Hi Amos,

It's happening as you said:

the packets doing this:
 client -----> Squid -SYN-> server
 client <-------------ACK-- server
 client -RST-> Squid 

There's a firewall in between squid & web server which is directly sending 
SYN-ACK to client instead of squid.

But in my requirement, the clients are configured with IP & Port. Is there any 
possible way/approach by which I can make client IP hide towards web server?

Any help appreciated


Regards,
Ambadas


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: 07 May 2015 18:08
To: Ambadas Hibare; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Client IP spoofing via squid proxy

On 7/05/2015 6:09 p.m., Ambadas Hibare wrote:
> HI,
> 
> Client IP: 172.16.5.110
> Client Mac: 00:23:7D:E8:AC:C4
> 
> Squid Box:
> 
> eth0 IP: 172.16.5.102
> eth0 Mac: 18:A9:05:3C:12:E4
> 
> eth1 IP: 10.0.0.102
> eth1 Mac: 18:A9:05:3C:12:E6
> 
>> "Your "ip route" rules use eth1, but your rp_filter settings only change 
>> eth0. Also your iptables rules do not distinguish by ethN."
> 
> Yes. Should that setting be applied on both eths' or only the one facing the 
> client?

The one facing the *server* at minimum. Doing it on both won't hurt for 
experimenting. But when this is working try setting the client-facing NIC off 
again.


> Also want to know if it's possible to do tproxy setup with just one eth at 
> squid box?

Of course. You just have to configure the packet routing explicitly on the 
router the Squid box is connected to as well as the Squid box itself. To 
prevent server responses (SYN ACK etc) being sent to the client when they 
should go to Squid.

> 

>> "Your trace shows the MAC address *:c4 contacting Squid (MAC address
>> *:e4) and delivering an HTTP request. Squid (*:e4) then contacts the remote 
>> server by sending a TCP SYN packet ... which the MAC address
>> *:c4 rejects."
> 
> In trace it shows squid (*:e4) (packet# 83) is contacting the web
> server (google.com) via client IP (172.16.5.110). So it's getting spoofed!? But 
> not able to understand why client is sending RST to google (packet# 84) just 
> after that & response


Because one of the SYN (from Squid) or SYN-ACK packet (reply from
server) is arriving at the client when it should have been delivered elsewhere.


the packets doing this:
 client -----> Squid -SYN-> server
 client <-------------ACK-- server
 client -RST-> Squid

or this:
 client -----> Squid -SYN-\
 client <-----------------/
 client -RST-> Squid


> PS. The default gateway for client is squid box IP (eth1). 

The part routing traffic from client<->Squid is working. The part 
Squid<->server is going wrong.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
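As an added example (not code from this thread, from Amos, or from the Squid project), here is the Linux-side plumbing on the Squid box that Amos's reply refers to for a TPROXY setup: policy routing for marked packets, the mangle-table DIVERT/TPROXY rules, and the rp_filter handling on the server-facing NIC. It also includes a check for the mistake he points out: the kernel uses the larger of `net.ipv4.conf.all.rp_filter` and the per-interface value, so disabling rp_filter on one interface does nothing while `all` is still 1. Assumptions: eth0 is client-facing and eth1 is server-facing (as in the Squid box described earlier in the thread), Squid listens with `http_port 3129 tproxy`, and fwmark 1 and routing table 100 are free. With `DRY_RUN=1` (the default) the script only prints the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project.
# Assumed values (hypothetical): Squid has "http_port 3129 tproxy", the
# server-facing NIC is $SERVER_IF, the client-facing NIC is $CLIENT_IF, and
# fwmark 1 / routing table 100 are unused. DRY_RUN=1 prints instead of running.

SERVER_IF="${SERVER_IF:-eth1}"
CLIENT_IF="${CLIENT_IF:-eth0}"
SQUID_TPROXY_PORT="${SQUID_TPROXY_PORT:-3129}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Policy routing: packets carrying fwmark 1 are delivered to the local stack
# even though their destination address is not one of ours.
tproxy_routing() {
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
}

# Mangle rules: packets belonging to an existing Squid socket are marked
# (DIVERT); new client connections to port 80 are handed to the tproxy port.
tproxy_iptables() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$SQUID_TPROXY_PORT"
}

# rp_filter must be off on the server-facing NIC, or the SYNs Squid sends with
# the client's source address are dropped. conf.all must be 0 as well, because
# the kernel applies max(conf.all, conf.<iface>). Keeping it on for the
# client-facing NIC is this example's choice, matching Amos's suggestion.
tproxy_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.${SERVER_IF}.rp_filter=0"
    run sysctl -w "net.ipv4.conf.${CLIENT_IF}.rp_filter=1"
}

# Effective rp_filter for one interface: the larger of "all" and the NIC value.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Read "iface value" lines on stdin and print every interface (other than
# "all" and "default") whose effective rp_filter is still non-zero.
rp_filter_blocking() {
    awk '
        { v[$1] = $2 + 0 }
        END {
            a = v["all"] + 0
            for (i in v) {
                if (i == "all" || i == "default") continue
                e = (a > v[i]) ? a : v[i]
                if (e != 0) print i
            }
        }' | sort
}

# Live variant: feed the running kernel's values from /proc into the check.
live_rp_filter_blocking() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        i=${f%/rp_filter}; i=${i##*/}
        printf '%s %s\n' "$i" "$(cat "$f")"
    done | rp_filter_blocking
}

# Dry-run listing for review (no privileges needed).
tproxy_sysctl
tproxy_routing
tproxy_iptables
```

After applying the rules as root, `live_rp_filter_blocking` should not list the server-facing NIC. Note that this only fixes the Squid box itself; the case reported at the top of the thread, where the firewall between Squid and the web server returns the SYN-ACK straight to the client, is the router-side routing Amos mentions, and nothing in this script changes that device.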
