Re: [squid-users] TProxy not faking source address.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 18 May 2009 12:24:27 +1200 (NZST)

>
> Another thing maybe helpful
> when i enable
> http_port 3128 intercept
> in squid.conf , following message appears in cache.log
>
> cache squid[14701]: IpIntercept.cc(132) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 24: (11) Resource temporarily unavailable
>

I'm aware of that. 'intercept' is a NAT lookup and will throw up errors on
any non-NAT input. 'tproxy' is a spoofed SOCKET lookup.

I don't think any of the basic Ubuntu kernels have the TPROXY options set
yet. That would account for your custom ones working but the general
kernels not.

Amos
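The checks this answer points at (kernel TPROXY support, plus the rule ordering and policy routing from the setup quoted below), as an added pre-flight script that is not part of this thread or of Squid; mark 1, table 100 and the squid.conf path are assumptions taken from the messages below.

```shell
# Added example, not from the thread: pre-flight checks for the TPROXY setup
# described above. Each check takes its input as text, so it works on captured
# output too. Mark 1, table 100 and the conf path are assumptions from above.
SQUID_CONF="${SQUID_CONF:-/etc/squid3/squid.conf}"

# Kernel side: the TPROXY target and the 'socket' match must be registered.
# Input: contents of /proc/net/ip_tables_targets or /proc/net/ip_tables_matches.
tproxy_target_present() { printf '%s\n' "$1" | grep -qx 'TPROXY'; }
socket_match_present()  { printf '%s\n' "$1" | grep -qx 'socket'; }

# Rule order: the '-m socket' (DIVERT) rule must precede the TPROXY rule, or
# packets of already-accepted connections go through TPROXY a second time.
# Input: output of `iptables -t mangle -S PREROUTING`.
divert_before_tproxy() {
    printf '%s\n' "$1" | awk '
        /-m socket/ && !s { s = NR }
        /-j TPROXY/ && !t { t = NR }
        END { exit !(s && t && s < t) }'
}

# Policy routing: marked packets need a table whose default route is local,
# or replies carrying the spoofed client address get forwarded instead of
# delivered to Squid. Inputs: `ip rule show` (decimal mark, table number)
# and `ip route show table <n>` output.
fwmark_rule_present() { printf '%s\n' "$1" | grep -Eq "fwmark (0x)?$2 lookup $3"; }
local_default_route()  { printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; }

# Squid side: print ports configured with 'tproxy'. A port flagged 'intercept'
# does a NAT lookup instead and logs the SO_ORIGINAL_DST error quoted above.
squid_tproxy_ports() {
    printf '%s\n' "$1" | awk '$1 == "http_port" && / tproxy( |$)/ { sub(/.*:/, "", $2); print $2 }'
}
# Live run (root needed for iptables): one line per failed check, non-zero exit.
run_live_checks() {
    rc=0
    tproxy_target_present "$(cat /proc/net/ip_tables_targets 2>/dev/null)" ||
        { echo "TPROXY target missing: kernel or iptables built without it"; rc=1; }
    socket_match_present "$(cat /proc/net/ip_tables_matches 2>/dev/null)" ||
        { echo "'socket' match missing (xt_socket)"; rc=1; }
    divert_before_tproxy "$(iptables -t mangle -S PREROUTING 2>/dev/null)" ||
        { echo "mangle PREROUTING: '-m socket' rule must come before TPROXY"; rc=1; }
    fwmark_rule_present "$(ip rule show 2>/dev/null)" 1 100 ||
        { echo "missing 'ip rule add fwmark 1 lookup 100'"; rc=1; }
    local_default_route "$(ip route show table 100 2>/dev/null)" ||
        { echo "table 100 lacks 'local default dev lo'"; rc=1; }
    [ -n "$(squid_tproxy_ports "$(cat "$SQUID_CONF" 2>/dev/null)")" ] ||
        { echo "$SQUID_CONF has no 'http_port ... tproxy' line"; rc=1; }
    return $rc
}
```

Source the file and call run_live_checks on the Squid box; each function can also be fed output captured from another host.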

>
>
> Omid Kosari wrote:
>>
>> I have Ubuntu 9.04 (Jaunty) but also squid->client spoofing does not
>> work. It shows squid's IP in tproxy mode.
>>
>> dmesg shows
>> [ 21.186636] ip_tables: (C) 2000-2006 Netfilter Core Team
>> [ 21.319881] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
>> [ 21.319884] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
>>
>> and squid.conf has
>>
>> http_port 3128
>> http_port 3129 tproxy
>>
>> I have compiled squid with these settings
>> ./configure --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3
>> --mandir=/usr/share/man --localstatedir=/var
>> --with-logdir=/var/log/squid
>> --prefix=/usr --enable-inline --enable-async-io=8
>> --enable-storeio="ufs,aufs" --enable-removal-policies="lru,heap"
>> --enable-delay-pools --enable-cache-digests --enable-underscores
>> --enable-icap-client --enable-follow-x-forwarded-for
>> --with-filedescriptors=65536 --with-default-user=proxy
>> --enable-large-files --enable-linux-netfilter
>> and squid is 3.1.0.7
>>
>> the debug_options ALL,1 89,6 output is like when we have no debug_options
>> at all!!
>>
>> I had tproxy with my custom kernels but upgraded to Ubuntu 9.04 (Jaunty)
>> to avoid custom compiling of the kernel and iptables, but it does not work.
>>
>>
>>
>> Amos Jeffries-2 wrote:
>>>
>>> rihad wrote:
>>>> Looks like I'm the only one trying to use TProxy? Somebody else,
>>>> please?
>>>> To summarize: Squid does NOT spoof client's IP address when initiating
>>>> connections on its own. Just as if there weren't a thing named
>>>> "TProxy".
>>>
>>> We have had a fair few trying it with complete success when it's the
>>> only thing used. This kind of thing seems to crop up with WCCP, for you
>>> and one other.
>>>
>>> I'm not sure yet what the problem seems to be. Can you check your
>>> cache.log for messages about "Stopping full transparency", the rest of
>>> the message says why. I've updated the wiki troubleshooting section to
>>> list the messages that appear when tproxy is turned off automatically
>>> and what needs to be done to fix it.
>>>
>>> If you can't see any of those please can you set:
>>> debug_options ALL,1 89,6
>>>
>>> to see what's going on?
>>>
>>> I know the squid->client link should be 100% spoofed. I'm not fully
>>> certain the squid->server link is actually spoofed in all cases. Though
>>> one report indicates it may be, I have not been able to test it locally
>>> yet.
>>>
>>>
>>> Amos
>>>
>>>
>>>>
>>>> Original message follows (not to be confused with top-posting):
>>>>
>>>>> Hello, I'm trying to get TProxy 4.1 to work as outlined here:
>>>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>>> namely under Ubuntu 9.04 stable/testing mix with the following:
>>>>> linux-image-2.6.28-11-server 2.6.28-11.42
>>>>> iptables 1.4.3.2-2ubuntu1
>>>>> squid-3.1.0.7.tar.bz2 from original sources
>>>>>
>>>>> Squid has been built this way:
>>>>> $ /usr/local/squid/sbin/squid -v
>>>>> Squid Cache: Version 3.1.0.7
>>>>> configure options: '--enable-linux-netfilter'
>>>>> --with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
>>>>> (myself I only gave it --enable-linux-netfilter)
>>>>>
>>>>> squid.conf is pretty much whatever 'make install' created, with my
>>>>> changes given at the end, after the blank line:
>>>>>
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32
>>>>> acl to_localhost dst 127.0.0.0/8
>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>> acl SSL_ports port 443
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 # https
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>> http_access allow localnet
>>>>> http_access deny all
>>>>> http_port 3128
>>>>> hierarchy_stoplist cgi-bin ?
>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>>> refresh_pattern . 0 20% 4320
>>>>> coredump_dir /usr/local/squid/var/cache
>>>>>
>>>>> cache_dir ufs /usr/local/squid/var/cache 100 16 256
>>>>> cache_mem 16 MB
>>>>> http_port 3129 tproxy
>>>>> visible_hostname tproxy
>>>>>
>>>>> Then I did:
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>
>>>>> #Use DIVERT to prevent existing connections going through TPROXY twice:
>>>>>
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>
>>>>> #Mark all other (new) packets and use TPROXY to pass into Squid:
>>>>>
>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>
>>>>> #On each boot startup set:
>>>>>
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>
>>>>> ran squid -z and launched squid.
>>>>>
>>>>> My topology:
>>>>> desktop where I sit: one link has address 192.168.0.1/24, the other to
>>>>> the Internet
>>>>> Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
>>>>> same box as desktop), the other link is custom VMware interface
>>>>> 192.168.1.1/24
>>>>> The "client" box: single interface 192.168.1.2/24
>>>>>
>>>>> So, the squid box is directly connected to the outside on the one side,
>>>>> and to the client on the other. My desktop's routing knows to reach the
>>>>> client through the Squid box, and vice versa, so the port 80 traffic
>>>>> under consideration flows through the Squid box in both ways.
>>>>>
>>>>> Now, after I do this on the "client":
>>>>> $ telnet 192.168.0.1 80
>>>>> GET / HTTP/1.0
>>>>>
>>>>> (correct webpage output)
>>>>> Connection closed by foreign host.
>>>>>
>>>>> Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
>>>>> connecting, not the TProxied 192.168.1.2, as if working under the plain
>>>>> ole interception proxying I've been trying to get rid of!
>>>>>
>>>>> Why?! Counters on the Squid box do get bumped:
>>>>>
>>>>> $ sudo iptables -t mangle -L -v -n
>>>>> Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
>>>>>  pkts bytes target prot opt in  out source    destination
>>>>>  2274  214K DIVERT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   socket
>>>>>    16   920 TPROXY tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>>>>
>>>>> ...
>>>>>
>>>>> Chain DIVERT (1 references)
>>>>>  pkts bytes target prot opt in  out source    destination
>>>>>  2274  214K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK xset 0x1/0xffffffff
>>>>>  2274  214K ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0
>>>>>
>>>>>
>>>>> Thanks for any tips.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>>> Current Beta Squid 3.1.0.7
>>>
>>>
>>
>>
>
Received on Mon May 18 2009 - 00:35:15 MDT
