[tproxy] Squid doesn't seem to spoof client ip address.

Przemysław Kudyba przemekk at ingram.com.pl
Sun Nov 30 19:13:22 CET 2008


Hello.

I have set up a fully transparent HTTP proxy; my problem is:
squid sends requests with the ip:port of the box running squid instead of
the client's IP.

Here's my config:

kernel patch: tproxy4-2.6.26-200809262032
iptables patch: tproxy-iptables-1.4.0-20080521-113954-1211362794
squid: squid-3.HEAD-20081127


iptables & iproute rules:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
>
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
squid conf:
> http_port 192.168.250.2:3128 tproxy

217.97.174.18 - my laptop
212.77.100.101  - some www page

tcpdump :

19:06:01.736342 IP 217.97.174.18.53401 > 192.168.250.2.80: S
2658655945:2658655945(0) win 5840 <mss 1440,sackOK,timestamp 6961615
0,nop,wscale 5>
19:06:01.736597 IP 192.168.250.2.80 > 217.97.174.18.53401: S
2655745023:2655745023(0) ack 2658655946 win 5792 <mss
1460,sackOK,timestamp 2617146 6961615,nop,wscale 7>
19:06:01.745935 IP 217.97.174.18.53401 > 192.168.250.2.80: . ack 1 win
183 <nop,nop,timestamp 6961619 2617146>
19:06:15.648614 IP 217.97.174.18.53401 > 192.168.250.2.80: P 1:29(28)
ack 1 win 183 <nop,nop,timestamp 6975524 2617146>
19:06:15.648681 IP 192.168.250.2.80 > 217.97.174.18.53401: . ack 29 win
46 <nop,nop,timestamp 2620624 6975524>
19:06:17.130355 IP 217.97.174.18.53401 > 192.168.250.2.80: P 29:31(2)
ack 1 win 183 <nop,nop,timestamp 6977004 2620624>
19:06:17.130447 IP 192.168.250.2.80 > 217.97.174.18.53401: . ack 31 win
46 <nop,nop,timestamp 2620994 6977004>
19:06:17.131289 IP 192.168.250.2.59447 > 212.77.100.101.80: S
2887325147:2887325147(0) win 5840 <mss 1460,sackOK,timestamp 2620994
0,nop,wscale 7>
19:06:17.353255 IP 217.97.174.18.34317 > 192.168.250.2.80: S
2917413960:2917413960(0) win 5840 <mss 1440,sackOK,timestamp 6977231
0,nop,wscale 5>
19:06:17.353338 IP 192.168.250.2.80 > 217.97.174.18.34317: S
2895521199:2895521199(0) ack 2917413961 win 5792 <mss
1460,sackOK,timestamp 2621050 6977231,nop,wscale 7>
19:06:17.357848 IP 217.97.174.18.34317 > 192.168.250.2.80: . ack 1 win
183 <nop,nop,timestamp 6977235 2621050>
19:06:17.358077 IP 217.97.174.18.34317 > 192.168.250.2.80: P 1:360(359)
ack 1 win 183 <nop,nop,timestamp 6977235 2621050>
19:06:17.358133 IP 192.168.250.2.80 > 217.97.174.18.34317: . ack 360 win
54 <nop,nop,timestamp 2621051 6977235>
19:06:17.358230 IP 192.168.250.2.39336 > 217.97.173.21.80: S
2890323424:2890323424(0) win 5840 <mss 1460,sackOK,timestamp 2621051
0,nop,wscale 7>
19:06:17.358467 IP 217.97.173.21.80 > 192.168.250.2.39336: S
3189038941:3189038941(0) ack 2890323425 win 5792 <mss
1460,sackOK,timestamp 117140974 2621051,nop,wscale 7>
19:06:17.358530 IP 192.168.250.2.39336 > 217.97.173.21.80: . ack 1 win
46 <nop,nop,timestamp 2621051 117140974>
19:06:17.358671 IP 192.168.250.2.39336 > 217.97.173.21.80: P 1:462(461)
ack 1 win 46 <nop,nop,timestamp 2621051 117140974>
19:06:17.358958 IP 217.97.173.21.80 > 192.168.250.2.39336: . ack 462 win
54 <nop,nop,timestamp 117140975 2621051>
19:06:17.427512 IP 217.97.173.21.80 > 192.168.250.2.39336: .
1:1449(1448) ack 462 win 54 <nop,nop,timestamp 117140992 2621051>
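
One way to confirm the symptom from a capture like the one above, as an added example that is not part of the original post: it pairs each outgoing SYN sourced from the proxy's own address with the client connection whose request data preceded it. The function names are hypothetical, and the sample lines are packets from the capture above with their wrapped lines rejoined.

```python
import re

# Old-style tcpdump one-line TCP summary:
#   "<time> IP a.b.c.d.port > e.f.g.h.port: <flags> ..."
PKT = re.compile(r"^\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+)(.*)$")

# Packets taken from the capture in the post, wrapped lines rejoined.
SAMPLE = """
19:06:15.648614 IP 217.97.174.18.53401 > 192.168.250.2.80: P 1:29(28) ack 1 win 183 <nop,nop,timestamp 6975524 2617146>
19:06:17.131289 IP 192.168.250.2.59447 > 212.77.100.101.80: S 2887325147:2887325147(0) win 5840 <mss 1460,sackOK,timestamp 2620994 0,nop,wscale 7>
19:06:17.353255 IP 217.97.174.18.34317 > 192.168.250.2.80: S 2917413960:2917413960(0) win 5840 <mss 1440,sackOK,timestamp 6977231 0,nop,wscale 5>
19:06:17.353338 IP 192.168.250.2.80 > 217.97.174.18.34317: S 2895521199:2895521199(0) ack 2917413961 win 5792 <mss 1460,sackOK,timestamp 2621050 6977231,nop,wscale 7>
19:06:17.358077 IP 217.97.174.18.34317 > 192.168.250.2.80: P 1:360(359) ack 1 win 183 <nop,nop,timestamp 6977235 2621050>
19:06:17.358230 IP 192.168.250.2.39336 > 217.97.173.21.80: S 2890323424:2890323424(0) win 5840 <mss 1460,sackOK,timestamp 2621051 0,nop,wscale 7>
"""

def parse(capture):
    """Yield (src, sport, dst, dport, flags, rest) for each packet line."""
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if m:
            src, sport, dst, dport, flags, rest = m.groups()
            yield src, int(sport), dst, int(dport), flags, rest

def unspoofed_upstream(capture, proxy_ip, port=80):
    """Return (client, upstream_source, origin) for every outgoing SYN that
    carries the proxy's own address instead of a client's.

    The client is the last non-proxy endpoint seen pushing data to the
    given port before the SYN, i.e. the request that triggered the fetch.
    """
    findings, last_client = [], None
    for src, sport, dst, dport, flags, rest in parse(capture):
        if dport != port:
            continue  # replies and unrelated traffic
        if src != proxy_ip and flags == "P":
            last_client = f"{src}:{sport}"
        elif src == proxy_ip and flags == "S" and " ack " not in rest:
            # Pure SYN (a SYN-ACK would carry "ack") leaving from the proxy's
            # address: the upstream socket was not bound to the client IP.
            findings.append((last_client, f"{src}:{sport}", dst))
    return findings

if __name__ == "__main__":
    for client, upstream, origin in unspoofed_upstream(SAMPLE, "192.168.250.2"):
        print(f"client {client} -> fetched from {origin} as {upstream}")
```

An empty result on a capture that does contain client requests means no upstream connection left with the proxy's own source address.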


