[tproxy] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

Balazs Scheidler bazsi at balabit.hu
Tue Feb 17 11:51:35 CET 2009


On Sat, 2009-02-07 at 18:30 +0330, Hamid Hashemi wrote:
> Sorry but more complete tethereal out which run filter on destination
> is here : 
> 
> [root at CACHE1 ~]# tethereal host 213.171.218.15 -n              
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth1
>   0.000000 85.247.162.18 -> 213.171.218.15 HTTP GET / HTTP/1.1 
>   0.000004 213.171.218.15 -> 85.247.162.18 TCP 80 > 39571 [ACK] Seq=1
> Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
>   0.000006 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [SYN] Seq=0
> Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
>   0.199523 213.171.218.15 -> 85.247.162.2 TCP 80 > 35330 [SYN, ACK]
> Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
>   0.199533 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=1
> Ack=1 Win=5888 Len=0 TSV=11294268 TSER=0
>   0.199603 85.247.162.2 -> 213.171.218.15 HTTP GET / HTTP/1.0 
>   0.504191 213.171.218.15 -> 85.247.162.2 TCP [TCP segment of a
> reassembled PDU]
>   0.504199 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451
> Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
>   0.504241 213.171.218.15 -> 85.247.162.2 HTTP HTTP/1.1 200 OK
> (text/html)
>   0.504246 85.247.162.2 -> 213.171.218.15 TCP 35330 > 80 [ACK] Seq=451
> Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
>   0.504359 213.171.218.15 -> 85.247.162.18 HTTP HTTP/1.0 200 OK
> (text/html)
>   0.504364 213.171.218.15 -> 85.247.162.18 HTTP Continuation or
> non-HTTP traffic
>   0.504402 213.171.218.15 -> 85.247.162.18 HTTP Continuation or
> non-HTTP traffic
>   0.514428 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK]
> Seq=386 Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
>   0.514577 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK]
> Seq=386 Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
>   0.517022 85.247.162.18 -> 213.171.218.15 TCP 39571 > 80 [ACK]
> Seq=386 Ack=2213 Win=4110 Len=0 TSV=2135390 TSER=11294570

This is almost certainly a squid problem. Try stracing the squid
process and check where it binds the socket to when connecting to the
outside world.

If it does not bind() before calling connect(), then the default IP
address is selected by the kernel. The selection is based on the routing
table: the IP address of the outgoing interface is used.

If it calls bind() then the address specified by the bind() call gets
used.

Unluckily I don't really know how squid works.

-- 
Bazsi
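Added illustration of the bind()-before-connect() point made above; this is not code from the thread or from Squid. It uses a throwaway loopback listener so it runs offline, with 127.0.0.2 standing in for the client's address, and assumes Linux (where all of 127.0.0.0/8 is local, so the bind works even without the IP_TRANSPARENT privilege):

```python
import socket

# Linux IP_TRANSPARENT (socket option 19); newer Pythons expose it directly.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def try_enable_transparent(sock):
    """Ask for IP_TRANSPARENT so bind() may use a non-local (client) address.
    Needs CAP_NET_ADMIN; returns False instead of failing when unprivileged."""
    try:
        sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        return True
    except PermissionError:
        return False


def outgoing_socket(client_addr=None):
    """Build the upstream socket the way a transparent proxy must: bind() to
    the original client's address *before* connect(). With client_addr=None
    the bind is skipped and the kernel picks the outgoing interface address
    from the routing table, which is the symptom in the capture above."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if client_addr is not None:
        try_enable_transparent(sock)   # harmless if refused for a local address
        sock.bind((client_addr, 0))    # port 0: kernel chooses the source port
    return sock


def observed_source(client_addr=None):
    """Connect to a loopback listener and report the source IP the listener
    sees (what the upstream web server would log). Assumes Linux, where
    127.0.0.2 is a local address and can be bound without IP_TRANSPARENT."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    upstream = outgoing_socket(client_addr)
    try:
        upstream.connect(listener.getsockname())
        conn, peer = listener.accept()   # loopback: handshake already completed
        conn.close()
        return peer[0]
    finally:
        upstream.close()
        listener.close()


if __name__ == "__main__":
    print("no bind():   ", observed_source())              # 127.0.0.1
    print("bind() first:", observed_source("127.0.0.2"))   # 127.0.0.2
```

Running it as root with a genuinely non-local client address is what a TProxy setup needs; without CAP_NET_ADMIN the bind() to such an address fails, which is the first thing to check in the strace.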
