[squid-users] Blocking Chrome and QUIC
Luis Miguel Silva
luismiguelferreirasilva at gmail.com
Fri Feb 6 21:54:54 UTC 2015
Dear all,
This isn't entirely a squid question but more like a "transparent proxying"
question (which I'm hoping you guys will be able to help me with)...
As I started playing around with transparent ssl proxying, I learned that
Chrome uses an alternate communication (UDP based) protocol called QUIC.
When the browser uses that protocol, Squid obviously isn't used as a proxy,
so I'm trying to block QUIC traffic to force the browsers to fall back to
HTTP/HTTPS.
At first, I found out that QUIC communicates over UDP 443 but, since
blocking traffic from going out on that port didn't seem to work, I decided
to use TCPView
<https://technet.microsoft.com/en-us/sysinternals/bb897437.aspx> (on the
client computer) and look at tcpdump to try and figure out what other ports
it uses...
After looking at TCPView, I was able to see traffic going out on:
tcp 80
tcp 443
tcp 5228
udp 80
udp 443
udp 5353
...so I tried to block traffic going out on those ports:
root@appliance:~# cat /etc/iptables/rules.v4 | grep -i forward
:FORWARD DROP [41:4010]
-A FORWARD -i br0 -p tcp -m tcp --dport 5228 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 5353 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
root@appliance:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5228 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:mdns reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:https reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@appliance:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 6182 packets, 2536K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1343 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
   18   912 REJECT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5228 reject-with icmp-port-unreachable
  100 30714 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 reject-with icmp-port-unreachable
   73 87052 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 6913 packets, 2386K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@appliance:~#
The problem is that, although the rules seem to be triggered successfully,
the only way I can successfully BLOCK QUIC traffic and make the browser
fall back to HTTP/HTTPS is by setting a default FORWARD policy to DROP:
*iptables -P FORWARD DROP*
What I conclude from this is that there MUST be some more FORWARD traffic
being originated at Chrome that I have no idea how to catch and filter.
So my question is: *how can I completely block QUIC so I can guarantee my
traffic will always be redirected to Squid?*
Thanks in advance,
Luis
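Added example, not part of Luis's post and not Squid's own tooling: a small POSIX sh script that does two things a practitioner would want at this point. `gen_forward_rules` emits a default-deny FORWARD ruleset in iptables-restore format, where the only explicit accepts are return traffic and DNS, and a rate-limited LOG rule sits just before the DROP policy so whatever Chrome still sends ends up in the kernel log with its real protocol and port instead of having to be guessed. `summarize_hits` parses `iptables -L -n -v` output and reports the per-rule counters together with each chain's policy counter, which is where packets that matched no rule at all are counted. The interface name br0 comes from the post; the sample counter output is constructed from the numbers in the post; the DNS ports and the assumption that the HTTP/HTTPS interception happens in the nat PREROUTING chain (so that redirected flows terminate on the box and never traverse FORWARD) are this example's assumptions, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: LAN side is br0,
# HTTP/HTTPS is redirected to Squid by nat PREROUTING rules that are
# managed elsewhere, and DNS from the LAN should keep working.

# Emit a default-deny FORWARD chain in iptables-restore format.
# Usage: gen_forward_rules br0 | iptables-restore -n   (hypothetical invocation)
gen_forward_rules() {
  lan_if="${1:-br0}"
  cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to flows the box already knows about
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Name resolution from the LAN (assumption: resolver is beyond this box)
-A FORWARD -i ${lan_if} -p udp --dport 53 -j ACCEPT
-A FORWARD -i ${lan_if} -p tcp --dport 53 -j ACCEPT
# Anything else from the LAN is logged (rate limited) and then falls
# through to the DROP policy; intercepted HTTP/HTTPS never reaches this
# chain because nat PREROUTING already redirected it to Squid.
-A FORWARD -i ${lan_if} -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Read "iptables -L -n -v" output on stdin and print one line per chain
# policy and per rule that has a non-zero packet counter.
# Output format:  CHAIN TARGET PROTO/PORT pkts=N   or   CHAIN policy TARGET pkts=N
summarize_hits() {
  awk '
    # iptables -v abbreviates large counters with K/M/G; expand them.
    function topkts(s,   m) {
      m = 1
      if (s ~ /K$/) m = 1000; else if (s ~ /M$/) m = 1000000; else if (s ~ /G$/) m = 1000000000
      sub(/[KMG]$/, "", s)
      return s * m
    }
    /^Chain / {
      chain = $2
      # "Chain FORWARD (policy ACCEPT 1343 packets, 160K bytes)"
      if ($3 == "(policy" && topkts($5) > 0)
        printf "%s policy %s pkts=%d\n", chain, $4, topkts($5)
      next
    }
    # Rule lines start with the packet counter; fields 10+ hold match details.
    $1 ~ /^[0-9]+[KMG]?$/ && NF >= 9 {
      pkts = topkts($1)
      port = "any"
      for (i = 10; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
      if (pkts > 0) printf "%s %s %s/%s pkts=%d\n", chain, $3, $4, port, pkts
    }'
}

# Constructed sample, modelled on the counters shown in the post (not a
# real capture): note the FORWARD policy counter of 1343 packets, i.e.
# traffic that matched none of the REJECT rules.
SAMPLE='Chain INPUT (policy ACCEPT 6182 packets, 2536K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1343 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
   18   912 REJECT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5228 reject-with icmp-port-unreachable
  100 30714 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 reject-with icmp-port-unreachable
   73 87052 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 6913 packets, 2386K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Optional command-line front end:
#   sh this.sh rules br0            -> print the ruleset
#   sh this.sh hits < counters.txt  -> summarize saved "iptables -L -n -v" output
#   sh this.sh demo                 -> summarize the constructed sample
case "${1:-}" in
  rules) gen_forward_rules "${2:-br0}" ;;
  hits)  summarize_hits ;;
  demo)  printf '%s\n' "$SAMPLE" | summarize_hits ;;
esac
```

Run against the constructed sample, the summary shows the three REJECT rules with their hits and, separately, `FORWARD policy ACCEPT pkts=1343`: those 1343 packets are forwarded traffic that none of the port-based rules matched, which is consistent with the observation that only a DROP policy stopped the fallback path. With the generated ruleset in place, the `FWD-DROP:` lines in the kernel log (via `dmesg` or the syslog file, depending on the distribution) name the protocol and destination port of exactly that traffic, so the decision to allow or keep dropping it can be made per port rather than by guessing.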