.168.1.2, as if working under the plain
>>>> ole interception proxying I've been trying to get rid of!
>>>>
>>>> Why?! Counters on the Squid box do get bumped:
>>>>
>>>> $ sudo iptables -t mangle -L -v -n
>>>> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
>>>>  pkts bytes target prot opt in  out source    destination
>>>>  2274  214K DIVERT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   socket
>>>>    16   920 TPROXY tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>>>
>>>> ...
>>>>
>>>> Chain DIVERT (1 references)
>>>>  pkts bytes target prot opt in  out source    destination
>>>>  2274  214K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK xset 0x1/0xffffffff
>>>>  2274  214K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
>>>>
>>>>
>>>> Thanks for any tips.
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>> Current Beta Squid 3.1.0.7
>>
>>
>
>

-- 
View this message in context: http://www.nabble.com/TProxy-not-faking-source-address.-tp23544464p23586637.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Sun May 17 2009 - 19:14:32 MDT

This archive was generated by hypermail 2.2.0 : Mon May 18 2009 - 12:00:02 MDT
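Added example, not Squid's code and not part of the thread above: the two socket operations a TPROXY-aware proxy on Linux has to get right for the webserver at 192.168.0.1 to log the client 192.168.1.2 instead of the proxy 192.168.0.184. On the accepted socket the original destination is the socket's own local address (getsockname()), because TPROXY delivers the packet to the listener without rewriting it, so there is no NAT entry for SO_ORIGINAL_DST to read; SO_ORIGINAL_DST is what the REDIRECT-based "intercept" port uses, which is where the cache.log line quoted in the reply comes from. On the outbound socket the proxy sets IP_TRANSPARENT and bind()s to the client's address before connect(); that setsockopt needs CAP_NET_ADMIN, and the replies to the spoofed address only reach the proxy because of the "ip rule add fwmark 1 lookup 100" / "ip route add local 0.0.0.0/0 dev lo table 100" pair and the "-m socket -j DIVERT" marking rule from the original post. The listener port 3129 comes from the thread; the bind address, client address and the function names are assumptions made for this example.

```c
/*
 * Added example (not Squid's code): minimal TPROXY listener plus an upstream
 * connection that spoofs the client's source address.  Linux, IPv4 only.
 *
 * Kernel-side requirements carried over from the thread (not done here):
 *   iptables -t mangle ... -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
 *   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT   (MARK 1, ACCEPT)
 *   ip rule add fwmark 1 lookup 100 ; ip route add local 0.0.0.0/0 dev lo table 100
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value used by Linux; older headers lack the macro */
#endif

/* TCP listener able to accept TPROXY-diverted connections whose destination
 * is not a local address.  *transparent_ok reports whether IP_TRANSPARENT took
 * (it fails with EPERM without CAP_NET_ADMIN; the socket then still works as an
 * ordinary listener, which is enough to show the getsockname() step). */
int tproxy_listener(const char *bind_ip, uint16_t port, int *transparent_ok)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    *transparent_ok = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Original destination of a TPROXY-accepted socket is its local address:
 * no SO_ORIGINAL_DST / conntrack lookup is involved. */
int tproxy_original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    return getsockname(fd, (struct sockaddr *)dst, &len);
}

/* Source to present upstream: the client's IP with an ephemeral port. */
void tproxy_spoof_source(const struct sockaddr_in *client, struct sockaddr_in *src)
{
    memset(src, 0, sizeof *src);
    src->sin_family = AF_INET;
    src->sin_addr = client->sin_addr;
    src->sin_port = 0;
}

/* Connect to dst with the client's address as source.  Requires CAP_NET_ADMIN
 * for IP_TRANSPARENT; without it bind() to the non-local address is refused. */
int tproxy_connect_as_client(const struct sockaddr_in *client, const struct sockaddr_in *dst)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    struct sockaddr_in src;
    tproxy_spoof_source(client, &src);
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

int main(void)
{
    int transparent = 0;
    int lfd = tproxy_listener("0.0.0.0", 3129, &transparent);   /* thread's "http_port 3129 tproxy" */
    if (lfd < 0) { perror("listen"); return 1; }
    printf("IP_TRANSPARENT on listener: %s\n", transparent ? "yes" : "no (need CAP_NET_ADMIN)");
    struct sockaddr_in client, dst; socklen_t clen = sizeof client;
    int cfd = accept(lfd, (struct sockaddr *)&client, &clen);
    if (cfd < 0 || tproxy_original_dst(cfd, &dst) < 0) { perror("accept/getsockname"); return 1; }
    char cbuf[INET_ADDRSTRLEN], dbuf[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &client.sin_addr, cbuf, sizeof cbuf);
    inet_ntop(AF_INET, &dst.sin_addr, dbuf, sizeof dbuf);
    printf("client %s:%u -> original destination %s:%u\n",
           cbuf, ntohs(client.sin_port), dbuf, ntohs(dst.sin_port));
    int ufd = tproxy_connect_as_client(&client, &dst);
    if (ufd < 0) perror("upstream connect with spoofed source");
    else { printf("upstream connected as %s\n", cbuf); close(ufd); }
    close(cfd); close(lfd);
    return 0;
}
```

Run it as root on the Squid box with Squid stopped and the thread's iptables and ip rule lines in place, then repeat the client's "telnet 192.168.0.1 80"; if the upstream connect succeeds the webserver's log should show 192.168.1.2. If the listener reports "no (need CAP_NET_ADMIN)" or the upstream connect fails with EPERM or EADDRNOTAVAIL, the spoofing step is what is missing, not the iptables diversion, which is the split Amos asks to confirm.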