Hi,

I am trying to set up routing with shorewall using the netfilter patch-o-matic stuff. I have patched in the route items and recompiled the kernel and reinstalled the patched versions of iptables, but when I do a shorewall show capabilities it still says ROUTE target not available. Anyone know what I am missing?

Here is what shorewall capabilities shows:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Not available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Available
   CONNMARK Target: Available
   Connmark Match: Available

Thanks in advance.

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Jon Scottorn wrote:
> HI,
>
> I am trying to setup routing with shorewall using the netfilter
> patch-o-matic stuff. I have patched in the route items and recompiled
> the kernel and reinstalled the patched versions of iptables but when I
> do a shorewall show capabilities it still says ROUTE target not
> available.

You should be aware that:

a) The ROUTE support in Shorewall 2.4 is wrong.
b) It has been removed in Shorewall 2.5 and will not be available in Shorewall 3.0 (the next major release).

> Anyone know what I am missing?

You most likely don't have ROUTE support in your iptables or you installed a new iptables binary with ROUTE support in /usr/local/sbin but are still running the old one in /sbin.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Well, that is good to know that it won't be supported. If that is the case, then what steps would I go about to accomplish routing? I have tried following the route setup and that is not working, and I have also tried the provider setup which is also not working.

What I want to do is set up shorewall so that anything coming in from a certain ip address on port 80 gets sent to another ip on the lan for transparent http proxy (squid). What would be the easiest way to accomplish that?

Thanks,
Jon

Tom Eastep wrote:
> Jon Scottorn wrote:
>> HI,
>>
>> I am trying to setup routing with shorewall using the netfilter
>> patch-o-matic stuff. I have patched in the route items and recompiled
>> the kernel and reinstalled the patched versions of iptables but when I
>> do a shorewall show capabilities it still says ROUTE target not
>> available.
>
> You should be aware that:
>
> a) The ROUTE support in Shorewall 2.4 is wrong.
> b) It has been removed in Shorewall 2.5 and will not be available in
> Shorewall 3.0 (the next major release).
>
>> Anyone know what I am missing?
>
> You most likely don't have ROUTE support in your iptables or you
> installed a new iptables binary with ROUTE support in /usr/local/sbin
> but are still running the old one in /sbin.
>
> -Tom

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> Well, that is good to know that it won't be supported. If that is the
> case than what steps would I go about to accomplish routing. I have
> tried following the route setup and that is not working and I have also
> tried the provider setup which is also not working.
> What I want to do is setup shorewall so that anything coming in from a
> certain ip address on port 80 gets sent to another ip on the lan for
> transparent http proxy(squid). What would be the easiest way to
> accomplish that.

See http://www.shorewall.net/Shorewall_Squid_Usage.html

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jon Scottorn wrote:
> Well, that is good to know that it won't be supported. If that is the
> case than what steps would I go about to accomplish routing. I have
> tried following the route setup and that is not working and I have also
> tried the provider setup which is also not working.

Sorry -- should have read your post more closely before sending my first response. The technique using the providers file *does work*; I use it myself. So you are going to need to troubleshoot that setup and find out where it's gone wrong.

One possible cause is that your kernel is detecting responses from the proxy as martians. You can see if that is the case by setting the 'logmartians' option on the interface that connects to your proxy server.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Well, I have gone back to using the providers way following this link:
http://www.shorewall.net/Shorewall_Squid_Usage.html#Local

After inputting all of the changes and restarting shorewall, it appears to load, meaning no errors, but I can only access the fw from its console. I can not ssh to the firewall nor can I access the internet in any way.

My lan is on eth0.

Here is what is in my providers file:

Squid 1 202 - eth0 192.168.30.14 track

Here is what I put for the start file:

/sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.168.30.3 -p tcp --dport 80 -j MARK --set-mark 202

The firewall is 192.168.30.1. I want only http traffic coming from 192.168.30.3 to be redirected to my squid proxy 192.168.30.14.

Any help would be greatly appreciated.

Thanks,
Jon

Tom Eastep wrote:
> Jon Scottorn wrote:
>> Well, that is good to know that it won't be supported. If that is the
>> case than what steps would I go about to accomplish routing. I have
>> tried following the route setup and that is not working and I have also
>> tried the provider setup which is also not working.
>
> Sorry -- should have read your post more closely before sending my first
> response. The technique using the providers file *does work*; I use it
> myself. So you are going to need to troubleshoot that setup and find out
> where it's gone wrong.
>
> One possible cause is that your kernel is detecting responses from the
> proxy as martians. You can see if that is the case by setting the
> 'logmartians' option on the interface that connects to your proxy server.
>
> -Tom

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> Well, I have gone back to using the providers way following this link
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Local
> After inputing all of the changes and restart shorewall. I appears to
> load meaning not errors but I can only access the fw from it's console.
> I can not ssh to the firewall nor can I access the internet in any way.
> My lan is on eth0
> Here is what is in my providers file
> Squid 1 202 - eth0 192.168.30.14 track

You must not use the 'track' option for this type of provider.

