subject:"\[squid\-users\] transparent tproxy\: routing issue or my own problem \?"

[squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-05 Thread Ming-Ching Tiew



This is long I appreciate you patience.

I am using squid in a Linux box setting up as a bridge, and have
set up ebtables and iptables following the documentation
available on the Net :-

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
  --ip-destination-port 80 -j redirect --redirect-target ACCEPT

iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 \
  -j TPROXY --on-port 80

# this don't seem to have impact by I have put in anyway
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
 echo 0 > $i
done

On a brief glance it seems it's working properly but upon detail
investigation,
there are some issues.

This is my observation :-

If I place the Bridge/Squid S in a subnet A  before the default internet
gateway D, then all the machines inside the same subnet A can be
serviced by the squid cache engine. Sniffing confirmed that the source
IP has been spoofed by Bridge/Squid S.

However, if there is a subnet B, which is connected to subnet A, via
a router R, then all the machines inside subnet B will have problem
getting the http reply packets but http request packets have no
problem going out.

Note that none-http packets because it has not been redirected by the
ebtable rules, have no problem at all. This shows that the routing
outside of the Bridge/Squid, have all been set up correctly.

Then I added a route inside the Bridge/Squid S for the subnet B via
router R, then the web request/reply problem is solved.

It seems then to me that the http reply ( source port 80 ) has also be
directed ***INTO*** the Bridge/Squid S. Why is that so ? Why didn't the
Bridge/Squid forward the reply packet to the other side of the
interface ?

I am looking for something more transparent. Any insight is much
appreciated.

p/s :-

The logs I capture using tcpdump on the squid machine before and after I
added the route. Network B 10.6.1.0/24, Network A 192.168.128.0/18,
Router R  10.6.1.1<-->192.168.128.50,  Squid 192.168.128.20.

Before :-

squid:~> tcpdump -ni br0 host 10.6.1.2 and port 80
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
09:06:12.974206 IP 10.6.1.2.39895 > 192.168.128.20.80: S
3302818155:3302818155(0) win 5840 
09:06:12.974252 IP 66.249.89.99.80 > 10.6.1.2.39895: S
3648928734:3648928734(0) ack 3302818156 win 5792 
09:06:15.974464 IP 10.6.1.2.39895 > 192.168.128.20.80: S
3302818155:3302818155(0) win 5840 
09:06:15.974492 IP 66.249.89.99.80 > 10.6.1.2.39895: S
3648928734:3648928734(0) ack 3302818156 win 5792 
09:06:16.233344 IP 66.249.89.99.80 > 10.6.1.2.39893: S
3551948981:3551948981(0) ack 3215288824 win 5792 
0


squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:03:46.982444 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 
09:03:49.982585 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 
09:03:50.334072 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0)

squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:03:46.982444 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 
09:03:49.982585 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0) ack 3133545990 win 5792 
09:03:50.334072 IP 66.249.89.104.80 > 10.6.1.2.48082: S
3479803592:3479803592(0)


After I added a route :-

squid:~> ip route add 10.6.1.0/24 via 192.168.128.50

squid:~> tcpdump -ni br0 host 10.6.1.2 and port 80
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
09:12:55.957274 IP 10.6.1.2.47574 > 192.168.128.20.80: S
3726051898:3726051898(0) win 5840 
09:12:55.957398 IP 66.249.89.147.80 > 10.6.1.2.47574: S
4058179260:4058179260(0) ack 3726051899 win 5792 
09:12:55.95 IP 10.6.1.2.47574 > 192.168.128.20.80: . ack 4058179261 win
92 


squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
09:12:55.962016 IP 10.6.1.2.43328 > 66.249.89.99.80: S
4071804540:4071804540(0) win 5840 
09:12:56.403123 IP 66.249.89.99.80 > 10.6.1.2.43328: S
3907206245:3907206245(0) ack 4071804541 win 8472 

squid:~> tcpdump -ni eth0 host 10.6.1.2 and port 80 tcpdump: WARNING: eth0:
no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-08 Thread Ming-Ching Tiew


From: "Ming-Ching Tiew" <[EMAIL PROTECTED]>
>
> I am using squid in a Linux box setting up as a bridge, and have
> set up ebtables and iptables following the documentation
> available on the Net :-
>
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>   --ip-destination-port 80 -j redirect --redirect-target ACCEPT
>
> iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 \
>   -j TPROXY --on-port 80
>
>
> On a brief glance it seems it's working properly but upon detail
> investigation,
> there are some issues.
> 
> I am looking for something more transparent. Any insight is much
> appreciated.


I think I fixed the issue by changing the ebtables rule to :-

ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
   --ip-destination-port 80 -j redirect --redirect-target DROP

Note that subtle changes. With that I don't need to add routes and other
shits.
I would appreciate feedback from others to see if this is a better rule than
the original one.

Regards.

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-08 Thread Henrik Nordstrom

fre 2007-07-06 klockan 09:41 +0800 skrev Ming-Ching Tiew:

> However, if there is a subnet B, which is connected to subnet A, via
> a router R, then all the machines inside subnet B will have problem
> getting the http reply packets but http request packets have no
> problem going out.

Do your proxy have a return path route for subnet B?

> Then I added a route inside the Bridge/Squid S for the subnet B via
> router R, then the web request/reply problem is solved.

Ah, you didn't.. You need routing for all sessions you intercept, or the
proxy server won't know where to return traffic..

> It seems then to me that the http reply ( source port 80 ) has also be
> directed ***INTO*** the Bridge/Squid S. Why is that so ? Why didn't the
> Bridge/Squid forward the reply packet to the other side of the
> interface ?

I'd say that your ebtables rules is perhaps a bit too broad..

a packet matched by the ebtables redirect rule will be diverted from the
bridge into the TCP/IP stack to be routed, NAT:ed etc..

Regards
Henrik


signature.asc
Description: Detta är en digitalt signerad	meddelandedel

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-09 Thread Ming-Ching Tiew

> I think I fixed the issue by changing the ebtables rule to :-
>
> ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
>--ip-destination-port 80 -j redirect --redirect-target DROP
>
> Note that subtle changes. With that I don't need to add routes and other
> shits.
> I would appreciate feedback from others to see if this is a better rule
than
> the original one.
>

Sorry false alarm. The new rule bypasses all traffic from squid, that's why
it is working. Back to square ones. Need to work harder on it.

:-(

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

2007-07-09 Thread Henrik Nordstrom

fre 2007-07-06 klockan 11:07 +0800 skrev Ming-Ching Tiew:

> I think I fixed the issue by changing the ebtables rule to :-
> 
> ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
>--ip-destination-port 80 -j redirect --redirect-target DROP

Should be

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
-i eth0 --ip-source your.lan.network/mask \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT

with eth0 being the interface connected to your LAN, and
your.lan.network/mask the IP network used on your LAN.

Do NOT redirects networks for which you do not have routing configured,
doing so will not work.

If you are to use TPROXY then I'd recommend using the bridge-netfilter
integration instead of ebtables. This because TPROXY needs to intercept
the return traffic as well, not just lan->internet traffic. It's
possible to add ebtables rules for this by doing rules inverse to the
above.

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination your.lan.network/mask \
--ip-source-port 80 -j redirect --redirect-target ACCEPT


Regards
Henrik


signature.asc
Description: Detta är en digitalt signerad	meddelandedel

[squid-users] transparent tproxy: routing issue or my own problem ?

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

Re: [squid-users] transparent tproxy: routing issue or my own problem ?

5 matches

Site Navigation

Mail list logo

Footer information