iptables configuration for WCCP on a squid3 proxy server

No, between the Cisco router and the machine on which squid runs (not the squid process itself, which has nothing to do with this). Since you enabled ip_forward on it, it behaves like a router for the packets it receives that are not addressed to it. That is the case for the two FIN and RST packets seen in the logs, which escaped the redirect rule (because they belong to no known connection, which is not rare for these packets, since they can be sent long after their connection has been forgotten). As their source and destination addresses and ports are not modified, they are retransmitted by the router to the proxy machine (via the GRE tunnel) and then from that machine to the router defined in its default route.

I will look at the logs as soon as I have a moment.

There is mostly DNS traffic; I had to extract the few lines that matter to us:

[code]
=== syn/ack proxy
[182566.869585] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51185 WINDOW=14600 RES=0x00 ACK SYN URGP=0
[182567.269399] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51188 WINDOW=14600 RES=0x00 ACK SYN URGP=0
[182568.868668] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51186 WINDOW=14600 RES=0x00 ACK SYN URGP=0
=== fin client
[182569.319251] PREROUTING IN=eth0 OUT= MAC=ac:16:2d:8d:86:50:00:25:84:46:e2:84:08:00 SRC=195.24.195.178 DST=proxy LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=20463 PROTO=GRE
[182569.319269] INPUT IN=eth0 OUT= MAC=ac:16:2d:8d:86:50:00:25:84:46:e2:84:08:00 SRC=195.24.195.178 DST=proxy LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=20463 PROTO=GRE
[182569.319293] PREROUTING IN=gre0 OUT= MAC= SRC=client DST=54.243.154.85 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=8056 DF PROTO=TCP SPT=51110 DPT=80 WINDOW=16425 RES=0x00 ACK FIN URGP=0
[182569.319306] FORWARD IN=gre0 OUT=eth0 MAC= SRC=client DST=54.243.154.85 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=8056 DF PROTO=TCP SPT=51110 DPT=80 WINDOW=16425 RES=0x00 ACK FIN URGP=0

=== syn client
[182570.575418] PREROUTING IN=eth0 OUT= MAC=ac:16:2d:8d:86:50:00:25:84:46:e2:84:08:00 SRC=195.24.195.178 DST=proxy LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=20464 PROTO=GRE
[182570.575436] INPUT IN=eth0 OUT= MAC=ac:16:2d:8d:86:50:00:25:84:46:e2:84:08:00 SRC=195.24.195.178 DST=proxy LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=20464 PROTO=GRE
[182570.575460] PREROUTING IN=gre0 OUT= MAC= SRC=client DST=212.71.234.61 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=8058 DF PROTO=TCP SPT=51189 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
[182570.575477] INPUT IN=gre0 OUT= MAC= SRC=client DST=proxy LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=8058 DF PROTO=TCP SPT=51189 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
=== syn/ack proxy
[182570.575509] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51189 WINDOW=14600 RES=0x00 ACK SYN URGP=0
[182571.067665] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51187 WINDOW=14600 RES=0x00 ACK SYN URGP=0
[182571.667400] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51189 WINDOW=14600 RES=0x00 ACK SYN URGP=0

=== syn client
[182572.464105] PREROUTING IN=eth0 OUT= MAC=ac:16:2d:8d:86:50:00:25:84:46:e2:84:08:00 SRC=195.24.195.178 DST=proxy LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=20465 PROTO=GRE
[182572.464122] INPUT IN=eth0 OUT= MAC=ac:16:2d:8d:86:50:00:25:84:46:e2:84:08:00 SRC=195.24.195.178 DST=proxy LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=20465 PROTO=GRE
[182572.464147] PREROUTING IN=gre0 OUT= MAC= SRC=client DST=199.16.131.155 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=8066 DF PROTO=TCP SPT=51190 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
[182572.464163] INPUT IN=gre0 OUT= MAC= SRC=client DST=proxy LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=8066 DF PROTO=TCP SPT=51190 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
=== syn/ack proxy
[182572.464193] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51190 WINDOW=14600 RES=0x00 ACK SYN URGP=0
[182573.466577] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=51190 WINDOW=14600 RES=0x00 ACK SYN URGP=0
[/code]
We can see that squid does respond to the SYN packets by sending SYN/ACKs back to the client on eth0, but apparently there is no response from the client, hence the SYN/ACK retransmissions.

Hypotheses:

  • the SYN/ACK packets sent by squid are blocked on the machine before being physically emitted on eth0 (but I do not see why/how); to be checked with a packet capture on eth0 right after GRE packets are received;
  • the packets are blocked on the network after leaving the machine (an L3 switch filtering on the source address?); this should be verifiable with a packet capture on the client machine;
  • the SYN/ACK packets are indeed received by the client, but the subsequent packets it sends are not redirected to the proxy by the router (but I do not see why).
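As an added example (not code from the thread), a small Python parser for the iptables LOG lines quoted above that classifies each client flow seen on gre0: redirected to squid (INPUT with DPT=3128), escaped the REDIRECT rule and forwarded back out (FORWARD gre0 to eth0, the FIN/RST case described earlier), or SYN/ACKs from squid that the client never answered. Chain names, field names and the "proxy"/"client" placeholders come from the log format above; the sample lines are a constructed subset of it.

```python
import re
from collections import Counter

# Constructed sample: a subset of the iptables LOG lines quoted above, with the
# "proxy"/"client" placeholders exactly as in the original post.
SAMPLE_LOG = """\
[182569.319293] PREROUTING IN=gre0 OUT= MAC= SRC=client DST=54.243.154.85 LEN=40 TTL=127 PROTO=TCP SPT=51110 DPT=80 RES=0x00 ACK FIN URGP=0
[182569.319306] FORWARD IN=gre0 OUT=eth0 MAC= SRC=client DST=54.243.154.85 LEN=40 TTL=126 PROTO=TCP SPT=51110 DPT=80 RES=0x00 ACK FIN URGP=0
[182570.575460] PREROUTING IN=gre0 OUT= MAC= SRC=client DST=212.71.234.61 LEN=52 TTL=127 PROTO=TCP SPT=51189 DPT=80 RES=0x00 SYN URGP=0
[182570.575477] INPUT IN=gre0 OUT= MAC= SRC=client DST=proxy LEN=52 TTL=127 PROTO=TCP SPT=51189 DPT=3128 RES=0x00 SYN URGP=0
[182570.575509] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TTL=64 PROTO=TCP SPT=3128 DPT=51189 RES=0x00 ACK SYN URGP=0
[182571.667400] OUTPUT IN= OUT=eth0 SRC=proxy DST=client LEN=52 TTL=64 PROTO=TCP SPT=3128 DPT=51189 RES=0x00 ACK SYN URGP=0
"""

LINE_RE = re.compile(r"\[\s*(?P<ts>[\d.]+)\]\s+(?P<chain>\w+)\s+(?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH"}

def parse_line(line):
    """One LOG line -> (timestamp, chain, key/value fields, set of TCP flags), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    flags = {tok for tok in m.group("rest").split() if tok in TCP_FLAGS}
    return float(m.group("ts")), m.group("chain"), fields, flags

def analyse(log_text):
    """Classify the client's TCP flows (keyed by client source port) seen on gre0."""
    redirected, escaped, synack, client_ack = set(), {}, Counter(), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[2].get("PROTO") != "TCP":
            continue                          # GRE outer packets and garbage are skipped
        _, chain, f, flags = parsed
        if chain == "INPUT" and f.get("IN") == "gre0" and f.get("DPT") == "3128":
            redirected.add(f["SPT"])          # the REDIRECT rule rewrote DPT 80 -> 3128
            if "ACK" in flags and "SYN" not in flags:
                client_ack.add(f["SPT"])      # client's handshake ACK did reach squid
        elif chain == "FORWARD" and f.get("IN") == "gre0":
            escaped[f["SPT"]] = flags         # not in conntrack: bypassed REDIRECT, routed back out
        elif chain == "OUTPUT" and f.get("SPT") == "3128" and flags >= {"SYN", "ACK"}:
            synack[f["DPT"]] += 1             # more than one per port = SYN/ACK retransmitted
    # SYN/ACKs for which no client ACK was ever logged on the tunnel
    unanswered = {port: n for port, n in synack.items() if port not in client_ack}
    return {"redirected": redirected, "escaped": escaped, "unanswered_synack": unanswered}
```

On the sample, flow 51189 is redirected but its two SYN/ACKs stay unanswered, and the FIN on flow 51110 is the packet that bypassed the redirect and was forwarded out eth0.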

Your first hypothesis seems to be the right one:

Indeed, here are comparative tcpdump captures on gre0 and eth0 at (almost) the same time:

gre0:

[code]
11:10:26.978320 IP 172.16.0.227.50487 > feijoa.canonical.com.http: Flags [S], seq 673563942, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:10:28.553978 IP 172.16.0.227.50488 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 3819183309, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:10:33.221630 IP 172.16.0.227.50489 > feijoa.canonical.com.http: Flags [S], seq 3128495348, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:10:34.281548 IP 172.16.0.227.50490 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1398699051, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:10:35.691469 IP 172.16.0.227.50484 > feijoa.canonical.com.http: Flags [R], seq 2445446324, win 0, length 0
11:10:37.245604 IP 172.16.0.227.50485 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 4104619716, win 0, length 0
11:10:46.192452 IP 172.16.0.227.50486 > wi-in-f113.1e100.net.http: Flags [R], seq 349911374, win 0, length 0
11:10:52.163280 IP 172.16.0.227.50491 > feijoa.canonical.com.http: Flags [S], seq 111295756, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:10:53.208427 IP 172.16.0.227.50492 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 2268426704, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:10:56.979575 IP 172.16.0.227.50487 > feijoa.canonical.com.http: Flags [R], seq 673563943, win 0, length 0
11:10:58.592426 IP 172.16.0.227.50488 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 3819183310, win 0, length 0
11:11:03.243874 IP 172.16.0.227.50489 > feijoa.canonical.com.http: Flags [R], seq 3128495349, win 0, length 0
11:11:04.299397 IP 172.16.0.227.50490 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 1398699052, win 0, length 0
11:11:06.342601 IP 172.16.0.227.50493 > feijoa.canonical.com.http: Flags [S], seq 3908403854, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:07.584705 IP 172.16.0.227.50494 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 80809319, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:15.100664 IP 172.16.0.227.50497 > ea-in-f94.1e100.net.http: Flags [S], seq 3270843124, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:22.177295 IP 172.16.0.227.50491 > feijoa.canonical.com.http: Flags [R], seq 111295757, win 0, length 0
11:11:23.219712 IP 172.16.0.227.50492 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 2268426705, win 0, length 0
11:11:25.274458 IP 172.16.0.227.50498 > feijoa.canonical.com.http: Flags [S], seq 2805931759, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:26.506218 IP 172.16.0.227.50499 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1876567457, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:36.348924 IP 172.16.0.227.50493 > feijoa.canonical.com.http: Flags [R], seq 3908403855, win 0, length 0
11:11:36.427886 IP 172.16.0.227.50502 > ea-in-f94.1e100.net.http: Flags [S], seq 3404560703, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:37.629938 IP 172.16.0.227.50494 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 80809320, win 0, length 0
11:11:44.749747 IP 172.16.0.227.50503 > ec2-107-22-217-161.compute-1.amazonaws.com.http: Flags [S], seq 238846686, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:45.104689 IP 172.16.0.227.50497 > ea-in-f94.1e100.net.http: Flags [R], seq 3270843125, win 0, length 0
11:11:55.276851 IP 172.16.0.227.50498 > feijoa.canonical.com.http: Flags [R], seq 2805931760, win 0, length 0
11:11:56.536864 IP 172.16.0.227.50499 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 1876567458, win 0, length 0
11:11:57.974773 IP 172.16.0.227.50504 > feijoa.canonical.com.http: Flags [S], seq 4144376567, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:11:59.095727 IP 172.16.0.227.50505 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 952750345, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:12:06.437157 IP 172.16.0.227.50502 > ea-in-f94.1e100.net.http: Flags [R], seq 3404560704, win 0, length 0
11:12:14.756184 IP 172.16.0.227.50503 > ec2-107-22-217-161.compute-1.amazonaws.com.http: Flags [R], seq 238846687, win 0, length 0
11:12:16.897049 IP 172.16.0.227.50506 > feijoa.canonical.com.http: Flags [S], seq 2030370736, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:12:18.013514 IP 172.16.0.227.50507 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [S], seq 976051597, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
11:12:27.993597 IP 172.16.0.227.50504 > feijoa.canonical.com.http: Flags [R], seq 4144376568, win 0, length 0
11:12:29.134078 IP 172.16.0.227.50505 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 952750346, win 0, length 0
[/code]

eth0:

[code]
11:13:23.765070 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2244552, win 15587, length 0
11:13:23.766257 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2244684, win 16425, length 0
11:13:23.766984 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [P.], seq 10625:10677, ack 2244684, win 16425, length 52
11:13:23.767063 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2244684:2244752, ack 10677, win 160, length 68
11:13:23.767109 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2244752:2245300, ack 10677, win 160, length 548
11:13:23.767508 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2245300, win 16271, length 0
11:13:23.791142 IP6 fe80::25fa:2bdc:aaca:ad55 > ff02::1:ff1d:7f56: ICMP6, neighbor solicitation, who has fe80::4444:9ed:111d:7f56, length 32
11:13:23.826329 ARP, Request who-has 192.168.36.2 tell 192.168.36.22, length 46
11:13:23.876272 IP6 fe80::8928:acfd:a45f:398a > ff02::1:ff1d:7f56: ICMP6, neighbor solicitation, who has fe80::4444:9ed:111d:7f56, length 32
11:13:23.900234 IP6 fe80::2450:d701:9f6c:462d.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
11:13:23.945485 IP anneoben-pc.diplocam.cm.58002 > 255.255.255.255.10019: UDP, length 128
11:13:23.964265 IP anneoben-pc.diplocam.cm.58003 > 255.255.255.255.10007: UDP, length 128
11:13:23.976683 ARP, Request who-has 192.168.36.2 tell 192.168.36.57, length 46
11:13:24.019650 IP server_dc02.diplocam.cm.domain > server-intra-01.diplocam.cm.48095: 63606 NXDomain 0/1/0 (160)
11:13:24.019822 IP server-intra-01.diplocam.cm.45318 > server_dc02.diplocam.cm.domain: 52891+ PTR? 6.5.f.7.d.1.1.1.d.e.9.0.4.4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
11:13:24.047736 IP d3-sec1-pc.diplocam.cm.netbios-ns > 172.16.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:13:24.227460 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2245300:2245736, ack 10677, win 160, length 436
11:13:24.227527 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2245736:2246044, ack 10677, win 160, length 308
11:13:24.227593 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2246044:2246592, ack 10677, win 160, length 548
11:13:24.227632 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2246592:2246996, ack 10677, win 160, length 404
11:13:24.227685 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2246996:2247272, ack 10677, win 160, length 276
11:13:24.227723 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2247272:2247612, ack 10677, win 160, length 340
11:13:24.227755 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2247612:2247904, ack 10677, win 160, length 292
11:13:24.227806 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2247904:2248212, ack 10677, win 160, length 308
11:13:24.227838 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [P.], seq 2248212:2248504, ack 10677, win 160, length 292
11:13:24.227895 IP server-intra-01.diplocam.cm.58979 > server_dc02.diplocam.cm.domain: 20576+ PTR? 22.36.168.192.in-addr.arpa. (44)
11:13:24.227928 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2246044, win 16085, length 0
11:13:24.228095 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2246996, win 16425, length 0
11:13:24.228135 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2247904, win 16198, length 0
11:13:24.228247 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2248504, win 16425, length 0
11:13:24.229296 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [P.], seq 10677:10729, ack 2248504, win 16425, length 52
11:13:24.229886 IP6 fe80::ef:e4cf:9599:83d9 > ff02::1:ff1d:7f56: ICMP6, neighbor solicitation, who has fe80::4444:9ed:111d:7f56, length 32
11:13:24.267474 IP server-intra-01.local.ssh > 172.16.0.227.49662: Flags [.], ack 10729, win 160, length 0
11:13:24.279748 IP6 fe80::2ce2:939f:a883:8f6 > ff02::1:ff1d:7f56: ICMP6, neighbor solicitation, who has fe80::4444:9ed:111d:7f56, length 32
11:13:24.345761 IP server_dc02.diplocam.cm.domain > server-intra-01.diplocam.cm.53370: 36506 NXDomain 0/1/0 (160)
11:13:24.345794 IP server-intra-01.diplocam.cm > server_dc02.diplocam.cm: ICMP server-intra-01.diplocam.cm udp port 53370 unreachable, length 196
11:13:24.359113 ARP, Request who-has 172.16.3.11 tell 172.16.1.42, length 46
...........
[/code]

It seems that no HTTP-related packet is emitted on eth0 at the same time.
The second one does not seem possible to me because no filter is applied on any L3 switch (since there is none!!!).

Let's be serious: there is a 3-minute gap between the two captures, how do you expect to correlate them? We do not even see any GRE traffic in the eth0 capture.

Minimum recommendations:

  • disable reverse name resolution (-n)
  • ignore SSH traffic (not port 22)
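To make the point about correlating captures concrete, here is an added Python helper (not from the thread) that reads two tcpdump text captures, reports the gap between their time windows, and keeps only the eth0 lines carrying GRE or HTTP/3128 traffic while dropping SSH noise, which is what running `tcpdump -ni eth0 not port 22` on both interfaces at the same time would give directly. The GREv0 marker and the port-name matching are assumptions about tcpdump's text output; the sample lines are a constructed excerpt of the two captures above.

```python
import re

# Constructed excerpts in the format of the two captures quoted above
# (gre0 first, eth0 second); timestamps are taken from the original post.
GRE0_CAPTURE = """\
11:10:26.978320 IP 172.16.0.227.50487 > feijoa.canonical.com.http: Flags [S], seq 673563942, win 8192, length 0
11:12:29.134078 IP 172.16.0.227.50505 > a172-228-182-151.deploy.static.akamaitechnologies.com.http: Flags [R], seq 952750346, win 0, length 0
"""
ETH0_CAPTURE = """\
11:13:23.765070 IP 172.16.0.227.49662 > server-intra-01.local.ssh: Flags [.], ack 2244552, win 15587, length 0
11:13:24.359113 ARP, Request who-has 172.16.3.11 tell 172.16.1.42, length 46
"""

TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) ")
# Traffic the WCCP debugging is about: GRE encapsulation ("GREv0" in tcpdump output,
# an assumption) and HTTP/squid ports. Service names appear because tcpdump ran
# without -n; numeric ports are accepted too so a capture taken with -n also works.
INTERESTING_RE = re.compile(r"\bGREv?\d*\b|\.(http|80|3128)[: ]")
SSH_RE = re.compile(r"\.(ssh|22)[: ]")

def ts_seconds(line):
    """Seconds since midnight for a tcpdump line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    h, mi, s = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s)

def capture_window(text):
    """(first, last) timestamp of a capture, in seconds since midnight."""
    times = [t for t in map(ts_seconds, text.splitlines()) if t is not None]
    return min(times), max(times)

def correlate(gre_text, eth_text):
    """Gap between the two capture windows (0.0 when they overlap) and the eth0
    lines that are actually relevant to the GRE/HTTP redirection problem."""
    g0, g1 = capture_window(gre_text)
    e0, e1 = capture_window(eth_text)
    gap = max(g0 - e1, e0 - g1, 0.0)      # positive only when the windows are disjoint
    relevant = [l for l in eth_text.splitlines()
                if INTERESTING_RE.search(l) and not SSH_RE.search(l)]
    return {"gap_seconds": gap, "relevant_on_eth0": relevant}
```

On the sample the eth0 window starts about 55 seconds after the gre0 window ends, so nothing in it can be matched against the gre0 SYNs, and it contains no GRE or HTTP line at all.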