[squid-users] Client IP spoofing via squid proxy

Ambadas Hibare ambadasvh at teledna.com
Fri May 8 13:56:35 UTC 2015


Hi Amos,

It's happening as you said:

the packets doing this:
 client -----> Squid -SYN-> server
 client <-------------ACK-- server
 client -RST-> Squid 

There's a firewall in between squid & web server which is directly sending SYN-ACK to client instead of squid.

But in my requirement, the clients are configured with IP & Port. Is there any possible way/approach by which I can hide the client IP from the web server?

Any help appreciated


Regards,
Ambadas


-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz] 
Sent: 07 May 2015 18:08
To: Ambadas Hibare; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Client IP spoofing via squid proxy

On 7/05/2015 6:09 p.m., Ambadas Hibare wrote:
> Hi,
> 
> Client IP: 172.16.5.110
> Client Mac: 00:23:7D:E8:AC:C4
> 
> Squid Box:
> 
> eth0 IP: 172.16.5.102
> eth0 Mac: 18:A9:05:3C:12:E4
> 
> eth1 IP: 10.0.0.102
> eth1 Mac: 18:A9:05:3C:12:E6
> 
>> "Your "ip route" rules use eth1, but your rp_filter settings only change eth0. Also your iptables rules do not distinguish by ethN."
> 
> Yes. Should that setting be applied on both eths or only the one facing the client?

The one facing the *server* at minimum. Doing it on both won't hurt for experimenting. But when this is working try setting the client-facing NIC off again.


> Also want to know if it's possible to do tproxy setup with just one eth at squid box?

Of course. You just have to configure the packet routing explicitly on the router the Squid box is connected to as well as the Squid box itself, to prevent server responses (SYN ACK etc) being sent to the client when they should go to Squid.

> 

>> "Your trace shows the MAC address *:c4 contacting Squid (MAC address *:e4) and delivering an HTTP request. Squid (*:e4) then contacts the remote server by sending a TCP SYN packet ... which the MAC address *:c4 rejects."
> 
> In trace it shows squid (*:e4) (packet# 83) is contacting the web server (google.com) via client IP (172.16.5.110). So it's getting spoofed!? But not able to understand why client is sending RST to google (packet# 84) just after that & response


Because one of the SYN (from Squid) or SYN-ACK packet (reply from server) is arriving at the client when it should have been delivered elsewhere.


the packets doing this:
 client -----> Squid -SYN-> server
 client <-------------ACK-- server
 client -RST-> Squid

or this:
 client -----> Squid -SYN-\
 client <-----------------/
 client -RST-> Squid


> PS. The default gateway for client is squid box IP (eth1). 

The part routing traffic from client<->Squid is working. The part Squid<->server is going wrong.

Amos
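
Added example, not part of the original thread or of Squid: a small Python classifier that tells the two misrouting patterns drawn above apart by checking which MAC address received each frame of the server-side handshake. The client IP/MAC and Squid MAC are the ones quoted in the thread; SERVER_IP, ROUTER_MAC, the Frame record and the traces are constructed for illustration.

```python
from typing import NamedTuple

class Frame(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    flags: str  # "SYN", "SYN-ACK" or "RST"

# Addresses from the thread; SERVER_IP and ROUTER_MAC are constructed placeholders.
CLIENT_IP, CLIENT_MAC = "172.16.5.110", "00:23:7D:E8:AC:C4"
SQUID_MAC = "18:A9:05:3C:12:E4"
SERVER_IP, ROUTER_MAC = "203.0.113.10", "02:00:00:00:00:01"

def diagnose(frames, client_ip=CLIENT_IP, client_mac=CLIENT_MAC, squid_mac=SQUID_MAC):
    """Classify the server-side handshake of a TPROXY flow by who received each frame."""
    spoofed_syn, verdict = False, None
    for f in frames:
        if f.flags == "SYN" and f.src_ip == client_ip and f.src_mac == squid_mac:
            # Squid's outbound SYN: client source IP, Squid source MAC.
            spoofed_syn = True
            if f.dst_mac == client_mac:
                verdict = "syn-looped-to-client"
        elif (f.flags == "SYN-ACK" and spoofed_syn and f.dst_ip == client_ip
              and f.src_mac != squid_mac):
            # src_mac != squid_mac skips Squid's own SYN-ACK on the client side.
            if f.dst_mac == squid_mac:
                return "ok"
            if f.dst_mac == client_mac:
                verdict = "synack-bypassed-squid"
        elif f.flags == "RST" and f.src_mac == client_mac and verdict:
            return verdict + ", client sent RST"
    return verdict or ("no-reply-seen" if spoofed_syn else "no-spoofed-syn")

# Constructed traces: client-side handshake first, then Squid's server-side SYN.
CLIENT_SIDE = [Frame(CLIENT_MAC, SQUID_MAC, CLIENT_IP, SERVER_IP, "SYN"),
               Frame(SQUID_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "SYN-ACK")]
RST = Frame(CLIENT_MAC, SQUID_MAC, CLIENT_IP, SERVER_IP, "RST")
BYPASS = CLIENT_SIDE + [Frame(SQUID_MAC, ROUTER_MAC, CLIENT_IP, SERVER_IP, "SYN"),
                        Frame(ROUTER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, "SYN-ACK"), RST]
LOOPED = CLIENT_SIDE + [Frame(SQUID_MAC, CLIENT_MAC, CLIENT_IP, SERVER_IP, "SYN"), RST]
HEALTHY = CLIENT_SIDE + [Frame(SQUID_MAC, ROUTER_MAC, CLIENT_IP, SERVER_IP, "SYN"),
                         Frame(ROUTER_MAC, SQUID_MAC, SERVER_IP, CLIENT_IP, "SYN-ACK")]

if __name__ == "__main__":
    for name, trace in (("bypass", BYPASS), ("looped", LOOPED), ("healthy", HEALTHY)):
        print(name, "->", diagnose(trace))
```

Matching on IP addresses alone cannot separate these cases, because with TPROXY both the client's own packets and Squid's outbound packets carry the client IP; only the link-layer addresses show where a frame was actually delivered.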

