[squid-users] Client IP spoofing via squid proxy

Ambadas Hibare ambadasvh at teledna.com
Thu May 7 04:59:16 UTC 2015


Hi,

Thanks for replying.

I did a full transparent tproxy setup for squid proxy on a Linux (RHEL 6) machine as below:

Version: squid-3.5.1
configure options:  '--enable-follow-x-forwarded-for' '--enable-linux-netfilter' --enable-ltdl-convenience

squid.conf:
http_port 3128
http_port 3129 tproxy

Linux Kernel Configuration:
NF_CONNTRACK=m
NETFILTER_TPROXY=m
NETFILTER_XT_MATCH_SOCKET=m
NETFILTER_XT_TARGET_TPROXY=m

Routing configuration:
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth1 table 100
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eth1 table 100

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

iptables Configuration:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

The machines below are on a local LAN setup:
Client IP: 172.16.5.110
Client's gateway: 10.0.0.102
DNS Server IP: 172.16.1.7 (same for both client & squid machine)
Web server IP: 216.58.196.110 (google.com)

Squid Machine has 2 eth interfaces,
eth1 (facing client): 10.0.0.102
eth0 (connecting to web): 172.16.5.102

While browsing, the client is getting a connection timeout. After analyzing the squid side traces, I found that the client is doing DNS (for google.com) & connecting to that DNS IP on port 80. Squid is able to intercept the request on port 3129, doing DNS and trying to connect to google.com (using the spoofed client IP) but is getting an RST packet.
Can you please tell me what is missing here?

Please find the attached trace.


Regards,
Ambadas


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: 05 May 2015 20:30
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Client IP spoofing via squid proxy

On 6/05/2015 2:25 a.m., Ambadas Hibare wrote:
> Hi,
> 
> I am trying to spoof client IP via squid proxy by following squid's
> TPROXY4 wiki page: http://wiki.squid-cache.org/Features/Tproxy4
> 
> But I want to know whether squid can spoof client IP when we send 
> proxy format HTTP request from Mozilla (ie configuring proxy & port in 
> mozilla). Can squid proxy behave transparently towards only the web 
> server & not the client?

No. It can be both ways, or just towards the client.


> 
> I've tried sending proxy format HTTP request from client to squid box 
> (on 3129 tproxy port), but I am getting a header forgery error. Also it's 
> trying to connect to itself instead of the web server. I am trying to 
> understand why squid is trying to match the host header's DNS with the 
> destination IP instead of connecting to the host header's DNS (like normal 
> proxy behaviour on port 3128).
> 

To prevent CVE-2009-0801 happening.

You must not send regular forward-proxy traffic to a tproxy or intercept port. Forwarding loops are guaranteed if you do.

Amos
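The prerequisites listed in the setup above (ip_forward and rp_filter, the fwmark rule with its local route, and the DIVERT/TPROXY mangle rules) can be audited with the script below. It is an added example, not code from this thread or from the Squid project; it takes command output as strings so it runs offline against captured or constructed text, and it checks rp_filter on every interface rather than only on eth0.

```shell
#!/bin/sh
# Offline audit of the TPROXY prerequisites the post lists (kernel knobs, policy routing,
# mangle rules). Every check takes command output as a string, so it can be run against
# captured or constructed text; live use is e.g.:
#   audit_tproxy "$(sysctl -a | grep -E 'ip_forward|rp_filter')" "$(ip rule show)" \
#                "$(ip route show table 100)" "$(iptables -t mangle -S PREROUTING)"
TPROXY_PORT=${TPROXY_PORT:-3129}   # "http_port 3129 tproxy" in squid.conf
MARK_TABLE=${MARK_TABLE:-100}      # "ip rule add fwmark 1 lookup 100"

# 1. Forwarding on, and reverse-path filtering off on EVERY interface: the post clears
#    only default/all/eth0, but the kernel applies the stricter of conf.all and conf.<dev>.
check_sysctls() {
  printf '%s\n' "$1" | awk '
    /\.ip_forward *=/             { if ($NF != 1) { print "FAIL: " $1 " = " $NF; bad++ } }
    /\.conf\.[^.]*\.rp_filter *=/ { if ($NF != 0) { print "FAIL: " $1 " = " $NF; bad++ } }
    END { exit bad ? 1 : 0 }'
}

# 2. Marked packets must be looked up in a table whose default route is "local" on the
#    client-facing interface; otherwise the kernel forwards them instead of handing them to Squid.
check_routing() {   # $1 = `ip rule show`, $2 = `ip route show table $MARK_TABLE`
  printf '%s\n' "$1" | grep -Eq "fwmark 0x1(/0x[0-9a-f]+)? lookup $MARK_TABLE( |$)" \
    || { echo "FAIL: no 'fwmark 0x1 lookup $MARK_TABLE' rule"; return 1; }
  printf '%s\n' "$2" | grep -Eq '^local default dev ' \
    || { echo "FAIL: table $MARK_TABLE has no 'local default dev <if>' route"; return 1; }
}

# 3. The "-m socket -j DIVERT" rule comes before the TPROXY rule (the order the post and the
#    Tproxy4 wiki use), and the TPROXY rule must point at the tproxy port with mark 0x1.
check_iptables() {  # $1 = `iptables -t mangle -S PREROUTING`
  printf '%s\n' "$1" | awk -v port="$TPROXY_PORT" '
    /-m socket .*-j DIVERT/ { divert = NR }
    /-j TPROXY / { tproxy = NR; ok = ($0 ~ ("--on-port " port "( |$)")) && ($0 ~ /--tproxy-mark 0x1/) }
    END {
      if (!divert)         { print "FAIL: no -m socket -j DIVERT rule"; exit 1 }
      if (!tproxy || !ok)  { print "FAIL: no TPROXY rule with --on-port " port " --tproxy-mark 0x1"; exit 1 }
      if (divert > tproxy) { print "FAIL: socket-match rule is after the TPROXY rule"; exit 1 }
    }'
}

# Run all three; returns 0 only when every prerequisite is present.
audit_tproxy() {    # $1 sysctl output, $2 ip rule output, $3 table routes, $4 mangle PREROUTING
  rc=0
  check_sysctls "$1"      || rc=1
  check_routing "$2" "$3" || rc=1
  check_iptables "$4"     || rc=1
  return $rc
}
```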