[squid-users] (no subject)

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 23 11:06:14 UTC 2019


On 23/10/19 1:23 am, Vieri Di Paola wrote:
> On Tue, Oct 22, 2019 at 1:48 PM Amos Jeffries wrote:
>>
>> I do not see any DIVERT rule at all in your firewall config dump. That
>> is at least part of the problem.
> 
> I opened the previous dump and saw the divert rules here below:
> 
> Chain PREROUTING (policy ACCEPT 573K packets, 462M bytes)
>  pkts bytes target     prot opt in      out     source               destination
>  573K  462M CONNMARK   all  --  *       *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff
>  1213  181K routemark  all  --  ppp1    *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff
>  3195  308K routemark  all  --  ppp2    *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff
>  1320 79360 routemark  all  --  ppp3    *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff
>  311K  277M tcpre      all  --  *       *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff
>     0     0 divert     tcp  --  ppp1    *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:80 flags:!0x17/0x02 socket --transparent
>     0     0 divert     tcp  --  ppp2    *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:80 flags:!0x17/0x02 socket --transparent
>     0     0 divert     tcp  --  ppp3    *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:80 flags:!0x17/0x02 socket --transparent
>    76  7484 TPROXY     tcp  --  enp10s0 *       10.215.144.48        0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x200/0x200
>     0     0 divert     tcp  --  ppp1    *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:443 flags:!0x17/0x02 socket --transparent
>     0     0 divert     tcp  --  ppp2    *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:443 flags:!0x17/0x02 socket --transparent
>     0     0 divert     tcp  --  ppp3    *       0.0.0.0/0            10.215.144.48        [goto]  tcp spt:443 flags:!0x17/0x02 socket --transparent
>    10  1060 TPROXY     tcp  --  enp10s0 *       10.215.144.48        0.0.0.0/0            tcp dpt:443 TPROXY redirect 0.0.0.0:3130 mark 0x200/0x200
> 
> Aren't these the DIVERT rules you are referring to?
> 


Oh, case sensitivity. I was grep'ing for the upper case chain name.

So you have a 'divert' chain.

First problem with these rules is they depend on an IP address. IP is
the one detail guaranteed not to match properly when TPROXY spoofing is
going on.

Second problem is that they also depend on a source port number of 80 or
443. The traffic needing to be marked comes from both directions, so
this will break half the traffic flow.


Third is that you are using the --transparent option. If I am
understanding it correctly, that will cause the connections out of Squid
(which are marked as transparent) to skip divert action and hit the
TPROXY intercept all over again - infinite loop.

Amos
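As an added example, not code from this thread or from the Squid project: a dry-run script that emits the socket-match/DIVERT rule set the Squid TPROXY documentation describes, with no address match, no source-port match and no --transparent option on the divert rule, so both directions of an intercepted flow are handled by the one socket match. The 3129/3130 listener ports and the 0x200 mark come from the rules quoted above; the LAN interface name, routing table 100 and the IPT/IPR variables are assumptions. By default the commands are printed rather than applied; set IPT=iptables and IPR=ip to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): socket-match/DIVERT pattern for Squid
# TPROXY interception. Ports 3129/3130 and mark 0x200 are taken from the
# rules quoted in the thread; interface name and table 100 are assumptions.
# IPT/IPR default to a dry run that prints the commands instead of applying them.
IPT="${IPT:-echo iptables}"
IPR="${IPR:-echo ip}"

MARK=0x200
LAN_IF="${LAN_IF:-enp10s0}"   # assumed: interface facing the proxied clients

tproxy_rules() {
    # Packets carrying the mark are routed to the local host, so replies
    # addressed to spoofed client IPs reach Squid instead of being forwarded.
    $IPR rule add fwmark "$MARK" lookup 100
    $IPR route add local 0.0.0.0/0 dev lo table 100

    # DIVERT: mark a packet that already belongs to a local socket, then stop.
    $IPT -t mangle -N DIVERT
    $IPT -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    $IPT -t mangle -A DIVERT -j ACCEPT

    # No -i, no -s/-d, no --sport: the socket match alone identifies packets
    # of flows Squid already owns, whichever interface or direction they use.
    $IPT -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # New client connections from the LAN go to Squid's TPROXY listeners.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port 3129
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port 3130
}

# check_rules: returns 0 when the generated divert rule has none of the
# three properties discussed above (address match, source-port match,
# --transparent) and the socket match is present.
check_rules() {
    out=$(tproxy_rules)
    echo "$out" | grep -q -- '-m socket -j DIVERT' || return 1
    echo "$out" | grep -q -- '--transparent' && return 1
    echo "$out" | grep -q -- '--sport' && return 1
    echo "$out" | grep -E -q -- ' -(s|d) ' && return 1
    return 0
}

tproxy_rules
```

Run it once as a dry run to review the generated commands, then with `IPT=iptables IPR=ip sh script.sh` on the gateway; `check_rules` is a quick self-test of the generated set.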

