[squid-users] SSL Bump Issue

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 7 02:57:48 UTC 2016


On 7/03/2016 2:50 p.m., Ali Jawad wrote:
> Hi
> Pardon me if I am mistaken but isn't it the case that 1 :
> 
> iptables -t nat -A PREROUTING -p tcp  --dport 443 --destination
> 162.220.xx.xx -j REDIRECT --to-ports 3129
> The rule above would only match for the IP of squid and squid should be
> heading to the actual IP of the site in question which is not on the same
> server

Squid itself is *never* a valid destination IP on intercepted traffic.
The purpose of the REDIRECT/DNAT is to make it a destination when it did
not start that way.

If you meant to write " ! --destination", you would be correct. However
the difficulty you already had in using the '!' correctly is a good
reason why we don't demo that way. It's just plain difficult for beginners
to understand what's going on (and some experts even).

Also, the ! mechanism does not cope well with multiple IPs on the Squid
machine. In the modern Internet every machine in existence always has a
minimum of between 3 and 6 IPs, maybe more if the admin actively assigns
multiple global IPs. They all need to be excluded for the protection to
be fully effective.


> 
> and 2 :
> 
> If Squid is intercepting the PREROUTING chain would not apply anymore, as
> traffic passing through local daemons goes through OUTPUT and POSTROUTING
> chains

If the packets stayed within the Squid machine that would be right.
However outgoing packets with Squid IP as the destination can reach the
switch to which Squid is plugged in and "bounce" right back in through
all the normal PREROUTING logic. Infinite loop and very much pain
trying to figure out what is going on.

> 
> As for
> 
> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
> 

Both the -s parameter here and the mangle table rule are pre-emptively
truncating the NAT loop so that the packets end up being routed normally
instead of diverted into that Squid intercept port. They also
simultaneously prevent external attacks on the NAT system (and Squid)
from remote clients.

As mentioned above the --destination way(s) of doing things both does
not scale to all the IPs on the current machine, and is far less easy
for beginners to understand. So it is a multiple-win situation to do it
the way we demo.

> 
> All traffic set to ACCEPT ..thanks !


Not all traffic hopefully. Just the stuff outgoing / generated by Squid
itself :-P

Amos
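As an added example (not from the thread or the Squid project), the script below emits the nat/mangle rules in the order argued for above: one "-s <ip> ACCEPT" per address the Squid host owns, placed before the REDIRECT, followed by the mangle DROP on the intercept port; it only prints the commands, and the port and addresses are constructed for illustration.

```shell
#!/bin/sh
# Emit iptables commands for a Squid intercept port (constructed example).
# Nothing is applied: pipe the output to sh as root once reviewed.

INTERCEPT_PORT=3129   # constructed: the http_port ... intercept port

# squid_intercept_rules PORT IP [IP...]  -> prints the commands to stdout
squid_intercept_rules() {
    port=$1; shift
    [ $# -ge 1 ] || { echo "need at least one local IP" >&2; return 1; }
    # Exclude every local address first. Squid's own fetches (source = a
    # local IP) that bounce back in through PREROUTING must be routed
    # normally; if any local IP is missing here, its traffic is diverted
    # into port $port again, which is the NAT loop described in the thread.
    for ip in "$@"; do
        echo "iptables -t nat -A PREROUTING -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Only after the exclusions: divert client traffic to the intercept port.
    echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # Packets arriving from outside aimed straight at the intercept port were
    # never NAT'ed clients; drop them before they reach Squid.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $port -j DROP"
}

# A host with two IPv4 addresses: both must appear in the ACCEPT rules.
squid_intercept_rules "$INTERCEPT_PORT" 192.0.2.10 198.51.100.10
```

Collect the address list from the Squid host itself (every address on every interface, as the reply stresses), not from a single hard-coded value.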



More information about the squid-users mailing list