Enable tproxy in Squid 3.5 running on Debian 9


Enable tproxy in Squid 3.5 running on Debian 9

xpro6000
I'm trying to set up tproxy with Squid 3.5 for the purpose of having the same outgoing IP as the connecting IP. (I have thousands of IPs and I cannot add them one by one.)

I started with a fresh install of Debian 9, installed Squid by

apt install squid

then I added 

http_port 3129 tproxy

to squid.conf

I then ran the following commands for iptables

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129


I can use the proxy with no problems on port 3128, but on Firefox I get a message "The proxy server is refusing connections" when I set the proxy to port 3129. Did I miss any steps or am I doing something wrong?

Below is my full squid.conf file:

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
http_port 3128
http_port 3129 tproxy
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Enable tproxy in Squid 3.5 running on Debian 9

Amos Jeffries
Administrator
On 05/10/17 15:01, xpro6000 wrote:

> I'm trying to setup tproxy with Squid 3.5 for the purpose of having the
> same outgoing ip as the connecting ip. (I have thousands of IPs and I
> can not add them one by one)
>
> I started with a fresh install of Debian 9, installed Squid by
>
> apt install squid
>
> then I added
>
> http_port 3129 tproxy
>
> to squid.conf
>
> I then ran the following commands for iptables
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
>
>
> I can use the proxy with no problems on port 3128, but on Firefox I get
> a message "The proxy server is refusing connections" when I set the
> proxy to port 3129. Did I miss any steps or am I doing something wrong?

You missed the fact that TPROXY is an MITM operation. You *cannot* set up
the browser to use the proxy directly to its tproxy port. You have to
route the packets to the proxy machine without any explicit browser or
client configuration.

Only the Squid machine bits (and thus behaviour) are different with
TPROXY vs NAT interception.

...
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access allow all

Do not do "allow all" like this. Set up the localnet ACL to your LAN
range(s) properly and only allow those clients through the proxy.

Then you can use the recommended default:
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access deny manager
  http_access allow localnet
  http_access deny all

Amos
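As an added example, not code from the thread or from Squid itself: a small Python model of Squid's first-match http_access evaluation, run over the poster's ruleset and the ordering Amos gives above, showing that the original "allow all" admits any source address while the recommended order admits only localhost and localnet. The 192.168.0.0/16 localnet range, the sample client addresses and the cache_object:// approximation of the manager ACL are constructed assumptions.

```python
# Added example (not from the thread): a minimal model of Squid's first-match
# http_access evaluation, comparing the poster's rules with Amos's ordering.
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("192.168.0.0/16")  # constructed stand-in for the real LAN range(s)
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}  # from the poster's squid.conf

# Each ACL is a predicate over a request dict (src, port, method, url).
# 'manager' is approximated by the cache_object:// scheme the real ACL matches.
ACLS = {
    "localhost": lambda r: ip_address(r["src"]).is_loopback,
    "localnet": lambda r: ip_address(r["src"]) in LOCALNET,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "all": lambda r: True,
}

ORIGINAL = """http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all""".splitlines()  # the poster's ruleset

RECOMMENDED = """http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny manager
http_access allow localnet
http_access deny all""".splitlines()  # Amos's recommended default

def term_matches(term, req):
    # A leading '!' negates the ACL, as in squid.conf.
    return ACLS[term.lstrip("!")](req) != term.startswith("!")

def http_access(rules, req):
    """Every ACL on a line must match (AND); the first matching line decides.
    With no match, Squid applies the opposite of the last line's action."""
    action = "deny"
    for line in rules:
        action, *terms = line.split()[1:]
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if action == "allow" else "allow"

def request(src, port=80, method="GET", url="http://example.com/"):
    return {"src": src, "port": port, "method": method, "url": url}
```

A request from an outside address such as 203.0.113.9 is allowed by ORIGINAL (an open proxy) and denied by RECOMMENDED, while LAN clients still get through and only localhost reaches the cache manager.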

Re: Enable tproxy in Squid 3.5 running on Debian 9

xpro6000
I'm back to square one then, and it looks like there is no way to tell Squid to use the same connecting IP for the outgoing IP, which is what I need.

On Thu, Oct 5, 2017 at 3:49 AM, Amos Jeffries <[hidden email]> wrote:

Re: Enable tproxy in Squid 3.5 running on Debian 9

Alex K
You will need to transparently redirect the traffic and not explicitly point your browser to Squid. It seems that the mentioned firewall rules are correct. You will also need a policy route for the marked traffic.

On Oct 5, 2017 7:54 PM, "xpro6000" <[hidden email]> wrote:

Re: Enable tproxy in Squid 3.5 running on Debian 9

Eliezer Croitoru
Hey,

Can you clarify the network topology of your setup?
Also, is Squid another machine on the LAN with you using another router, or does Squid sit in a DMZ?
Can you add the IP addresses of:
- client machine
- squid
- router of this network?

Thanks,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of xpro6000
Sent: Thursday, October 5, 2017 19:54
To: Amos Jeffries <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Enable tproxy in Squid 3.5 running on Debian 9
