Transparent Squid


Transparent Squid

LINGYUN ZHAO

Dear Squid team,


I need Squid as a real 'transparent' proxy on Fedora without changing 5 tuples. Is it possible?


The setup is simple: Client ---------- Fedora -------- Server

The Squid version is 3.5.20. The key configuration on Squid is as below:

   http_port 0.0.0.0:3128 transparent

   acl localnet src 10.0.0.0/24

   http_access allow localnet

And I configured a NAT on Fedora. 

   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:3128


When I run curl on Client to server, I found the server receives the traffic with Fedora's IP address and a different source port, instead of the Client IP address and original source port.


Thanks a lot



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent Squid

Matus UHLAR - fantomas
On 27.11.17 11:24, LINGYUN ZHAO wrote:
>I need Squid as a real 'transparent' proxy on Fedora without changing 5
>tuples. Is it possible?

tuples?

>The setup is simple as Client ---------- Fedora --------Server

is Fedora the NAT device and also running Squid?

>The Squid version is 3.5.20.The key configuration on Squid as below:
>
>   http_port 0.0.0.0:3128 transparent
>
>   acl localnet src 10.0.0.0/24
>
>   http_access allow localnet
>
>And I configured a NAT on Fedora.
>
>   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
>10.0.0.1:3128

this only works if "fedora" does the NAT and runs squid.
(just to be sure)

>When I run curl on Client to server. I found the server receives the
>traffic with Fedora's IP address and different source port, instead of
>Client IP address and original source port.

when you redirect traffic to the squid and squid connects to the server,
it's logical that the server sees squid's IP.

if you want to keep the client's source IP, you need tproxy:
https://wiki.squid-cache.org/Features/Tproxy4


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: Transparent Squid

Amos Jeffries
Administrator
On 29/11/17 02:03, Matus UHLAR - fantomas wrote:
> On 27.11.17 11:24, LINGYUN ZHAO wrote:
>> I need Squid as a real 'transparent' proxy on Fedora without changing 5
>> tuples. Is it possible?
>
> tuples?
>

The technical name for an entry in the system NAT table is a 3-tuple or
4-tuple.

Though what a "5 tuples" means interests me. There are not 5 IP and port
details in a TCP message. Only two of each.



>> The setup is simple as Client ---------- Fedora --------Server
>
> is fedora NAT device and also running squid?
>
>> The Squid version is 3.5.20.The key configuration on Squid as below:
>>
>>   http_port 0.0.0.0:3128 transparent
>>
>>   acl localnet src 10.0.0.0/24
>>
>>   http_access allow localnet
>>
>> And I configured a NAT on Fedora.
>>
>>   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
>> 10.0.0.1:3128
>
> this only works if "fedora" does the NAT and runs squid.
> (just for sure)
>
>> When I run curl on Client to server. I found the server receives the
>> traffic with Fedora's IP address and different source port, instead of
>> Client IP address and original source port.
>
> when you redirect traffic to the squid and squid connects to the server,
> it's logical that the server sees squid's IP.

Not just logical. That is how NAT works and why "transparent" is such a
wrong way to describe NAT interception.


>
> if you want to keep source client's IP, you need tproxy:
> https://wiki.squid-cache.org/Features/Tproxy4
>

Indeed.

  ... and to answer what appears to be the original question directly:

   No, you cannot make Squid use both src-IP *and* src-port from the
client details. They are already being used by the client TCP connection.


All you can do is pick between one of them or neither.

For "neither" use NAT. NAT interception is *not* transparent - the Squid
machine's IP:port is always used on outgoing traffic to servers. Otherwise
you break the routing system or the NAT system.


For "one" use TPROXY. T(ransparent)PROXY uses only the client src-IP.
The difference in src-port is the only way to distinguish the packets
arriving into the Squid machine from the server.

Amos
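To make the "neither" versus "one" distinction concrete, here is an added example (not code from the thread, Squid, or the Squid wiki) that prints the NAT-interception rule from the original post next to the TPROXY ruleset of the kind the linked Tproxy4 page describes, and checks that the http_port line in squid.conf carries the flag matching the chosen firewall mode. The interface eth1, proxy address 10.0.0.1 and port 3128 come from the original post; the TPROXY port 3129, fwmark 1, routing table 100 and the DIVERT chain name are assumed values. Commands are printed rather than executed unless DRY_RUN=0, so the script can be read and checked on a machine without iptables.

```shell
#!/bin/sh
# Added example: NAT interception ("neither") beside TPROXY ("one").
# Values below are assumptions for illustration; adjust to the real network.
LAN_IF=${LAN_IF:-eth1}          # interface facing the clients (from the post)
PROXY_IP=${PROXY_IP:-10.0.0.1}  # Squid host's LAN address (from the post)
NAT_PORT=${NAT_PORT:-3128}      # http_port ... transparent (from the post)
TPROXY_PORT=${TPROXY_PORT:-3129}  # http_port ... tproxy (assumed)
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands, 0 = run them as root

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "Neither": NAT interception. Squid opens its own TCP connection, so the
# origin server always sees PROXY_IP and a source port chosen by Squid.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to "$PROXY_IP:$NAT_PORT"
    printf 'squid.conf: http_port 0.0.0.0:%s transparent\n' "$NAT_PORT"
}

# "One": TPROXY. Packets are delivered to Squid without rewriting addresses
# and Squid spoofs the client src-IP outbound; only the src-port differs.
# Server replies must therefore route back through this host to be matched.
tproxy_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Policy routing: marked packets are delivered locally instead of forwarded.
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
    # Packets that already belong to a local socket are marked and accepted.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New port-80 flows are handed to the tproxy listener, addresses untouched.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$TPROXY_PORT"
    printf 'squid.conf: http_port %s tproxy\n' "$TPROXY_PORT"
}

# Sanity check: the http_port flag must match the firewall mode, otherwise
# Squid looks up the wrong table for the original destination and the
# intercepted connections fail.  Usage: check_port_mode <squid.conf> <nat|tproxy>
check_port_mode() {
    conf=$1
    mode=$2
    case $mode in
        nat)    pattern="^http_port .*$NAT_PORT (transparent|intercept)" ;;
        tproxy) pattern="^http_port .*$TPROXY_PORT tproxy" ;;
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    grep -qE "$pattern" "$conf"
}

# Stand-alone usage: print both rulesets for review.
if [ "${0##*/}" != "sh" ] && [ -z "$SQUID_EXAMPLE_NO_MAIN" ]; then
    echo "# --- NAT interception (server sees proxy IP:port) ---"
    nat_rules
    echo "# --- TPROXY (server sees client IP, proxy-chosen port) ---"
    tproxy_rules
fi
```

Run it as-is to review the generated commands; set DRY_RUN=0 only on the Squid host itself, since both modes require the NAT or TPROXY rules and Squid to live on the same machine, as Matus points out above. The check_port_mode helper is the piece worth keeping in a deployment script: it catches the common mismatch of pointing TPROXY rules at a port declared with "transparent" or "intercept".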