[squid-users] Skype for Business behind a transparent squid (TProxy) HTTP/S

Sameh Onaissi sameh.onaissi at solcv.com
Tue Dec 6 17:29:10 UTC 2016 

Hello,

OK, I added the ssl_bump slice on the skype domains text file
I installed ipset and ran the script.

Now access.log has much less skype related logs:

What is left is:
1481044996.398   3412 10.0.0.11 TAG_NONE/200 0 CONNECT 132.245.1.32:443 - ORIGINAL_DST/132.245.1.32 -
1481044996.423      0 10.0.0.11 TAG_NONE/400 3998 REGISTER sip:solcv.comSIP/2.0 - HIER_NONE/- text/html
1481045000.296    372 10.0.0.11 TAG_NONE/200 0 CONNECT 134.170.113.207:443 - ORIGINAL_DST/134.170.113.207 -
1481045000.325      0 10.0.0.11 TAG_NONE/400 3998 REGISTER sip:solcv.comSIP/2.0 - HIER_NONE/- text/html
1481045008.685   4259 10.0.0.11 TAG_NONE/200 0 CONNECT 134.170.113.207:443 - ORIGINAL_DST/134.170.113.207 -
1481045008.726      0 10.0.0.11 TAG_NONE/400 3998 REGISTER sip:solcv.comSIP/2.0 - HIER_NONE/- text/html


although solve.com<http://solve.com> is in the text file.

I ran whois on the first IP and got:

NetRange:       132.245.0.0 - 132.245.255.255
CIDR:           132.245.0.0/16
NetName:        MICROSOFT


Same with the 134.170. address. Can we slice that range?



[cid:DA9A1E3F-3876-4EF2-BBA2-D3942A06ACE1 at routerb408e2.com]

Sameh Onaissi
Ingeniero de Soporte
Sol Cable Visión
Cel: 316-3023424
Email: sameh.onaissi at solcv.com<mailto:sameh.onaissi at solcv.com>



[cid:2FD1C3AB-E45C-49F0-84AB-0F8AC658BD11 at routerb408e2.com]Piensa en el medio ambiente antes de imprimir este email.

On Dec 6, 2016, at 12:11 PM, Eliezer Croitoru <eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>> wrote:

Hey,

Depends on your OS you will need to installthe  ipset package.
Try to run “apt-get install ipset”.
And then run the script.

Eliezer

----
Eliezer Croitoru<http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>
<Untitled Attachment 1.jpg>

From: Sameh Onaissi [mailto:sameh.onaissi at solcv.com]
Sent: Tuesday, December 6, 2016 5:23 PM
To: Amos Jeffries <squid3 at treenet.co.nz<mailto:squid3 at treenet.co.nz>>
Cc: Eliezer Croitoru <eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>>
Subject: Re: [squid-users] Skype for Business behind a transparent squid (TProxy) HTTP/S

Amos, thanks for the reply.


This is getting more confusing.

I changed the script to: http://pastebin.com/jLgywstg

And I ran it, but I am getting errors:

sudo sh bypass.sh<http://bypass.sh/> + iptables -t mangle -L PREROUTING + grep bypasspool + [ 1 -ne 0 ] + iptables -t mangle -I PREROUTING -m set --match-set bypasspool dst,src -j DIVERT iptables v1.6.0:<http://v1.6.0/> Set bypasspool doesn't exist. Try `iptables -h' or 'iptables --help' for more information. + ipset create bypasspool hash:ip bypass.sh:<http://bypass.sh/> 10: bypass.sh:<http://bypass.sh/> ipset: not found + read item + echolyncdiscover.solcv.com<http://lyncdiscover.solcv.com/> lyncdiscover.solcv.com<http://lyncdiscover.solcv.com/> + host -4 lyncdiscover.solcv.com<http://lyncdiscover.solcv.com/> + grep has address + awk {print $4} + xargs -l1 ipset add bypasspool xargs: ipset: No such file or directory + read item + echo webdir0a.online.lync.com<http://webdir0a.online.lync.com/>webdir0a.online.lync.com<http://webdir0a.online.lync.com/> + host -4 webdir0a.online.lync.com<http://webdir0a.online.lync.com/> + grep has address + awk {print $4} + xargs -l1 ipset add bypasspool xargs: ipset: No such file or directory

… this goes on the same for all the domains in the text file

My iptables is still <http://pastebin.com/SqpbmYQQ>

I did not quite understand what you meant by
You should test whether -m set or -m socket work faster and put that one
first. My change above places it at line 2 (after -m socket) assuming
your iptables script is still <http://pastebin.com/SqpbmYQQ>

should I incorporate the bypass script into my iptables.sh script? run iptables first then bypass?



On a side note, would adding ssl_bump exceptions to squid.conf do it?
Something like:

acl skype_domains <path to file>
ssl_bump splice skype_domains
ssl_bump bump all



Again, thanks again for your help.



<Untitled Attachment 2.jpg> Piensa en el medio ambiente antes de imprimir este email.

On Dec 6, 2016, at 9:50 AM, Amos Jeffries <squid3 at treenet.co.nz<mailto:squid3 at treenet.co.nz>> wrote:

On 7/12/2016 3:19 a.m., Sameh Onaissi wrote:
Hello,

I tried doing the changes to nat/REDIRECT in iptables.sh and I must have messed up somewhere, so I am sticking with mangle/tproxy for now since squid is working with them.

How can I change Eliezer’s script to mangle/tproxy? https://gist.github.com/elico/e0faadf0cc63942c5aaade808a87deef

Excuse my novice knowledge in iptables.

No worries.

You need to change where iptables attaches the 'bypasspool'. Both the
table/location (-t) and the jump/action (-j).

 iptables -t mangle -L PREROUTING |grep bypasspool
 if [ "$?" -ne "0" ];then

   iptables -t mangle -I 2 PREROUTING \
     -m set --match-set bypasspool dst,src \
     -j DIVERT

 fi

You should test whether -m set or -m socket work faster and put that one
first. My change above places it at line 2 (after -m socket) assuming
your iptables script is still <http://pastebin.com/SqpbmYQQ>

(Your script should do that line adding, not Eliezers - so that you can
be sure the order is always correct).


BTW: you should use iptables-save / iptables-restore instead of a slow
script calling iptables "manually". Those other tools will ensure there
are no gaps in the firewall initialization for nasty traffic to sneak
through.


I am looking at access.log to collect all domains I see heading to skype for business, as well as IPs. My question is, can I add the domains AND IPs into the domains-to-bypass.txt that the above script uses?

IIRC you should be able to use domain as the parameter to ipset. But it
will resolve the domain immediately and only add those IPs that it finds
at that time into the pool. Any future changes, or a hidden set of IPs
that rotate in/out will not be listed.

Amos



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161206/0f24624c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 58.png
Type: image/png
Size: 7419 bytes
Desc: 58.png
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161206/0f24624c/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Image 5-5-16 at 11.48 AM.jpg
Type: image/jpeg
Size: 4083 bytes
Desc: Image 5-5-16 at 11.48 AM.jpg
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161206/0f24624c/attachment-0001.jpg>

More information about the squid-users mailing list