[squid-users] Blocking Chrome and QUIC

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Fri Feb 6 21:54:54 UTC 2015


Dear all,

This isn't entirely a squid question but more like a "transparent proxying"
question (which I'm hoping you guys will be able to help me with)...

As I started playing around with transparent SSL proxying, I learned that
Chrome uses an alternate, UDP-based communication protocol called QUIC.

When the browser uses that protocol, Squid obviously isn't used as a proxy,
so I'm trying to block QUIC traffic to force the browsers to fall back to
HTTP/HTTPS.

At first, I found out that QUIC communicates over UDP 443 but, since
blocking traffic from going out on that port didn't seem to work, I decided
to use TCPView
<https://technet.microsoft.com/en-us/sysinternals/bb897437.aspx> (on the
client computer) and look at tcpdump to try and figure out what other ports
it uses...

After looking at TCPView, I was able to see traffic going out on:
tcp 80
tcp 443
tcp 5228
udp 80
udp 443
udp 5353

...so I tried to block traffic going out on those ports:
root@appliance:~# cat /etc/iptables/rules.v4 | grep -i forward
:FORWARD DROP [41:4010]
-A FORWARD -i br0 -p tcp -m tcp --dport 5228 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 5353 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
root@appliance:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5228 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:mdns reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:https reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@appliance:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 6182 packets, 2536K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1343 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
   18   912 REJECT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5228 reject-with icmp-port-unreachable
  100 30714 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 reject-with icmp-port-unreachable
   73 87052 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 6913 packets, 2386K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@appliance:~#

The problem is that, although the rules do seem to be triggered successfully,
the only way I can successfully BLOCK QUIC traffic and make the browser
fall back to HTTP/HTTPS is by setting the default FORWARD policy to DROP:
*iptables -P FORWARD DROP*

What I conclude from this is that there MUST be some more FORWARD traffic
originating from Chrome that I have no idea how to catch and filter.

So my question is: *how can I completely block QUIC so I can guarantee my
traffic will always be redirected to Squid?*

Thanks in advance,
Luis
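The script below is an added example for this thread, not code from the original post or from the Squid project. It does two things a practitioner in this situation wants: it blocks UDP 80/443 on every interface (inserted at the top of FORWARD and also in OUTPUT, so no earlier blanket ACCEPT lets QUIC past), and it adds rate-limited LOG rules so that whatever else leaves the LAN (non-DNS UDP, TCP SYNs to ports other than 80/443) is recorded in the kernel log instead of being silently eaten by a "-P FORWARD DROP" policy. It assumes the LAN-facing interface is br0 (as in the post) and that the multiport and limit matches are available; the "FWD-UDP:" and "FWD-TCP:" prefixes are labels chosen here. quic_hits sums the packet counters of the UDP 80/443 rules from "iptables -L FORWARD -v -n" output so you can confirm the rules fire before looking elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post): block QUIC on all interfaces
# and log the remaining traffic a blanket FORWARD DROP would hide.
# Assumptions: LAN side is br0 (override with LAN_IF=...); log prefixes are
# arbitrary labels picked here.
# Usage: ./quic-block.sh          print the rule set
#        ./quic-block.sh --apply  load it as root via "iptables-restore -n"

LAN_IF="${LAN_IF:-br0}"

# Emit the rules in iptables-restore format. "-I" puts the QUIC blocks at the
# top of the chain; REJECT with port-unreachable makes Chrome see the failure
# at once and fall back to TCP rather than waiting for a UDP timeout.
quic_rules() {
    cat <<EOF
*filter
-I FORWARD -p udp -m multiport --dports 80,443 -j REJECT --reject-with icmp-port-unreachable
-I OUTPUT -p udp -m multiport --dports 80,443 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i $LAN_IF -p udp ! --dport 53 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FWD-UDP: "
-A FORWARD -i $LAN_IF -p tcp --syn -m multiport ! --dports 80,443 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FWD-TCP: "
COMMIT
EOF
}

# Read "iptables -L FORWARD -v -n [-x]" output on stdin and print the total
# packet count of REJECT/DROP rules for UDP destination port 80 or 443
# (either a plain "dpt:443" rule or a "multiport dports 80,443" rule).
# Columns: pkts bytes target prot opt in out source destination [extra]
quic_hits() {
    awk '$3 ~ /^(REJECT|DROP)$/ && $4 == "udp" \
         && ($0 ~ /dpt:(80|443)( |$)/ || $0 ~ /dports 80,443/) { sum += $1 }
         END { print sum + 0 }'
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run --apply as root" >&2; exit 1; }
        # -n/--noflush appends to the live table instead of replacing it
        quic_rules | iptables-restore -n
        ;;
    *)
        quic_rules
        ;;
esac
```

After loading, watch `dmesg` or the kernel log for the FWD-UDP/FWD-TCP prefixes; whatever shows up there is the traffic the blanket DROP policy was catching. Note that Chrome remembers which hosts previously spoke QUIC, so the fallback to TCP may not be visible until the browser is restarted; on the client side QUIC can also be switched off outright (the `--disable-quic` command-line flag, or the `QuicAllowed` enterprise policy where that is deployable).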