Squid doesn't seem to spoof client IP address.
Hello. I have set up a fully transparent http proxy, my problem is: squid sends requests with ip:port of the box running squid instead of the client's ip.
Here's my config:
kernel patch: tproxy4-2.6.26-200809262032
iptables patch: tproxy-iptables-1.4.0-20080521-113954-1211362794
squid: squid-3.HEAD-20081127
iptables & iproute rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
squid conf:
http_port 192.168.250.2:3128 tproxy
217.97.174.18 - my laptop
212.77.100.101 - some www page
tcpdump:
19:06:01.736342 IP 217.97.174.18.53401 > 192.168.250.2.80: S 2658655945:2658655945(0) win 5840 <mss 1440,sackOK,timestamp 6961615 0,nop,wscale 5>
19:06:01.736597 IP 192.168.250.2.80 > 217.97.174.18.53401: S 2655745023:2655745023(0) ack 2658655946 win 5792 <mss 1460,sackOK,timestamp 2617146 6961615,nop,wscale 7>
19:06:01.745935 IP 217.97.174.18.53401 > 192.168.250.2.80: . ack 1 win 183 <nop,nop,timestamp 6961619 2617146>
19:06:15.648614 IP 217.97.174.18.53401 > 192.168.250.2.80: P 1:29(28) ack 1 win 183 <nop,nop,timestamp 6975524 2617146>
19:06:15.648681 IP 192.168.250.2.80 > 217.97.174.18.53401: . ack 29 win 46 <nop,nop,timestamp 2620624 6975524>
19:06:17.130355 IP 217.97.174.18.53401 > 192.168.250.2.80: P 29:31(2) ack 1 win 183 <nop,nop,timestamp 6977004 2620624>
19:06:17.130447 IP 192.168.250.2.80 > 217.97.174.18.53401: . ack 31 win 46 <nop,nop,timestamp 2620994 6977004>
19:06:17.131289 IP 192.168.250.2.59447 > 212.77.100.101.80: S 2887325147:2887325147(0) win 5840 <mss 1460,sackOK,timestamp 2620994 0,nop,wscale 7>
19:06:17.353255 IP 217.97.174.18.34317 > 192.168.250.2.80: S 2917413960:2917413960(0) win 5840 <mss 1440,sackOK,timestamp 6977231 0,nop,wscale 5>
19:06:17.353338 IP 192.168.250.2.80 > 217.97.174.18.34317: S 2895521199:2895521199(0) ack 2917413961 win 5792 <mss 1460,sackOK,timestamp 2621050 6977231,nop,wscale 7>
19:06:17.357848 IP 217.97.174.18.34317 > 192.168.250.2.80: . ack 1 win 183 <nop,nop,timestamp 6977235 2621050>
19:06:17.358077 IP 217.97.174.18.34317 > 192.168.250.2.80: P 1:360(359) ack 1 win 183 <nop,nop,timestamp 6977235 2621050>
19:06:17.358133 IP 192.168.250.2.80 > 217.97.174.18.34317: . ack 360 win 54 <nop,nop,timestamp 2621051 6977235>
19:06:17.358230 IP 192.168.250.2.39336 > 217.97.173.21.80: S 2890323424:2890323424(0) win 5840 <mss 1460,sackOK,timestamp 2621051 0,nop,wscale 7>
19:06:17.358467 IP 217.97.173.21.80 > 192.168.250.2.39336: S 3189038941:3189038941(0) ack 2890323425 win 5792 <mss 1460,sackOK,timestamp 117140974 2621051,nop,wscale 7>
19:06:17.358530 IP 192.168.250.2.39336 > 217.97.173.21.80: . ack 1 win 46 <nop,nop,timestamp 2621051 117140974>
19:06:17.358671 IP 192.168.250.2.39336 > 217.97.173.21.80: P 1:462(461) ack 1 win 46 <nop,nop,timestamp 2621051 117140974>
19:06:17.358958 IP 217.97.173.21.80 > 192.168.250.2.39336: . ack 462 win 54 <nop,nop,timestamp 117140975 2621051>
19:06:17.427512 IP 217.97.173.21.80 > 192.168.250.2.39336: . 1:1449(1448) ack 462 win 54 <nop,nop,timestamp 117140992 2621051>
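The capture above already contains the evidence: every SYN the proxy sends upstream (to 212.77.100.101 and 217.97.173.21) carries the box's own address 192.168.250.2 as source, where a working TPROXY setup would carry the laptop's 217.97.174.18. The following is an added example, not code from the post or from Squid: it parses old-style tcpdump lines, keeps only connection-opening SYNs, and classifies each upstream leg as spoofed (client address preserved) or unspoofed (proxy address used). The SYN lines are copied from the post; the final line of the sample is constructed to show what a preserved client address looks like, and the proxy/client addresses are the ones the post names.

```python
import re
from dataclasses import dataclass

# Connection-opening lines copied from the capture in the post (old tcpdump "S ... win" format).
# The LAST line is constructed, not from the post: an upstream SYN that keeps the client's address,
# which is what a correctly working TPROXY leg looks like.
CAPTURE = """\
19:06:01.736342 IP 217.97.174.18.53401 > 192.168.250.2.80: S 2658655945:2658655945(0) win 5840 <mss 1440,sackOK,timestamp 6961615 0,nop,wscale 5>
19:06:01.736597 IP 192.168.250.2.80 > 217.97.174.18.53401: S 2655745023:2655745023(0) ack 2658655946 win 5792 <mss 1460,sackOK,timestamp 2617146 6961615,nop,wscale 7>
19:06:17.131289 IP 192.168.250.2.59447 > 212.77.100.101.80: S 2887325147:2887325147(0) win 5840 <mss 1460,sackOK,timestamp 2620994 0,nop,wscale 7>
19:06:17.353255 IP 217.97.174.18.34317 > 192.168.250.2.80: S 2917413960:2917413960(0) win 5840 <mss 1440,sackOK,timestamp 6977231 0,nop,wscale 5>
19:06:17.358230 IP 192.168.250.2.39336 > 217.97.173.21.80: S 2890323424:2890323424(0) win 5840 <mss 1460,sackOK,timestamp 2621051 0,nop,wscale 7>
19:06:20.000000 IP 217.97.174.18.40001 > 212.77.100.101.80: S 1000:1000(0) win 5840 <mss 1440,sackOK,timestamp 7000000 0,nop,wscale 5>
"""

PROXY_IP = "192.168.250.2"          # the squid box, per the post
CLIENT_IPS = {"217.97.174.18"}      # "my laptop", per the post

# Old tcpdump line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Syn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_syns(capture: str) -> list:
    """Return only the connection-opening SYNs from a tcpdump text capture."""
    syns = []
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        # A bare "S" is a SYN; a SYN/ACK also starts with "S" but its body carries " ack ".
        # ("sackOK" in the options must not be mistaken for the ack field, hence the spaces.)
        if m.group("flags") != "S" or " ack " in m.group("rest"):
            continue
        syns.append(Syn(m.group("ts"), m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("dport"))))
    return syns


def audit_tproxy(capture: str, proxy_ip: str, client_ips: set, intercepted_port: int = 80) -> dict:
    """Classify each upstream SYN by the source address the proxy put on it.

    spoofed    -> source is a known client: the TPROXY socket kept the client address.
    unspoofed  -> source is the proxy's own address: transparency is not in effect.
    client_legs counts the client -> proxy SYNs that TPROXY intercepted.
    """
    report = {"spoofed": [], "unspoofed": [], "client_legs": 0}
    for syn in parse_syns(capture):
        if syn.dst == proxy_ip and syn.src in client_ips:
            report["client_legs"] += 1
            continue
        if syn.dport != intercepted_port or syn.dst == proxy_ip:
            continue
        if syn.src == proxy_ip:
            report["unspoofed"].append((syn.ts, syn.dst))
        elif syn.src in client_ips:
            report["spoofed"].append((syn.ts, syn.dst))
    return report


if __name__ == "__main__":
    rep = audit_tproxy(CAPTURE, PROXY_IP, CLIENT_IPS)
    print(f"intercepted client legs: {rep['client_legs']}")
    for ts, dst in rep["unspoofed"]:
        print(f"{ts}  upstream to {dst} used proxy address {PROXY_IP} (NOT transparent)")
    for ts, dst in rep["spoofed"]:
        print(f"{ts}  upstream to {dst} kept client address (transparent)")
```

On a live box the same classification can be fed from the outside interface with a SYN-only filter such as `tcpdump -n -i eth1 'tcp port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`, so only the lines that matter for the verdict are captured. Any upstream SYN in the "unspoofed" list means the listening socket was not opened with the transparent flag or the process lacked the capability to use it, which is exactly where the later replies in this thread end up.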
Hi,
On Sun, Nov 30, 2008 at 07:13:22 +0100, Przemysław Kudyba wrote:
Hello.
I have set up a fully transparent http proxy, my problem is: squid sends requests with ip:port of the box running squid instead of the client's ip.
Here's my config:
kernel patch: tproxy4-2.6.26-200809262032
iptables patch: tproxy-iptables-1.4.0-20080521-113954-1211362794
squid: squid-3.HEAD-20081127
iptables & iproute rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
squid conf:
http_port 192.168.250.2:3128 tproxy
217.97.174.18 - my laptop
212.77.100.101 - some www page
Do you have other http_ports defined? Does it change anything if you use
http_port 3128 tproxy
that is, you omit the IP from the listener config?
If not, can you get detailed debug logs from squid?
--
KOVACS Krisztian
KOVACS Krisztian writes:
Hi,
Do you have other http_ports defined? Does it change anything if you use
http_port 3128 tproxy
that is, you omit the IP from the listener config?
If not, can you get detailed debug logs from squid?
Well, I should first think, then click 'send'. (I should think twice, resending to the mailing list.)

First: I missed "Missing needed capability support. Will continue without tproxy support" in my cache log. After installing libcap and putting capabilities.h into the right place it worked ;)
(kernel: 2.6.28-rc7, iptables: 1.4.3-rc1, gentoo version of squid-2.7-stable4 with patch from https://lists.balabit.hu/pipermail/tproxy/2008-September/000944.html)

Second: My network topology was:

|---------|  |---------|  |-------|
|   LAN   |--| router  |--|  WAN  |
|---------|  |---------|  |-------|
                  |
             |---------|
             | tproxy  |
             |---------|

I think that conntrack on the router was making something uncool with the http downstream: SYN packets were arriving at the tproxy box, but I wasn't able to redirect the downstream to the tproxy box. After upgrading to:

|---------|  |---------|          |---------|  |-------|
|   LAN   |--| tproxy  |----------| router  |--|  WAN  |
|---------|  |---------|          |---------|  |-------|

it started to work, but I had some problems with tproxy in bridge mode. After loading:

INSIDE_DEV=eth0
OUTSIDE_DEV=eth1
ebtables -t broute -A BROUTING -i $INSIDE_DEV -p ipv4 \
    --ip-protocol tcp --ip-destination-port 80 \
    -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $OUTSIDE_DEV -p ipv4 \
    --ip-protocol tcp --ip-source-port 80 \
    -j redirect --redirect-target DROP

my bridge started to drop ipv4 traffic with src other than 10.0.0.0/8 (br0 has address 10.1.1.46/8, and gw: 10.1.1.201) - PPPoE and ARP packets were passing without problems, but other routed ips were dropped.
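The "Missing needed capability support" line in cache.log is the clue the whole thread turned on: binding a socket with IP_TRANSPARENT needs CAP_NET_ADMIN, and Squid drops root after start-up, so without libcap it cannot keep that capability and silently falls back to a non-transparent listener. The following is an added example, not code from the post or from Squid: it reads the CapEff mask from a /proc/<pid>/status dump and reports which of the required capability bits are missing, so the state of the running worker can be checked instead of guessed from tcpdump. The two status excerpts are constructed (the uid and mask values are not from the post); only the capability bit numbers are the real ones from linux/capability.h.

```python
# Capability bit numbers from linux/capability.h (real values).
CAP_NET_ADMIN = 12   # needed for setsockopt(IP_TRANSPARENT), i.e. for tproxy listeners
CAP_NET_RAW = 13
CAP_NAMES = {CAP_NET_ADMIN: "CAP_NET_ADMIN", CAP_NET_RAW: "CAP_NET_RAW"}

# Constructed /proc/<pid>/status excerpts (not from the post): the first is what a squid
# worker looks like after dropping root WITHOUT libcap support, the second WITH CAP_NET_ADMIN kept.
STATUS_WITHOUT_CAP = """\
Name:\tsquid
Uid:\t101\t101\t101\t101
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
"""
STATUS_WITH_CAP = """\
Name:\tsquid
Uid:\t101\t101\t101\t101
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
"""


def parse_cap_mask(status_text: str, field: str = "CapEff") -> int:
    """Return the capability bitmask of one Cap* field in a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == field:
            return int(value.strip(), 16)
    raise ValueError(f"{field} not present in status text")


def missing_caps(status_text: str, required=(CAP_NET_ADMIN,), field: str = "CapEff") -> list:
    """Names of the required capability bits that are NOT set in the given field."""
    mask = parse_cap_mask(status_text, field)
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in required if not (mask >> bit) & 1]


def check_pid(pid: int, required=(CAP_NET_ADMIN,)) -> list:
    """Live variant: inspect a running process on this host (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return missing_caps(fh.read(), required)


if __name__ == "__main__":
    for label, text in (("without libcap", STATUS_WITHOUT_CAP), ("with libcap", STATUS_WITH_CAP)):
        gap = missing_caps(text)
        print(f"{label}: {'missing ' + ', '.join(gap) if gap else 'transparent listener possible'}")
```

Run `check_pid()` against the worker's pid (the one that actually owns the listening socket, not the parent) once squid is up; if CAP_NET_ADMIN is absent from CapEff while the process already runs as the unprivileged user, the tproxy flag on http_port cannot take effect regardless of how correct the iptables and routing rules are.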