Last week I examined squid webproxy code to understand how this tproxy thing works. I realized that developers get most of tproxy code in kernel. So in user level, all you have to create a socket:*

socketfd=socket(AF_UNIX, SOCK_STREAM, IPPROTO_TCP);

get its IP_TRANSPARENT(19) options set:

int val = 1;
setsockopt(socketfd, SOL_IP, IP_TRANSPARENT, (char *) &val, sizeof(int));

and bind it with required spoofing address:

bind(socketfd, (struct sockaddr *) &addr,sizeof(struct sockaddr_un));

after all of these, when you connect someones listening port, they will see your ip address as spoofed. But ofcourse you need to have your kernel compiled with TPROXY support.

Reason of why i dig this out is that, I need to run squid in tproxied chain mode on the same machine. When I made quick search the web, everyone says squid only operates in tproxied mode as long as it gets request from iptables. So how do we create a setup like [squid] --> [dansquardian] --> [squid] with tproxy? I asked this question to Amos Jeffries and he replied that they added this feature to squid 3.2 but haven't test it.

I tested this out and I can say it works like a charm.

I configured two squid named squid-1 and squid-2. Squid-1 is the initial one which gets the request from iptables redirection.

In squid-1 configuration file:

http_port 50080 tproxy
forwarded_for on
cache_peer 127.0.0.1 parent 50081 0 no-query login=*:nopassword no-netdb-exchange no-digest no-tproxy

In squid-2 configuration file:

http_port 50081 tproxy
forwarded_for on
follow_x_forwarded_for allow all
tproxy_uses_indirect_client on

Please be warned to allow follow_x_forwarded_for only for necessary ones. It will cause to security leak in your setup.

You can add dansguardian process between these two squid by redirecting flow to dansguardian port with cache_peer option.

Of course you also need to configure dansguardian to send requests to squid-2.

You can reach how to configure other things such as iptables, ebtables by this link.



Ali Demiroz

I am a software developer, life-long learner and time-pemitted gamer!

blog comments powered by Disqus