[tproxy] SQUID+TPROXY for asymmetric routes
Henry Pootel
Henry.Pootel at regall.net
Wed Sep 18 11:45:53 CEST 2013
Hello.
I have a scheme:
+--------+      +---------+        +---------+      +-----+
| client |------| router1 |--------| router2 |------| web |
+--------+      +----+----+        +----+----+      +-----+
                     |                  |
                     |                  |
                     |    +--------+    |
                     +----| TPROXY |----+
                          +--------+
client IP: 10.10.175.111
web IP: 5.5.5.5
The routing is asymmetric.
Packets from "client" to "web" go through TPROXY, but packets from
"web" go directly through "router2" and "router1".
The "TPROXY" is an OpenSuSE 12.3 Linux computer with Squid 3.2.11 and
TPROXY v4.1.0 with kernel Linux 3.7.10-1.16-default.
I've attached a diff of tshark dumps of client outgoing and web incoming traffic.
My problem is the changing source port on "TPROXY".
May the source port be changed by squid+tproxy? Can I forbid it and keep the client's
source port, like the client's IP?
Thanks,
Henry
-------------- next part --------------
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0 Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Interface id: 0 Interface id: 0
WTAP_ENCAP: 1 WTAP_ENCAP: 1
Arrival Time: Sep 18, 2013 06:59:17.415630000 FET | Arrival Time: Sep 18, 2013 06:59:17.956502000 FET
[Time shift for this packet: 0.000000000 seconds] [Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1379476757.415630000 seconds | Epoch Time: 1379476757.956502000 seconds
[Time delta from previous captured frame: 0.000000000 seconds] [Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds] [Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1 Frame Number: 1
Frame Length: 74 bytes (592 bits) Frame Length: 74 bytes (592 bits)
Capture Length: 74 bytes (592 bits) Capture Length: 74 bytes (592 bits)
[Frame is marked: False] [Frame is marked: False]
[Frame is ignored: False] [Frame is ignored: False]
[Protocols in frame: eth:ip:tcp] [Protocols in frame: eth:ip:tcp]
Ethernet II, Src: CadmusCo_e7:88:59 (08:00:27:e7:88:59), Dst: Intel_11:11:00 (00:11:11:11:11:00) | Ethernet II, Src: Schaffne_22:22:01 (00:22:22:22:22:01), Dst: CadmusCo_4a:fe:d2 (08:00:27:4a:fe:
Destination: Intel_11:11:00 (00:11:11:11:11:00) | Destination: CadmusCo_4a:fe:d2 (08:00:27:4a:fe:d2)
Address: Intel_11:11:00 (00:11:11:11:11:00) | Address: CadmusCo_4a:fe:d2 (08:00:27:4a:fe:d2)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: CadmusCo_e7:88:59 (08:00:27:e7:88:59) | Source: Schaffne_22:22:01 (00:22:22:22:22:01)
Address: CadmusCo_e7:88:59 (08:00:27:e7:88:59) | Address: Schaffne_22:22:01 (00:22:22:22:22:01)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast) .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800) Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.10.175.111 (10.10.175.111), Dst: 5.5.5.5 (5.5.5.5) Internet Protocol Version 4, Src: 10.10.175.111 (10.10.175.111), Dst: 5.5.5.5 (5.5.5.5)
Version: 4 Version: 4
Header length: 20 bytes Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable
0000 00.. = Differentiated Services Codepoint: Default (0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 60 Total Length: 60
Identification: 0x050b (1291) | Identification: 0x2504 (9476)
Flags: 0x02 (Don't Fragment) Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set 0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set .1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set ..0. .... = More fragments: Not set
Fragment offset: 0 Fragment offset: 0
Time to live: 64 | Time to live: 63
Protocol: TCP (6) Protocol: TCP (6)
Header checksum: 0x2d9d [correct] | Header checksum: 0x0ea4 [correct]
[Good: True] [Good: True]
[Bad: False] [Bad: False]
Source: 10.10.175.111 (10.10.175.111) Source: 10.10.175.111 (10.10.175.111)
Destination: 5.5.5.5 (5.5.5.5) Destination: 5.5.5.5 (5.5.5.5)
[Source GeoIP: Russian Federation] [Source GeoIP: Russian Federation]
[Source GeoIP Country: Russian Federation] [Source GeoIP Country: Russian Federation]
[Destination GeoIP: Europe] [Destination GeoIP: Europe]
[Destination GeoIP Country: Europe] [Destination GeoIP Country: Europe]
Transmission Control Protocol, Src Port: 38988 (38988), Dst Port: http (80), Seq: 0, Len: 0 | Transmission Control Protocol, Src Port: 35640 (35640), Dst Port: http (80), Seq: 0, Len: 0
Source port: 38988 (38988) | Source port: 35640 (35640)
Destination port: http (80) Destination port: http (80)
[Stream index: 0] [Stream index: 0]
Sequence number: 0 (relative sequence number) Sequence number: 0 (relative sequence number)
Header length: 40 bytes Header length: 40 bytes
Flags: 0x002 (SYN) Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set 000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set ...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set .... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set .... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set .... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set .... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set .... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set .... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set .... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port http] [Expert Info (Chat/Sequence): Connection establish request (SYN): server port http]
[Message: Connection establish request (SYN): server port http] [Message: Connection establish request (SYN): server port http]
[Severity level: Chat] [Severity level: Chat]
[Group: Sequence] [Group: Sequence]
.... .... ...0 = Fin: Not set .... .... ...0 = Fin: Not set
Window size value: 14600 Window size value: 14600
[Calculated window size: 14600] [Calculated window size: 14600]
Checksum: 0x0843 [validation disabled] | Checksum: 0xff35 [validation disabled]
[Good Checksum: False] [Good Checksum: False]
[Bad Checksum: False] [Bad Checksum: False]
Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), W Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), W
Maximum segment size: 1460 bytes Maximum segment size: 1460 bytes
Kind: MSS size (2) Kind: MSS size (2)
Length: 4 Length: 4
MSS Value: 1460 MSS Value: 1460
TCP SACK Permitted Option: True TCP SACK Permitted Option: True
Kind: SACK Permission (4) Kind: SACK Permission (4)
Length: 2 Length: 2
Timestamps: TSval 2639665, TSecr 0 | Timestamps: TSval 796675, TSecr 0
Kind: Timestamp (8) Kind: Timestamp (8)
Length: 10 Length: 10
Timestamp value: 2639665 | Timestamp value: 796675
Timestamp echo reply: 0 Timestamp echo reply: 0
No-Operation (NOP) No-Operation (NOP)
Type: 1 Type: 1
0... .... = Copy on fragmentation: No 0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0) .00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1) ...0 0001 = Number: No-Operation (NOP) (1)
Window scale: 7 (multiply by 128) Window scale: 7 (multiply by 128)
Kind: Window Scale (3) Kind: Window Scale (3)
Length: 3 Length: 3
Shift count: 7 Shift count: 7
[Multiplier: 128] [Multiplier: 128]
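The attached side-by-side diff is long and most of its differing lines (IP ID, TTL, checksums, TCP timestamps) are expected to change between two capture points anyway. The following script is an added example, not part of the original post and not code from Squid or the TPROXY project: it parses two `tshark -V` dumps field by field and separates connection-identity differences (addresses and ports) from per-hop noise, which makes it easy to confirm what the post reports, namely that the client IP survives the proxy while only the TCP source port is rewritten. The two dumps are constructed abbreviations of the client-side and web-side captures above, keeping just the fields needed; the field classification sets are my own assumption about which fields matter.

```python
"""Field-by-field comparison of two `tshark -V` dumps of the same packet.

Added example; the dumps below are constructed abbreviations of the two
captures attached to the post (client side vs. web side of the SYN).
"""
import re

# Constructed sample: the SYN as captured on the client side (abbreviated).
CLIENT_SIDE = """\
Internet Protocol Version 4, Src: 10.10.175.111 (10.10.175.111), Dst: 5.5.5.5 (5.5.5.5)
    Identification: 0x050b (1291)
    Time to live: 64
    Header checksum: 0x2d9d [correct]
    Source: 10.10.175.111 (10.10.175.111)
    Destination: 5.5.5.5 (5.5.5.5)
Transmission Control Protocol, Src Port: 38988 (38988), Dst Port: http (80), Seq: 0, Len: 0
    Source port: 38988 (38988)
    Destination port: http (80)
    Checksum: 0x0843 [validation disabled]
    Timestamps: TSval 2639665, TSecr 0
    Window size value: 14600
"""

# Constructed sample: the same SYN as captured on the web side (abbreviated).
WEB_SIDE = """\
Internet Protocol Version 4, Src: 10.10.175.111 (10.10.175.111), Dst: 5.5.5.5 (5.5.5.5)
    Identification: 0x2504 (9476)
    Time to live: 63
    Header checksum: 0x0ea4 [correct]
    Source: 10.10.175.111 (10.10.175.111)
    Destination: 5.5.5.5 (5.5.5.5)
Transmission Control Protocol, Src Port: 35640 (35640), Dst Port: http (80), Seq: 0, Len: 0
    Source port: 35640 (35640)
    Destination port: http (80)
    Checksum: 0xff35 [validation disabled]
    Timestamps: TSval 796675, TSecr 0
    Window size value: 14600
"""

# Assumed classification: fields that change per hop or per sender and say
# nothing about address/port rewriting ...
PER_HOP_FIELDS = {"Identification", "Time to live", "Header checksum",
                  "Checksum", "Timestamps"}
# ... versus fields that identify the connection; a change here means a
# device on the path rewrote part of the 4-tuple.
IDENTITY_FIELDS = {"Source", "Destination", "Source port", "Destination port"}

FIELD_RE = re.compile(r"^\s*([^:\[]+?):\s+(.*)$")


def parse_dump(text):
    """Return {field_name: value} for the 'Name: value' lines of a dump.

    Protocol summary lines ('Internet Protocol ...', 'Transmission Control
    ...') are skipped: their content is repeated as individual fields.
    """
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if name.startswith(("Internet Protocol", "Transmission Control")):
            continue
        fields.setdefault(name, value)
    return fields


def classify_differences(a_text, b_text):
    """Compare two dumps and bucket every differing field."""
    a, b = parse_dump(a_text), parse_dump(b_text)
    diffs = {"identity": {}, "per_hop": {}, "other": {}}
    for name in sorted(set(a) | set(b)):
        va, vb = a.get(name), b.get(name)
        if va == vb:
            continue
        if name in IDENTITY_FIELDS:
            bucket = "identity"
        elif name in PER_HOP_FIELDS:
            bucket = "per_hop"
        else:
            bucket = "other"
        diffs[bucket][name] = (va, vb)
    return diffs


def rewritten_identity_fields(a_text, b_text):
    """Names of connection-identity fields that were rewritten on the path."""
    return sorted(classify_differences(a_text, b_text)["identity"])


if __name__ == "__main__":
    result = classify_differences(CLIENT_SIDE, WEB_SIDE)
    for bucket, changes in result.items():
        print(f"{bucket}:")
        for name, (va, vb) in changes.items():
            print(f"  {name}: {va!r} -> {vb!r}")
```

Run against the two constructed dumps, the only identity field reported is `Source port` (38988 on the client side, 35640 on the web side); `Source` stays 10.10.175.111 on both sides, and TTL, IP ID, checksums and the TCP timestamp land in the per-hop bucket. Feeding the script two full `tshark -V` dumps of the same SYN from both capture points gives the same answer without reading the whole diff by hand.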