[tproxy] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

Hamid Hashemi hashemi at gmail.com
Sat Feb 7 15:48:24 CET 2009 

Hi,

Here is my situation :


   - CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this
   patch :
   http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2
   )
   - iptables v1.4.3-rc1(
   ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-20090206.tar.bz2 )
   - squid 3.1.0.5 RC (
   http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.5.tar.bz2 ) and
   compiled with these options : "'--enable-poll'
   '--enable-storeio=aufs,diskd,ufs' '--with-pthreads'
   '--enable-removal-policies=heap,lru' '--enable-
   linux-netfilter' '--enable-useragent-log' '--enable-referer-log'
   '--enable-underscores' '--disable-dependency-tracking'
   '--disable-ident-lookups' '--with-large-files'
   '--enable-follow-x-forwarded-for' '--enable-cache-digests'
   '--enable-delay-pools' '--enable-truncate' '--prefix=/usr'
   '--localstatedir=/var' '--sysconfdir=/etc/squid'
   '--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
   '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
   '--with-filedescriptors=8192' --with-squid=/usr/src/squid-3.1.0.5
   --enable-ltdl-convenience\"
   - with following iptables rules :
   [root at CACHE1 squid-3.1.0.5]# service iptables status
   Table: filter
   Chain INPUT (policy ACCEPT)
   num  target     prot opt source               destination

   Chain FORWARD (policy ACCEPT)
   num  target     prot opt source               destination

   Chain OUTPUT (policy ACCEPT)
   num  target     prot opt source               destination

   Table: mangle
   Chain PREROUTING (policy ACCEPT)
   num  target     prot opt source               destination
   1    DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0           socket
   2    TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
   dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

   Chain INPUT (policy ACCEPT)
   num  target     prot opt source               destination

   Chain FORWARD (policy ACCEPT)
   num  target     prot opt source               destination

   Chain OUTPUT (policy ACCEPT)
   num  target     prot opt source               destination

   Chain POSTROUTING (policy ACCEPT)
   num  target     prot opt source               destination

   Chain DIVERT (1 references)
   num  target     prot opt source               destination
   1    MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
   xset 0x1/0xffffffff
   2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

   [root at CACHE1 squid-3.1.0.5]#
   - With following iproute2 rules : [root at CACHE1 squid-3.1.0.5]# ip ru list
   0:      from all lookup 255
   32765:  from all fwmark 0x1 lookup 100
   32766:  from all lookup main
   32767:  from all lookup default
   [root at CACHE1 squid-3.1.0.5]# ip ro list table 100
   local default dev lo  scope host
   [root at CACHE1 squid-3.1.0.5]#
   - with following http_port line in squid : http_port 3129 tproxy

everything seems to be working and squid run with these messages in
cache.log :
2009/02/07 22:22:43| Accepting  spoofing HTTP connections at 0.0.0.0:3129,
FD 16.

my requests seems to be redirected to port 3129 as I expected and the pages
are loading propertly. But the problem is that when I go to site
http://myipaddress.co.uk/ it gives me the cache ip address instead of my own
client ip address. here is the tethereal output for one of my requests :

[root at CACHE1 squid-3.1.0.5]# tethereal host 85.247.162.18 -n
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
  0.000000 85.247.162.18 -> 213.171.218.15 TCP 57226 > 80 [SYN] Seq=0
Win=5840 Len=0 MSS=1460 TSV=1969980 TSER=0 WS=2
  0.000024 213.171.218.15 -> 85.247.162.18 TCP 80 > 57226 [SYN, ACK] Seq=0
Ack=1 Win=5792 Len=0 MSS=1460 TSV=10639608 TSER=1969980 WS=7
  0.002265 85.247.162.18 -> 213.171.218.15 TCP 57226 > 80 [ACK] Seq=1 Ack=1
Win=5840 Len=0 TSV=1969981 TSER=10639608
  0.004521 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1
  0.004529 213.171.218.15 -> 85.247.162.18 TCP 80 > 57226 [ACK] Seq=1
Ack=386 Win=6912 Len=0 TSV=10639612 TSER=1969981
  0.402945 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK  (text/html)
  0.402950 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP
traffic
  0.412859 85.247.162.18 -> 213.171.218.15 TCP 57226 > 80 [ACK] Seq=386
Ack=1449 Win=8736 Len=0 TSV=1970084 TSER=10640007
  0.412867 213.171.218.15 -> 85.247.162.18 HTTP Continuation or non-HTTP
traffic
  0.413273 85.247.162.18 -> 213.171.218.15 TCP 57226 > 80 [ACK] Seq=386
Ack=1579 Win=8736 Len=0 TSV=1970084 TSER=10640007
  0.418901 85.247.162.18 -> 213.171.218.15 TCP 57226 > 80 [ACK] Seq=386
Ack=2213 Win=11632 Len=0 TSV=1970085 TSER=10640017

Where my client ip address is 85.247.162.18 and my cache server ip address
is 85.247.162.2. This means that the client ip spoofing is not working with
tproxy4. Can any guide me ?

-- 
Regards
Hamid Hashemi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20090207/1e0fa0d9/attachment.htm

More information about the tproxy mailing list