[squid-users] Client IP spoofing via squid proxy

[Amos Jeffries]

On 7/05/2015 6:09 p.m., Ambadas Hibare wrote:
> HI,
> 
> Client IP: 172.16.5.110
> Client Mac: 00:23:7D:E8:AC:C4
> 
> Squid Box:
> 
> eth0 IP: 172.16.5.102
> eth0 Mac: 18:A9:05:3C:12:E4
> 
> eth1 IP: 10.0.0.102
> eth1 Mac: 18:A9:05:3C:12:E6
> 
>> "Your "ip route" rules use eth1, but your rp_filter settings only change eth0. Also your iptables rules do not distinguish by ethN."
> 
> Yes. Should that setting be applied on both eths' or only the one facing the client?

The one facing the *server* at minimum. Doing it on both wont hurt for
experimenting. But when this is working try setting the client-facing
NIC off again.


> Also want to know if it's possible to do tproxy setup with just one eth at squid box?

Of course. You just have to configure the packet routing explicitly on
the router the Squid box is connected to as well as the Squid box
itself. To prevent server responses (SYN ACK etc) being sent to the
client when they should go to Squid.

> 

>> "Your trace shows the MAC address *:c4 contacting Squid (MAC
>> address
*:e4) and delivering an HTTP request. Squid (*:e4) then contacts the
remote server be sending > a TCP SYN packet ... which the MAC address
*:c4 rejects."
> 
> In trace it shows squid (*:e4) (packet# 83) is contacting the web
server (google.com) via client IP (172.16.5.110). So it's getting
spoofed!? But not able to understand why client is sending RST to google
(packet# 84) just after that & response


Because one of the SYN (from Squid) or SYN-ACK packet (reply from
server) is arriving at the client when it should have been delivered
elsewhere.


the packets doing this:
 client -----> Squid -SYN-> server
 client <-------------ACK-- server
 client -RST-> Squid

or this:
 client -----> Squid -SYN-\
 client <-----------------/
 client -RST-> Squid


> PS. The default gateway for client is squid box IP (eth1). 

The part routing traffic from client<->Squid is working. The part
Squid<->server is going wrong.

Amos