[squid-users] (no subject)
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 23 11:06:14 UTC 2019
On 23/10/19 1:23 am, Vieri Di Paola wrote:
> On Tue, Oct 22, 2019 at 1:48 PM Amos Jeffries wrote:
>>
>> I do not see any DIVERT rule at all in your firewall config dump. That
>> is at least part of the problem.
>
> I opened the previous dump and saw the divert rules here below:
>
> Chain PREROUTING (policy ACCEPT 573K packets, 462M bytes)
> pkts bytes target prot opt in out source destination
> 573K 462M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0xff
> 1213 181K routemark all -- ppp1 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff
> 3195 308K routemark all -- ppp2 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff
> 1320 79360 routemark all -- ppp3 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff
> 311K 277M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff
> 0 0 divert tcp -- ppp1 * 0.0.0.0/0 10.215.144.48 [goto] tcp spt:80 flags:!0x17/0x02 socket --transparent
> 0 0 divert tcp -- ppp2 * 0.0.0.0/0 10.215.144.48 [goto] tcp spt:80 flags:!0x17/0x02 socket --transparent
> 0 0 divert tcp -- ppp3 * 0.0.0.0/0 10.215.144.48 [goto] tcp spt:80 flags:!0x17/0x02 socket --transparent
> 76 7484 TPROXY tcp -- enp10s0 * 10.215.144.48 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x200/0x200
> 0 0 divert tcp -- ppp1 * 0.0.0.0/0 10.215.144.48 [goto] tcp spt:443 flags:!0x17/0x02 socket --transparent
> 0 0 divert tcp -- ppp2 * 0.0.0.0/0 10.215.144.48 [goto] tcp spt:443 flags:!0x17/0x02 socket --transparent
> 0 0 divert tcp -- ppp3 * 0.0.0.0/0 10.215.144.48 [goto] tcp spt:443 flags:!0x17/0x02 socket --transparent
> 10 1060 TPROXY tcp -- enp10s0 * 10.215.144.48 0.0.0.0/0 tcp dpt:443 TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200
>
> Aren't these the DIVERT rules you are referring to?
>
Oh, case sensitivity. I was grep'ing for the upper case chain name.
So you have a 'divert' chain.
First problem with these rules is they depend on an IP address. IP is
the one detail guaranteed not to match properly when TPROXY spoofing is
going on.
Second problem is that they also depend on a source port number of 80 or
443. The traffic needing to be marked comes from both directions, so
this will break half the traffic flow.
Third is that you are using the --transparent option. If I am
understanding it correctly, that will cause the connections out of Squid
(which are marked as transparent) to skip divert action and hit the
TPROXY intercept all over again - infinite loop.
Amos
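For comparison, here is an added example (not from the thread, not from Vieri's Shorewall setup and not Squid project code) of a minimal TPROXY mangle ruleset in the shape the Squid TPROXY documentation uses, filled in with the values visible in the dump above (Squid tproxy ports 3129 and 3130, LAN-side interface enp10s0, mark 0x200/0x200). It matches on the socket alone, so it has none of the three properties Amos points out: no IP address in the divert rules, no source-port match, and no --transparent on the socket match. The chain name, the DRY_RUN variable and the script name tproxy.sh are assumptions for this example; on a Shorewall box the same change would be made in Shorewall's own configuration rather than with raw iptables.

```sh
#!/bin/sh
# Added example (not from the original thread): a minimal TPROXY mangle ruleset
# for Squid, using the interface, ports and mark seen in the quoted dump.
# Assumptions: the chain is created here directly with iptables (on Shorewall
# the equivalent belongs in Shorewall's config); DRY_RUN=1 prints the commands
# instead of executing them, which is how the script can be reviewed offline.

run() {
    # With DRY_RUN set and non-empty, every command is prefixed with echo.
    ${DRY_RUN:+echo} "$@"
}

tproxy_rules() {
    # The divert chain marks packets that already belong to a local socket
    # (Squid's TPROXY sockets) so the policy route below delivers them locally.
    run iptables -t mangle -N divert
    run iptables -t mangle -A divert -j MARK --set-mark 0x200/0x200
    run iptables -t mangle -A divert -j ACCEPT

    # Match on the socket only: no source/destination address, no port and no
    # --transparent. Packets of an existing TPROXY connection arriving from
    # either side (client on enp10s0, origin server on a ppp link) match here,
    # regardless of the spoofed addresses involved.
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j divert

    # New client traffic arriving on the LAN side is handed to Squid.
    run iptables -t mangle -A PREROUTING -i enp10s0 -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x200/0x200 --on-port 3129
    run iptables -t mangle -A PREROUTING -i enp10s0 -p tcp --dport 443 \
        -j TPROXY --tproxy-mark 0x200/0x200 --on-port 3130

    # Policy routing: anything carrying the mark is routed to the local host.
    run ip rule add fwmark 0x200/0x200 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
}

# Only apply when explicitly asked to: "sh tproxy.sh apply".
if [ "${1:-}" = "apply" ]; then
    tproxy_rules
fi
```

Running `DRY_RUN=1 sh tproxy.sh apply` prints the eight commands without touching the firewall, which makes it easy to confirm that the only rule feeding the divert chain is the bare `-m socket` match before applying it on a test box.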