Re: [squid-users] real client ip address instead of squid Ip address

From: Saleh Madi <saleh.madi_at_hadara.ps>
Date: Wed, 21 Sep 2011 15:42:04 +0300 (IDT)

Hi,

Squid is not spoofing the client IP. With the following http_port line in
squid:

http_port 3129 tproxy

everything seems to be working and squid runs with these messages in
cache.log:

2011/09/21 14:36:15 kid1| Accepting TPROXY spoofing HTTP Socket connections at local=[::]:3129 remote=[::] FD 17 flags=25

My requests seem to be redirected to port 3129 as I expected and the
pages are loading properly. But the problem is that when I go to the site
http://www.whatismyip.com/ it gives me the cache IP address instead of my
own client IP address. Here is the cache log output for one of my requests:

2011/09/21 14:38:00.720 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 67.202.66.200:80, destination/me= 192.168.88.100:51084
2011/09/21 14:38:00.720 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=67.202.66.200:80 remote=192.168.88.100 FD 47 flags=17
2011/09/21 14:39:23.398 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 209.85.147.113:80, destination/me= 192.168.88.100:48968
2011/09/21 14:39:23.398 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=209.85.147.113:80 remote=192.168.88.100 FD 14 flags=17
2011/09/21 14:39:23.984 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 209.85.169.102:80, destination/me= 192.168.88.100:45534
2011/09/21 14:39:23.984 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=209.85.169.102:80 remote=192.168.88.100 FD 20 flags=17
2011/09/21 14:39:33.521 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 91.209.196.169:80, destination/me= 192.168.88.100:43728
2011/09/21 14:39:33.521 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=91.209.196.169:80 remote=192.168.88.100 FD 24 flags=17
2011/09/21 14:39:34.238 kid1| Intercept.cc(343) Lookup: address BEGIN: me/client= 217.118.27.135:80, destination/me= 192.168.88.100:35387
2011/09/21 14:39:34.238 kid1| Intercept.cc(149) NetfilterTransparent: address TPROXY: local=217.118.27.135:80 remote=192.168.88.100 FD 26 flags=17

This means that the client IP spoofing is not working with tproxy4. Can
anyone guide me?

Thanks and Best Regards,
Saleh

> Hi,
>
> Any suggestions about this problem?
>
> Thanks and Best Regards,
> Saleh
>
>> Dears,
>>
>> I have setup a transparent proxy with the TPROXY feature and WCCP.
>>
>> Below is my squid configuration
>>
>> http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always
>>
>> wccp2_router ROUTERIP
>> wccp_version 2
>> wccp2_forwarding_method 2
>> wccp2_return_method 2
>> wccp2_assignment_method mask
>> wccp2_service dynamic 87
>> wccp2_service_info 87 protocol=tcp flags=src_ip_hash priority=240 ports=80
>> wccp2_service dynamic 97
>> wccp2_service_info 97 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>
>>
>> iptables -t mangle -F
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>>
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> ip rule add fwmark 1 lookup 100
>> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>>
>> Squid Version: 3.2.0.12 compiled with libcap2
>> Kernel : 2.6.37-1
>>
>> It works without any problem, but on whatismyip.com I see Squid's real
>> IP address, not the real client IP address. I would greatly appreciate
>> any idea to resolve this problem.
>>
>> Many thanks and Best Regards,
>> Saleh
>>
>>> 2011/9/19 Khemara Lyn <lin.kh_at_wicam.com.kh>:
>>>> Dear Sir Amos,
>>>>
>>>> Thank you for your response and being helpful always.
>>>>
>>>> My squid.conf does have that "forwarded_for on" but I think those public
>>>> upload/download file-sharing sites (fileserve, rapid share, etc.) are smart
>>>> enough to detect the header.
>>>>
>>>> Or is there a way to find out all the IP ranges used by those sites?
>>>> I would like to be able to block those IP ranges in WCCP access list so that
>>>> accesses to those sites will bypass my Squid box.
>>>>
>>>> Regards,
>>>> Khem
>>>>
>>>> On 09/20/2011 08:53 AM, Amos Jeffries wrote:
>>>>>
>>>>> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>>>>>>
>>>>>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>>>>>>
>>>>>>> Dears,
>>>>>>>
>>>>>>> How could I configure Squid to show the clients' real IP address
>>>>>>> instead of the Squid IP address?
>>>>>>> The problem is that all clients get the same IP address, which causes
>>>>>>> problems on file-sharing websites like mega upload, rapidshare and
>>>>>>> other websites.
>>>>>>> We use Squid in transparent mode with WCCP. Please advise how to
>>>>>>> resolve this problem.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>> Saleh Madi
>>>>>>>
>>>>>>>
>>>>>>>   Hi,
>>>>>>
>>>>>> I have the same query but doubt if it is possible at all, esp. with
>>>>>> WCCP.
>>>>>>
>>>>>> What I could do so far is that, I configure the Squid box to have
>>>>>> multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip
>>>>>> route". Each time, it could appear as a different IP but still get
>>>>>> blocked by those file-sharing Web sites as you mentioned.
>>>>>>
>>>>>> I would greatly appreciate any better idea.
>>>>>>
>>>>>> Thanks & regards,
>>>>>> Khem
>>>>>
>>>>>
>>>>> WCCP passes packets unchanged to the Squid box.
>>>>>
>>>>> You need two things:
>>>>>  1) to pass the IP through, using "forwarded_for on". Which permits Squid
>>>>> to send the X-Forwarded-For header with Client IP.
>>>>>  2) the website to be smart enough to make use of the header. Some sites
>>>>> do not support or choose not to trust that HTTP header.
>>>>>
>>>>>
>>>>> Alternatively you could set up a transparent proxy with the TPROXY feature.
>>>>> Spoofing the client inbound IP on the outbound traffic. This does work with
>>>>> WCCP, but is a bit tricky.
>>>>>  http://wiki.squid-cache.org/Features/Tproxy4
>>>>>
>>>>> Amos
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> Maybe you may use a spool of public keys and also use squid
>>> url_rewrite capability of 2.7 to cache file so this will reduce that
>>> symptom. How many IPs, how to configure squid is not easy to say, it
>>> requires analysis but it is a workaround if the X-Forwarded doesn't
>>> work.
>>>
>>> Khem, it is nice to know of you. Please contact me offline.
>>>
>>> LD
>>> http://www.twitter.com/ldlq
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
Received on Wed Sep 21 2011 - 12:43:17 MDT
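
The point in the quoted reply that some sites "choose not to trust" X-Forwarded-For, shown from the receiving site's side as an added example (not code from this thread or from Squid): the header is honoured only when the TCP peer is a known proxy, and the list is read right to left. The trusted proxy address 203.0.113.10 and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only proxies this site trusts to append X-Forwarded-For.
# 203.0.113.10 is a constructed documentation address standing in for a
# Squid box running with "forwarded_for on".
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def _is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the address the site should treat as the client.

    peer_ip    -- source address of the TCP connection to the web server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from an unknown peer is client-controlled input,
    # so it is ignored and the TCP source address is used.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    # Each proxy appends the address it saw, so the rightmost entries were
    # written by the nearest proxies. Walk right to left and stop at the
    # first hop that is not one of the trusted proxies.
    candidate = peer
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # "unknown" or other non-address text: stop trusting here
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)
```

A site applying this logic sees every client behind an untrusted proxy as the proxy's own address, which is the behaviour reported in the thread when only the header is relied on.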

This archive was generated by hypermail 2.2.0 : Wed Sep 21 2011 - 12:00:02 MDT