I found today that I have an open proxy (squid on Debian). I fixed the firewall rule, and now I don't. But someone is still using this proxy - it looks like it is proxying from inside my machine. I'm trying to find which process is using my proxy.

I have Debian with lxc containers. squid is in one container (172.16.0.2), and I think that the process which is using my squid is on the host machine:

1520955127.112     43 172.16.0.1 TCP_MISS/200 585 GET http://766dsw.top/ - HIER_DIRECT/54.36.219.10 text/html

How do I find the process? (Maybe it isn't from inside?) I ran iptables -j LOG and got this:

Mar 13 18:14:56 zenon kernel: FORWARD  IN=enp2s0 OUT=lxcbr0 MAC=00:19:b9:1c:83:c4:00:1d:aa:cf:bd:a0:08:00 SRC=101.254.225.243 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=14541 DF PROTO=TCP SPT=49875 DPT=8080 WINDOW=256 RES=0x00 ACK URGP=0

but I removed every PREROUTING rule about port 8080 and address 172.16.0.2 from the firewall... and of course iptables -A FORWARD -P DROP

and somehow it still passes....

1 Answer

Finally found the problem - of course it was the firewall.

I used the droplist from this tutorial and put the rule iptables -I FORWARD -j droplist somewhere in the middle of the rules. But this rule has to be the first rule:

#!/bin/bash
# Rebuild the filter rules and load a blocklist chain that is evaluated first.
_input="/root/blocked.ip.db"
IPT=/sbin/iptables

# Flush the filter and nat tables, then default every built-in chain to DROP
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Recreate the droplist chain from scratch (-X fails harmlessly if it does not exist yet)
$IPT -X droplist 2>/dev/null
$IPT -N droplist
# Skip comment and blank lines in the blocklist file; one address or CIDR per line
grep -Ev "^#|^$" "$_input" | while IFS= read -r ip
do
    $IPT -A droplist -i eth1 -s "$ip" -j LOG --log-prefix "IP BlockList "
    $IPT -A droplist -i eth1 -s "$ip" -j DROP
done


# Drop it: -I with no rule number inserts at position 1, so the blocklist
# is consulted before any ACCEPT rule that is added afterwards
$IPT -I INPUT -j droplist
$IPT -I OUTPUT -j droplist
$IPT -I FORWARD -j droplist


and the rest of the rules
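An added check (not from the question or the answer) that reads `iptables -S <chain>` output and confirms the droplist jump really is rule 1, listing the rules that would be consulted before it when it is not. The two dumps are constructed to mirror the answer's situation; the lxcbr0/enp2s0 interface names come from the question's log line, the other rules are assumed.

```shell
# Added example, not code from the original post. Works on the text format of
# `iptables -S <chain>`; the two dumps below are constructed, not taken from the page.

# Constructed: droplist inserted "somewhere in the middle". The two ACCEPT rules
# above it are evaluated first, so a blocklisted source still reaches 172.16.0.2:8080.
BAD_FORWARD='-P FORWARD DROP
-A FORWARD -i lxcbr0 -o enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o lxcbr0 -d 172.16.0.2 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j droplist
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed: the fix from the answer, droplist jump inserted at position 1.
GOOD_FORWARD='-P FORWARD DROP
-A FORWARD -j droplist
-A FORWARD -i lxcbr0 -o enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o lxcbr0 -d 172.16.0.2 -p tcp -m tcp --dport 8080 -j ACCEPT'

# droplist_position CHAIN DUMP: print the 1-based position of the "-j droplist"
# rule among the -A lines of CHAIN (the -P policy line is not a rule), or 0 if absent.
droplist_position() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain { n++ }
        $1 == "-A" && $2 == chain && $(NF-1) == "-j" && $NF == "droplist" { print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# rules_before_droplist CHAIN DUMP: print every rule consulted before the droplist
# jump; any ACCEPT among them lets a listed source bypass the blocklist entirely.
rules_before_droplist() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $(NF-1) == "-j" && $NF == "droplist" { exit }
        $1 == "-A" && $2 == chain { print }'
}

# check_droplist_first CHAIN DUMP: succeed only when the jump is rule 1.
check_droplist_first() {
    pos=$(droplist_position "$1" "$2")
    if [ "$pos" = 1 ]; then
        echo "$1: droplist is rule 1, the blocklist is checked before anything else"
        return 0
    fi
    echo "$1: droplist is at position $pos; rules evaluated before it:"
    rules_before_droplist "$1" "$2"
    return 1
}

# Demo on the constructed dump; on a live host pass "$(iptables -S FORWARD)" instead.
check_droplist_first FORWARD "$GOOD_FORWARD"
```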