Dear all, This isn't entirely a squid question but more like a "transparent proxying" question (which I'm hoping you guys will be able to help me with)...
As I started playing around with transparent SSL proxying, I learned that Chrome uses an alternate communication (UDP based) protocol called QUIC. When the browser uses that protocol, Squid obviously isn't used as a proxy, so I'm trying to block QUIC traffic to force the browsers to fall back to HTTP/HTTPS.

At first, I found out that QUIC communicates over UDP 443 but, since blocking traffic from going out on that port didn't seem to work, I decided to use TCPView <https://technet.microsoft.com/en-us/sysinternals/bb897437.aspx> (on the client computer) and look at tcpdump to try and figure out what other ports it uses... After looking at TCPView, I was able to see traffic going out on:

  tcp 80
  tcp 443
  tcp 5228
  udp 80
  udp 443
  udp 5353

...so I tried to block traffic going out on those ports:

root@appliance:~# cat /etc/iptables/rules.v4 | grep -i forward
:FORWARD DROP [41:4010]
-A FORWARD -i br0 -p tcp -m tcp --dport 5228 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 5353 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable

root@appliance:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5228 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:mdns reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:https reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@appliance:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 6182 packets, 2536K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1343 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
   18   912 REJECT     tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5228 reject-with icmp-port-unreachable
  100 30714 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 reject-with icmp-port-unreachable
   73 87052 REJECT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 6913 packets, 2386K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@appliance:~#

The problem is that, although the rules seem to be triggered successfully, the only way I can successfully BLOCK QUIC traffic and make the browser fall back to HTTP/HTTPS is by setting a default FORWARD policy to DROP:

*iptables -P FORWARD DROP*

What I conclude from this is that there MUST be some more FORWARD traffic being originated at Chrome that I have no idea how to catch and filter.

So my question is: *how can I completely block QUIC so I can guarantee my traffic will always be redirected to Squid?*

Thanks in advance,
Luis
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
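An added example, not part of Luis's post and not Squid's own configuration: a POSIX shell script that emits an iptables-restore fragment dropping QUIC (UDP/443 and the older UDP/80) on the forward path regardless of input interface, rate-limit-logs every other forwarded UDP flow so that whatever the blanket FORWARD DROP was catching becomes visible, and a helper that summarises those kernel log lines by destination and port. The LAN prefix, the log prefix, the rate limit and the sample log lines are assumptions constructed for the example; the addresses in the sample are documentation ranges, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post or from Squid).
# Generates an iptables-restore fragment that drops QUIC on the forward path and
# logs any other forwarded UDP so leftover flows can be identified, plus a helper
# that summarises those log lines. Assumptions: the LAN prefix below is a
# placeholder; the log prefix and rate limit are arbitrary choices.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN prefix behind the bridge

quic_block_rules() {
    # Emit rules in iptables-restore syntax. Matching on destination port only
    # (no -i) means the rule fires whatever interface the client came in on.
    # DROP rather than REJECT: answering a QUIC Initial with ICMP gains nothing,
    # and the browser falls back to TCP when the UDP attempt gets no answer.
    # DNS and NTP are returned to the FORWARD chain; all other UDP is logged
    # (rate-limited) and then dropped, so nothing bypasses the proxy silently.
    cat <<EOF
*filter
:QUIC_BLOCK - [0:0]
-A QUIC_BLOCK -p udp --dport 443 -j DROP
-A QUIC_BLOCK -p udp --dport 80 -j DROP
-A QUIC_BLOCK -p udp --dport 53 -j RETURN
-A QUIC_BLOCK -p udp --dport 123 -j RETURN
-A QUIC_BLOCK -p udp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FWD-UDP-UNKNOWN: "
-A QUIC_BLOCK -p udp -j DROP
-I FORWARD 1 -s ${LAN_NET} -p udp -j QUIC_BLOCK
COMMIT
EOF
}

# Constructed sample kernel log lines in the format the LOG target produces
# (documentation addresses; not real captures).
SAMPLE_LOG='Jan  1 10:00:01 appliance kernel: FWD-UDP-UNKNOWN: IN=br0 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=4711 PROTO=UDP SPT=51234 DPT=19302 LEN=1358
Jan  1 10:00:02 appliance kernel: FWD-UDP-UNKNOWN: IN=br0 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=4712 PROTO=UDP SPT=51234 DPT=19302 LEN=1358
Jan  1 10:00:05 appliance kernel: FWD-UDP-UNKNOWN: IN=br0 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.9 LEN=120 TOS=0x00 PREC=0x00 TTL=63 ID=4713 PROTO=UDP SPT=40000 DPT=3478 LEN=100'

summarize_unknown_udp() {
    # Read kernel log lines on stdin; print "count DST:DPT", busiest first.
    grep 'FWD-UDP-UNKNOWN:' | awk '
        { dst = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^DST=/) dst = substr($i, 5)
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (dst != "" && dpt != "") count[dst ":" dpt]++ }
        END { for (k in count) print count[k], k }' | sort -rn
}

case "${1:-}" in
    --apply)   quic_block_rules | iptables-restore -n ;;   # needs root; -n keeps existing rules
    --summary) summarize_unknown_udp ;;                    # e.g. journalctl -k | ./quic_block.sh --summary
    --demo)    printf '%s\n' "$SAMPLE_LOG" | summarize_unknown_udp ;;
    *)         quic_block_rules ;;                         # default: print the fragment for review
esac
```

Run it without arguments to review the fragment, with --apply to load it on top of the existing rules, and feed the kernel log through --summary once clients have browsed for a while; the "count DST:DPT" lines show exactly which UDP destinations were still being forwarded. Counters on the QUIC_BLOCK chain (iptables -L QUIC_BLOCK -n -v -x) confirm the 443 drops are being hit. On managed Windows clients, Chrome's QuicAllowed enterprise policy (a DWORD of 0 under HKLM\Software\Policies\Google\Chrome) disables QUIC in the browser itself, which is a useful second layer when the firewall cannot see every path out.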