[squid-users] Mikrotik and Squid Transparent

Amos Jeffries squid3 at treenet.co.nz
Sat Jun 27 06:33:03 UTC 2015


On 27/06/2015 10:02 a.m., Alex Samad wrote:
> Hi
> 
> Sorry missing something here.
> 
> I thought this was a Mikrotik router, presumably acting as a default
> gateway for the local LAN to the internet.
> It has a DNAT rule to capture all internet traffic that is port 80
> (and presumably at some point in time port 443) and it DNATs it to the
> Squid box.
> 
> And there needs to be a special rule on the DGW to allow Squid access
> out to the internet without resending it back to Squid and
> creating a loop.
> 
> From memory that's how I used to do this, unless the DGW is large
> enough to run Squid, then DNAT to the local box and on to Squid.

Yes, a lot of people used to do it that way. The problem was that the
CVE-2009-0801 vulnerability allowed an attacker's script to send any request
to Squid claiming an arbitrary server Host: header and get that content
both delivered back as if it were from some other domain the client thought
it was connecting to, and injected into the Squid cache for other clients to
be affected by in the same way.

That is no longer permitted since Squid-3.2. The DNAT can only happen
once, and that must be on the Squid machine so Squid can look up the NAT
tables and unmangle the original dst-IP.

You need to use routing rules on the Mikrotik (or tunnel sometimes works
too) to deliver the original client generated packet to the Squid
machine without NAT changing the dst-IP:port details (SNAT is fine, but
will cause lies about client IP in the access.log).

> 
> Why would there be a DoS for Squid on another box? The only resources
> I can think of are the NAT table, maybe conntrack.

Like I said earlier "The dst-IP:port on the TCP packets entering the
Squid machine is where Squid will send the outgoing server requests."

If you block forwarding loops the outbound requests from Squid get an
error page *always* because the outbound traffic is going from Squid to
be served by Squid (forwarding loop).

If you disable the Via header forwarding loop protection Squid will just
loop until all TCP port numbers on the machine are consumed sending new
"outbound" connections that loop back to Squid. Then no network connections
will be available to Squid or any other software. The RAM associated
with each connection may also be too much and cause the OS to
force-shutdown Squid.

So you get to pick between a DoS or a very nasty DoS.

Amos
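Added illustration (not from this thread, and not Squid's code): how an interceptor on the Linux host performs the NAT-table lookup Amos refers to, via the SO_ORIGINAL_DST socket option, and how the two bad states above show up in that lookup. The address values and the raw sockaddr bytes are constructed; the intercept port 3129 and the Squid host 192.168.1.10 are assumptions.

```python
import socket
import struct
from ipaddress import IPv4Address

# From <linux/netfilter_ipv4.h>; the socket module does not export it.
SO_ORIGINAL_DST = 80

# Constructed sample: struct sockaddr_in for 203.0.113.10:80 as the kernel
# returns it (sa_family in host order, port and address in network order).
SAMPLE_ORIG_DST_RAW = struct.pack("=H", socket.AF_INET) + struct.pack("!H4s", 80, bytes([203, 0, 113, 10])) + b"\x00" * 8


def parse_sockaddr_in(raw):
    """Decode the 16-byte sockaddr_in returned by SO_ORIGINAL_DST into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port, addr = struct.unpack("!H4s", raw[2:8])
    return str(IPv4Address(addr)), port


def original_destination(conn):
    """Ask conntrack where an accepted, intercepted connection was originally
    headed. This only yields the real server when the REDIRECT/DNAT was done on
    this host; a translation done upstream on the router is invisible here."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def classify_intercept(orig_dst, sockname, peername, proxy_ips):
    """Sanity-check one intercepted connection.
    orig_dst  - (ip, port) recovered from conntrack
    sockname  - the proxy's own listening (ip, port) for this connection
    peername  - the client's (ip, port)
    proxy_ips - set of addresses belonging to the proxy host"""
    if peername[0] in proxy_ips:
        # Our own outbound connection was sent back to us by the gateway:
        # the forwarding loop described above.
        return "forwarding-loop"
    if orig_dst == sockname:
        # No translation recorded on this host, so the DNAT happened on the
        # router; only the untrusted Host: header is left to name the server.
        return "nat-not-local"
    return "ok"
```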