Squid transparent proxy breaks 1:1 NAT + NAT reflection



  • Hi,

    I've come upon a fun little issue that took me a couple of hours to nail down. If you're wondering why I'm posting this on the NAT board, please bear with me as I'll have to go into the details of my setup first:

    • 4 interfaces: WAN, LAN (bge0), DMZ (em0), GUEST (em1)
    • DMZ subnet is private ips, using 1:1 NAT and IP Alias with reflection redirects to map incoming traffic from the other interfaces and from the internet onto my public webservers
    • GUEST network is on a different private subnet. I tested the Squid package here.

    Quick tests show it working properly when I configure my browser to use the proxy to access pages on the internet.

    Now comes the fun part:

    I set it up as a transparent proxy along with the "Bypass proxy for Private Address Space (RFC 1918) destination" setting checked.
    As expected, the proxy catches all traffic going to internet sites and caches it. When I try to access my DMZ hosts though, something funny happens: instead of my usual homepages, I get the pfsense login screen with the familiar DNS rebind attack warning.
    No such issue with the https encrypted traffic to the same pages (which of course doesn't go through the proxy). Also no issues getting to my DMZ sites using their private IPs.

    So what happened?

    I've looked around this forum and used what google-fu I had this Friday and came to the following conclusion:

    The transparent proxy is using redirect rules to catch TCP traffic on port 80 and send that to the proxy.
    As it happens, 1:1 NAT is also using redirect rules to catch TCP traffic and send it to a different host.

    The /tmp/rules.debug look as follows:

    
    # Setup Squid proxy redirect
    no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
    #
    #
    #
    # Reflection redirects and NAT for 1:1 mappings
    rdr on { bge0 em0 em1 } from any to aaa.bbb.ccc.ddd -> 192.168.ccc.ddd bitmask
    no nat on em0 from em0 to 192.168.ccc.ddd
    nat on em0 from 192.168.ccc.ddd/27 to 192.168.ccc.ddd -> em0 port 1024:65535
    
    

    I think what happens is that Squid rules are taking precedence, thus not applying any of my 1:1 NAT and Reflection redirects.

    Traffic coming in on the GUEST interfaces and headed for the DMZ is taken out of the transparent proxy redirects, but also out of the refection redirects that are later applied.

    Further testing shows that even in regular (non-transparent) proxy mode, accessing one of my DMZ servers via the proxy on its public IP address leads not to the server but rather to my pfSense box.

    Now, I'd love to use a transparent proxy AND be able to still access hosts inside the DMZ. On my GUEST subnet I figured out a workaround using split DNS, thus sending requests directly to the private DMZ subnet. This however fails the moment a client opens a VPN connection (even in split-tunnel mode) and thus has access to real DNS data.

    My guess: Squid is bound to the loopback interface instead of a real interface, thus ignoring all the nice preppy redirect and reflection rules that seem to only be applied to my physical interfaces.

    Is it possible to add the redirect rules for NAT reflection to the loopback interface as well?

    Best regards,

    -Jan



  • Disable the Squid transparent proxy redirect and make your own similar port forward with your local networks excluded from the destination.  For example, you could have a MyLocalNetworks alias and have the destination for your port forward as not MyLocalNetworks (checking the "not" box).  Everything else should be the same as the information from the rules file - same interface, TCP protocol, source any, destination port 80, redirect IP 127.0.0.1, redirect port 3128.



  • How do you disable the squid transparent proxy redirect?


  • Rebel Alliance Developer Netgate

    you could just add your external 1:1 subnet(s) to the destination bypass box in the squid config. No need to go the manual route.



  • Thanks!


Log in to reply