From: Abu Khaled
To: freebsd-questions@freebsd.org
Cc: freebsd-isp@freebsd.org
Date: Thu, 9 Jun 2005 04:51:39 +0300
Subject: Squid transparent proxy masquerading as Client IPs

Some ISPs use Linux with tproxy kernel patch to masquerade the requests from clients and make them appear as if they came from the client with no proxy connection.
After digging around the squid-cache archives and mailing lists, Henrik Nordstrom suggested using tcp_outgoing_address and NAT to achieve the same on FreeBSD with Squid in transparent (intercepting) mode. The idea is to assign each client a private IP on the Squid server (aliases worked fine). In squid.conf we add:

header_access Via deny all
header_access X-Forwarded-For deny all
# this removes both headers
# and for each client we need
acl clientxxx src <client real IP>
tcp_outgoing_address <private alias IP> clientxxx

Squid binds requests from clientxxx to the private alias IP, then we NAT those to the client's real IP, making the request appear as if it came directly from the client, not the proxy.

To make things easy I used two scripts.

1. I added the add-alias.sh script to /etc/rc.local to create the aliases on startup.

# < add-alias.sh > start
IP=110
MAXIP=150
PRIV=10.10.10
ALIASIF=lo0   # I used lo0 to do the aliases on
# Also I tested a virtual interface (netgraph)
# Just to make sure no conflicts with transparent proxy rules (loops)
while [ $IP -le $MAXIP ]
do
    if ! ifconfig $ALIASIF inet $PRIV.$IP netmask 0xffffffff alias; then
        echo "Error creating alias $PRIV.$IP on $ALIASIF"
        exit 1
    fi
    IP=$(( $IP + 1 ))
done
# < add-alias.sh > end

2. The squid-ipnat.sh script deletes the old ipnat.conf file and creates a new one with rules for the external interface. It also creates two files with ACLs for Squid. I used it once to create the ipnat.conf file and keep it just in case I need to change the IPs (real/private). The two files with ACLs for Squid were used to copy and paste the ACLs into squid.conf. Oh, and back up your configuration files, just in case.
# < squid-ipnat.sh > start
IP=110
MAXIP=150
PRIV=10.10.10
REAL=xxx.xxx.xxx
EXTIF=        # I used the external interface for nat (put its name here)
cd
rm ipnat.conf   # careful, deletes old ipnat.conf file
rm squid_acl.conf
rm squid_tcp.conf
while [ $IP -le $MAXIP ]
do
    echo "bimap $EXTIF from $PRIV.$IP/32 to 0.0.0.0/0 port = 80 -> $REAL.$IP/32" >> ipnat.conf
    echo "acl Client$IP src $REAL.$IP" >> squid_acl.conf
    echo "tcp_outgoing_address $PRIV.$IP Client$IP" >> squid_tcp.conf
    # Client$IP is the name for the ACL, expands from Client110 to Client150
    # squid_acl.conf and squid_tcp.conf both end up copied and pasted into squid.conf
    IP=$(( $IP + 1 ))
done
# < squid-ipnat.sh > end

As you can see, I used IPNAT's bimap and tested the configuration for 40+ clients. My network is small and I wonder if someone can use this to test a larger network. Also test PF or IPFW/DIVERT/NAT and see what performs better, or just for fun.

One last note: tcp_outgoing_address does not follow the X-Forwarded-For patch, and it caused me to lose my head since I had DansGuardian in front of Squid. The delay pools followed X-Forwarded-For fine, and that caused me to think there was a problem with my configuration. After disabling DansGuardian the configuration worked as expected. So do not wonder if it does not work when you use another proxy before Squid.

-- 
Kind regards
Abu Khaled
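The two scripts above share one IP range, so a typo in either can leave an alias with no bimap rule (traffic then leaves with the proxy's address) or a bimap rule with no alias. The script below is an added example, not from the post: one generator for all four fragments plus a consistency check; the interface names em0/lo0 and the real prefix 203.0.113 are assumed values.

```shell
#!/bin/sh
# Added example (not the original post's scripts): generate the alias
# commands, ipnat bimap rules, Squid ACLs and tcp_outgoing_address lines
# from a single range, then verify that every private alias has exactly
# one ifconfig line, exactly one bimap rule and a matching ACL.
# Interface names and the real prefix below are assumed, not real values.

# gen_squid_nat DIR FIRST LAST PRIV_PREFIX REAL_PREFIX EXTIF ALIASIF
gen_squid_nat() {
    dir=$1 first=$2 last=$3 priv=$4 real=$5 extif=$6 aliasif=$7
    [ "$first" -le "$last" ] && [ "$last" -le 254 ] || return 1
    [ "$priv" != "$real" ] || return 1   # same prefix would NAT an address to itself
    : > "$dir/add-alias.sh"; : > "$dir/ipnat.conf"
    : > "$dir/squid_acl.conf"; : > "$dir/squid_tcp.conf"
    ip=$first
    while [ "$ip" -le "$last" ]; do
        printf 'ifconfig %s inet %s.%s netmask 0xffffffff alias\n' \
            "$aliasif" "$priv" "$ip" >> "$dir/add-alias.sh"
        # bimap: port 80 traffic leaving from the alias is rewritten to the
        # client's real address and replies are mapped back to the alias
        printf 'bimap %s from %s.%s/32 to 0.0.0.0/0 port = 80 -> %s.%s/32\n' \
            "$extif" "$priv" "$ip" "$real" "$ip" >> "$dir/ipnat.conf"
        printf 'acl Client%s src %s.%s\n' "$ip" "$real" "$ip" >> "$dir/squid_acl.conf"
        printf 'tcp_outgoing_address %s.%s Client%s\n' "$priv" "$ip" "$ip" >> "$dir/squid_tcp.conf"
        ip=$((ip + 1))
    done
}

# check_squid_nat DIR: walk the tcp_outgoing_address lines and confirm the
# alias, NAT rule and ACL for each one exist exactly once. Returns 1 on any gap.
check_squid_nat() {
    dir=$1 rc=0
    while read -r kw privip aclname; do
        [ "$kw" = tcp_outgoing_address ] || continue
        na=$(grep -c -F -- " inet $privip " "$dir/add-alias.sh")
        nb=$(grep -c -F -- " from $privip/32 " "$dir/ipnat.conf")
        [ "$na" -eq 1 ] || { echo "alias $privip: $na ifconfig lines"; rc=1; }
        [ "$nb" -eq 1 ] || { echo "alias $privip: $nb bimap rules"; rc=1; }
        grep -q "^acl $aclname src " "$dir/squid_acl.conf" \
            || { echo "acl $aclname missing"; rc=1; }
    done < "$dir/squid_tcp.conf"
    return "$rc"
}

# Demo with constructed values: 41 clients, output under /tmp
out=${TMPDIR:-/tmp}/squid-nat-demo
mkdir -p "$out" && gen_squid_nat "$out" 110 150 10.10.10 203.0.113 em0 lo0 \
    && check_squid_nat "$out" && echo "fragments written to $out"
```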