Re: [squid-users] Squid and iptables

2020-02-14 Thread Amos Jeffries
On 11/02/20 4:48 am, L.P.H. van Belle wrote:
> Hai, 
>  
> I'm having a squid 4.10 on Debian 10 running ( with strongswan VPN ) and ufw 
> firewall (iptables) 
> Most is running fine but I still see some errors and I somehow miss here what 
> I'm doing wrong. 
> 

You may not be doing anything.

INVALID from Conntrack means the packet is either corrupted at the
binary level, or not supposed to exist, maybe both if the corruption
makes something that looks like a valid but wrong packet.


> So if someone has suggestions that would be great. I see for example these 
> lines in the UFW log. 
> 
> Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 
> OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP 
> SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
> Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= 
> MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP 
> SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
> 
> Now, the strange thing here is I'm allowing my traffic on my LAN interface fully, 
> so I don't see/get why I get these INVALID/BLOCK.
> I'm out of ideas, I looked too much at it, I don't see it anymore..  :-( 
> 
> The needed parts of my squid and iptables (ufw) setup. 
> ETH0 = LAN  192.168.0.1.0/24  (ip: 192.168.0.1.1/24  )

Too many dots for an IP address. I hope that is manual obfuscation...


> ETH1 = WAN  1.2.4.4/32
>   
> The squid part 
> # From squid cache.log the needed lines from a start of squid with the lines 
> from squid.conf 
> 
> # http_port localhost:3128 connection-auth=off
> 2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at 
> local=[::1]:3128 remote=[::] FD 17 flags=1 
> # all requests for and on localhost are trusted, so fully allowed without 
> authentication. 


NP: "connection-auth=" has nothing to do with whether the connection is
trusted or not. It is about whether the HTTP auth schemes are going to
be used. Disabling it breaks NTLM and Negotiate - the "connection based"
auth schemes.


> 
> # http_port 192.168.249.221:3128 intercept  ( no authentication possible on 
> intercept ) 
> 2020/02/10 11:44:13 kid1| Accepting NAT intercepted HTTP Socket connections 
> at local=192.168.0.1.1:3128 remote=[::] FD 21 flags=33
> 

... looks to be a botched obfuscation. The config line does not match IPs
with the mentioned log line.

BTW, standardized IP ranges like 192.168.* do not really need
obfuscating. They are not (or should not be) globally accessible.


> # https_port 192.168.249.221:3129 intercept ssl-bump \ .. (plus the cert - 
> key parts, not relevant this works ). 
> 2020/02/10 11:44:13 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket 
> connections at local=192.168.0.1.1:3129 remote=[::] FD 25 flags=33
> 
> # Non-proxy aware  (with authentication)
> # http_port 192.168.249.221:8080
> 2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at 
> local=192.168.0.1.1:8080 remote=[::] FD 29 flags=1
> 
> # http_port 192.168.249.221:8081 ssl-bump \ .. (plus the cert - key parts, 
> not relevant this works ). 
> 2020/02/10 11:44:13 kid1| Accepting SSL bumped HTTP Socket connections at 
> local=192.168.0.1.1:8081 remote=[::] FD 37 flags=1
> 


[ I have unwound the nested tree of sub-chains to follow what is going
on more simply. ]

> 
> # Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
> *filter
> :INPUT DROP [213:54000]
> :FORWARD ACCEPT [704:28436]
> :OUTPUT ACCEPT [57:19155]

> -A INPUT -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 
> -j LOG --log-prefix "[UFW AUDIT] "
> -A INPUT -i lo -j ACCEPT

This should probably be done *after* the checks and handling of INVALID
traffic.

> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -m conntrack --ctstate INVALID -m 
> limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] 
> "
> -A INPUT -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 
> 10 -j LOG --log-prefix "[UFW BLOCK] "
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -i eth0 -p udp -m multiport --dports 80,443 -j DROP

Use REJECT here. HTTP/3 uses these ports and DROP will cause Browsers
etc to have long timeouts on initial connection setup.

> -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW 
> BLOCK] "

> -A FORWARD -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 
> -j LOG --log-prefix "[UFW AUDIT] "
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW 
> ALLOW] "
> -A FORWARD -p tcp -m conntrack --ctstate NEW -j ACCEPT
> -A FORWARD -p udp -m conntrack --ctstate NEW -j ACCEPT

> -A OUTPUT -m conntrack --ctstate NEW -m limit --limit 3/min
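The INPUT chain from the post rewritten along the two points raised in the reply (INVALID handled before anything else, REJECT instead of DROP for the QUIC ports), as an added example that is not from the thread. It is shown unwound in xtables-save format like the quoted rules; the log prefixes, rate limits, eth0 and the listener ports come from the post, while the accept rule for the proxy ports is an assumption because that part of the ruleset is not shown (with ufw this ordering lives in /etc/ufw/before.rules, not in hand-edited chains).

```conf
*filter
:INPUT DROP [0:0]
# 1. Handle conntrack INVALID first, so neither the loopback accept nor the
#    NEW-connection audit below ever sees a packet conntrack cannot place.
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Loopback and already-tracked traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. Audit genuinely new connections; only valid NEW packets reach this rule now.
-A INPUT -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
# 4. HTTP/3 (QUIC) attempts from the LAN: REJECT answers with ICMP port
#    unreachable so the browser falls back to TCP at once instead of waiting
#    for a timeout, which is what DROP causes.
-A INPUT -i eth0 -p udp -m multiport --dports 80,443 -j REJECT
# 5. The Squid listeners from the post, LAN side only (assumed rule; the
#    intercept ports 3128/3129 are what INPUT sees after the nat REDIRECT).
-A INPUT -i eth0 -p tcp -m multiport --dports 3128,3129,8080,8081 -m conntrack --ctstate NEW -j ACCEPT
# 6. Anything left is logged once per limit window and then hits the DROP policy.
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
COMMIT
```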

[squid-users] Squid and iptables

2020-02-10 Thread L.P.H. van Belle
Hai, 
 
I'm having a squid 4.10 on Debian 10 running ( with strongswan VPN ) and ufw 
firewall (iptables) 
Most is running fine but I still see some errors and I somehow miss here what I'm 
doing wrong. 

So if someone has suggestions that would be great. I see for example these 
lines in the UFW log. 

Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 
OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP 
SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= 
MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 
LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 
WINDOW=0 RES=0x00 ACK RST URGP=0

Now, the strange thing here is I'm allowing my traffic on my LAN interface fully, so 
I don't see/get why I get these INVALID/BLOCK.
I'm out of ideas, I looked too much at it, I don't see it anymore..  :-( 

The needed parts of my squid and iptables (ufw) setup. 
ETH0 = LAN  192.168.0.1.0/24  (ip: 192.168.0.1.1/24  )
ETH1 = WAN  1.2.4.4/32  
  
The squid part 
# From squid cache.log the needed lines from a start of squid with the lines 
from squid.conf 

# http_port localhost:3128 connection-auth=off
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=[::1]:3128 
remote=[::] FD 17 flags=1 
# all requests for and on localhost are trusted, so fully allowed without 
authentication. 

# http_port 192.168.249.221:3128 intercept  ( no authentication possible on 
intercept ) 
2020/02/10 11:44:13 kid1| Accepting NAT intercepted HTTP Socket connections at 
local=192.168.0.1.1:3128 remote=[::] FD 21 flags=33

# https_port 192.168.249.221:3129 intercept ssl-bump \ .. (plus the cert - key 
parts, not relevant this works ). 
2020/02/10 11:44:13 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket 
connections at local=192.168.0.1.1:3129 remote=[::] FD 25 flags=33

# Non-proxy aware  (with authentication)
# http_port 192.168.249.221:8080
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at 
local=192.168.0.1.1:8080 remote=[::] FD 29 flags=1

# http_port 192.168.249.221:8081 ssl-bump \ .. (plus the cert - key parts, not 
relevant this works ). 
2020/02/10 11:44:13 kid1| Accepting SSL bumped HTTP Socket connections at 
local=192.168.0.1.1:8081 remote=[::] FD 37 flags=1


# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*filter
:INPUT DROP [213:54000]
:FORWARD ACCEPT [704:28436]
:OUTPUT ACCEPT [57:19155]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -s 10.1.2.00/24 -d 192.168.0.1.0/24 -i eth1 -m policy --dir in --pol 
ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.1.0/24 -d 10.1.2.00/24 -o eth1 -m policy --dir out 
--pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min 
--limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID 

Re: [squid-users] squid and iptables

2018-10-13 Thread morteza omidian
Can I keep connection marks when I use TPROXY??!
Does the "acl aclname clientside_mark mark[/mask]" directive only work on squid4 and 
up?? Can I use it in squid3? Is the only way to install squid4 to download the source 
code??
Thank you


On Saturday, October 13, 2018, 10:03:33 AM GMT+3:30, Amos Jeffries 
 wrote:  
 
 On 13/10/18 6:08 PM, morteza omidian wrote:
> Thanks again.
> Ok, if I want to know the connmark of packets and connections in squid and
> then select them with an ACL inside of squid and then again mark them
> with "tcp_outgoing_mark", is that possible??
> 

Yes.

> In this page  I
> don't see what you said!
> The ACL that can be configured only matches clients' source IP addresses
> or domain and ..., not connmark!

That is a directive for marking inbound / client connections from the
Squid end - after they have been received.

To fetch an existing mark placed by iptables is an "acl" line. ACL types
are all documented in here:
 

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid and iptables

2018-10-13 Thread Amos Jeffries
On 13/10/18 6:08 PM, morteza omidian wrote:
> Thanks again.
> Ok, if I want to know the connmark of packets and connections in squid and
> then select them with an ACL inside of squid and then again mark them
> with "tcp_outgoing_mark", is that possible??
> 

Yes.

> In this page  I
> don't see what you said!
> The ACL that can be configured only matches clients' source IP addresses
> or domain and ..., not connmark!

That is a directive for marking inbound / client connections from the
Squid end - after they have been received.

To fetch an existing mark placed by iptables is an "acl" line. ACL types
are all documented in here:
 

Amos


Re: [squid-users] squid and iptables

2018-10-12 Thread morteza omidian
Thanks again.
Ok, if I want to know the connmark of packets and connections in squid 
and then select them with an ACL inside of squid and then again mark them with 
"tcp_outgoing_mark", is that possible?? 
In this page  I don't see what you said! The ACL that can be configured only matches 
clients' source IP addresses or domain and ..., not connmark!
On Saturday, October 13, 2018, 5:47:49 AM GMT+3:30, Amos Jeffries 
 wrote:  
 
 On 13/10/18 5:13 AM, morteza omidian wrote:
> 
> Thank you, I see it now.
> It does not help me, I want to have an acl to select traffic (HTTP
> traffic that comes from client to squid) that have a specific packet
> mark and then send them out with another mark. like this:
> In iptables-mangle-PREROUTING: 
> 
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
> 
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
> 
> Is that possible or not?


What you ask for is not possible.

What you are trying to do *is* possible ...


> I want this kind of marks because I need to determine source interface
> of packets after they go out of squid!

Two things:

 1) the rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1.
Overwriting whatever Squid would set.


 2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.


What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.



Think of it this way:

 MARK - stays within nftables/iptables.

 CONNMARK - stays within the machine. Can go to other software within
the same machine.

 TOS - goes to other machines, and possibly networks.


Amos


Re: [squid-users] squid and iptables

2018-10-12 Thread Amos Jeffries
On 13/10/18 5:13 AM, morteza omidian wrote:
> 
> Thank you, I see it now.
> It does not help me, I want to have an acl to select traffic (HTTP
> traffic that comes from client to squid) that have a specific packet
> mark and then send them out with another mark. like this:
> In iptables-mangle-PREROUTING: 
> 
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
> 
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
> 
> Is that possible or not?


What you ask for is not possible.

What you are trying to do *is* possible ...


> I want this kind of marks because I need to determine source interface
> of packets after they go out of squid!

Two things:

 1) the rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1.
Overwriting whatever Squid would set.


 2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.


What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.



Think of it this way:

 MARK - stays within nftables/iptables.

 CONNMARK - stays within the machine. Can go to other software within
the same machine.

 TOS - goes to other machines, and possibly networks.


Amos
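The CONNMARK approach described in the reply above, as an added example that is not from the thread or from Squid's documentation: the netfilter side in iptables-save format, followed by the matching squid.conf lines. The LAN interface name eth0, the mark values 0x1 and 0x2, and restricting the rule to port 80 are assumptions chosen to fit the question; the rule quoted in the question had no interface match and used -j MARK.

```conf
# --- iptables, mangle table (load with iptables-restore) ---
*mangle
# Copy a connection's existing mark onto every packet of that connection
# first, so later rules (and policy routing) see it on each packet.
-A PREROUTING -j CONNMARK --restore-mark
# Mark only client connections arriving on the LAN interface for port 80,
# and only when the connection is NEW. Without "-i eth0" this would also
# mark Squid's own server-side connections and overwrite their marks.
-A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1
COMMIT

# --- squid.conf ---
# clientside_mark (the ACL type named in the reply) matches the connection
# mark netfilter placed on the client-side TCP connection, not a per-packet MARK.
acl from_marked clientside_mark 0x1
# Give the server-side connection Squid opens a different connection mark;
# an "ip rule ... fwmark 0x2" policy route on this host can then select
# the egress interface, which is what the question was trying to achieve.
tcp_outgoing_mark 0x2 from_marked
```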


Re: [squid-users] squid and iptables

2018-10-12 Thread morteza omidian
 
Thank you, I see it now. It does not help me, I want to have an acl to select 
traffic (HTTP traffic that comes from client to squid) that have a specific 
packet mark and then send them out with another mark. like this:
In iptables-mangle-PREROUTING:  
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
In Squid Configuration:
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS

Is that possible or not? I want this kind of marks because I need to determine 
the source interface of packets after they go out of squid! 
On Friday, October 12, 2018, 6:37:44 PM GMT+3:30, Antony Stone 
 wrote:  
 
 On Friday 12 October 2018 at 16:41:44, morteza omidian wrote:

> Hi, I asked my question before. It seems that nobody can answer it!!

Did you miss the response from Amos?

http://lists.squid-cache.org/pipermail/squid-users/2018-October/019389.html

> As you know, we can mark packets when they go out of squid with
> "tcp_outgoing_mark", this mark is based on Source IP or Source MAC of
> client, but i want to mark them based on mark of input packet, something
> like this: In iptables > mangle > PREROUTING:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
> 
> 
> Is that possible? How can i solve my problem??
> Tanx

PS: Please do not set "Reply-to" on list emails.

Thanks,


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

                                                  Please reply to the list;
                                                        please *don't* CC me.


Re: [squid-users] squid and iptables

2018-10-12 Thread Antony Stone
On Friday 12 October 2018 at 16:41:44, morteza omidian wrote:

> Hi, I asked my question before. It seems that nobody can answer it!!

Did you miss the response from Amos?

http://lists.squid-cache.org/pipermail/squid-users/2018-October/019389.html

> As you know, we can mark packets when they go out of squid with
> "tcp_outgoing_mark", this mark is based on Source IP or Source MAC of
> client, but i want to mark them based on mark of input packet, something
> like this: In iptables > mangle > PREROUTING:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
> 
> 
> Is that possible? How can i solve my problem??
> Tanx

PS: Please do not set "Reply-to" on list emails.

Thanks,


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

   Please reply to the list;
 please *don't* CC me.


[squid-users] squid and iptables

2018-10-12 Thread morteza omidian
Hi, I asked my question before. It seems that nobody can answer it!!
As you know, we can mark packets when they go out of squid with 
"tcp_outgoing_mark", this mark is based on Source IP or Source MAC of client, 
but i want to mark them based on mark of input packet, something like this:
In iptables > mangle > PREROUTING:  
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
In Squid Configuration:
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS


Is that possible? How can i solve my problem??
Tanx