> Here is what I put for the start file
> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.168.30.3 -p tcp
> --dport 80 -j MARK --set-mark 202

Why are you doing that rather than using the tcrules file?

> The firewall is 192.168.30.1
> I want only http traffice coming from 192.168.30.3 to be redirected to
> my squid proxy 192.168.30.14.
> Any help would be greatly appreciated.

Please ditch the 'track' option and try again. If that doesn't work then please follow the instructions at http://www.shorewall.net/support.htm and we'll try to help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jon Scottorn wrote:
>> Here is what I put for the start file
>> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.168.30.3 -p tcp
>> --dport 80 -j MARK --set-mark 202
>
> Why are you doing that rather than using the tcrules file?

Duh -- I guess you did it because my instructions tell you to. Sorry...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Ok, well I removed the track and that still didn't fix it.

A little more detail. With those rules in place, I can not access anything that is on the eth0 card. I can still access items on my other eth cards and they can access the fw and even the internet. When I do shorewall show shorewall it shows that it is up and running just fine.

What would my setup be to do it through tcrules? Yes, I set it up through the start file because that is what was on the site.

Any other thoughts?

Thanks,
Jon

Tom Eastep wrote:
> Tom Eastep wrote:
>> Jon Scottorn wrote:
>>> Here is what I put for the start file
>>> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.168.30.3 -p tcp
>>> --dport 80 -j MARK --set-mark 202
>>
>> Why are you doing that rather than using the tcrules file?
>
> Duh -- I guess you did it because my instructions tell you to. Sorry...
>
> -Tom

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> Ok, well I removed the track and that still didn't fix it.

The 'track' option has left your conntrack table hopelessly fouled. You may need to reboot to clear it (you can try removing modules until you can remove ip_conntrack but rebooting is usually faster).

> With those rules in place, I can not access anything that is on the eth0
> card. I can still access items on my other eth cards and they can
> access the fw and even the internet.
> When I do shorewall show shorewall It shows that it is up and running
> just fine.
>
> What would my setup be to do it though tcrules? Yes I set it up through
> the start file because that is what was on the site.
>
> Any other thoughts?

I'll tell you only one more time -- please follow the instructions at http://www.shorewall.net/support.htm. I don't have a crystal ball that I can magically use to look at your system and tell you what is wrong.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I rebooted the machine and still no access, only on eth0.

Here is what shorewall show status shows:

Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005

Counters reset Wed Sep 7 16:36:54 MDT 2005

iptables: No chain/table/match by that name

I think that is what you are looking for from http://www.shorewall.net/support.htm.

Thanks,
Jon

Tom Eastep wrote:
> Jon Scottorn wrote:
>> Ok, well I removed the track and that still didn't fix it.
>
> The 'track' option has left your conntrack table hopelessly fouled. You
> may need to reboot to clear it (you can try removing modules until you
> can remove ip_conntrack but rebooting is usually faster).
>
>> With those rules in place, I can not access anything that is on the eth0
>> card. I can still access items on my other eth cards and they can
>> access the fw and even the internet.
>> When I do shorewall show shorewall It shows that it is up and running
>> just fine.
>>
>> What would my setup be to do it though tcrules? Yes I set it up through
>> the start file because that is what was on the site.
>>
>> Any other thoughts?
>
> I'll tell you only one more time -- please follow the instructions at
> http://www.shorewall.net/support.htm. I don't have a crystal ball that I
> can magically use to look at your system and tell you what is wrong.
>
> -Tom

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> I rebooted the machine and still no access only on eth0
>
> here is what shorewall show status shows:
>
> Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005
>
> Counters reset Wed Sep 7 16:36:54 MDT 2005
>
> iptables: No chain/table/match by that name
>
> I think that is what you are looking for from
> http://www.shorewall.net/support.htm.

From www.shorewall.net/support.htm:
-----------------------------------------------------------------------
If Shorewall is starting successfully and your problem is that some set of connections to/from or through your firewall isn't working (examples: local systems can't access the internet, you can't send email through the firewall, you can't surf the web from the firewall, etc.) then please perform the following four steps:

 1. If Shorewall isn't started then /sbin/shorewall start. Otherwise /sbin/shorewall reset.
 2. Try making the connection that is failing.

>>>>>>>>>>>>>>>> L O O K   A T   T H E   N E X T   L I N E <<<<<<<<<<<

 3. /sbin/shorewall status > /tmp/status.txt
 4. Post the /tmp/status.txt file as an attachment (you may compress it if you like).
 5. Describe where you are trying to make the connection from (IP address) and what host (IP address) you are trying to connect to.
 6. Please do not edit the diagnostic information in an attempt to conceal your IP address, netmask, nameserver addresses, domain name, etc. These aren't secrets, and concealing them often misleads us and may prevent your problem from being looked at all together.
------------------------------------------------------------------------

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005

Counters reset Wed Sep 7 16:36:54 MDT 2005

iptables: No chain/table/match by that name
______________________________________________

That is all that shows up doing a shorewall show status.

Tom Eastep wrote:
> Jon Scottorn wrote:
>> I rebooted the machine and still no access only on eth0
>>
>> here is what shorewall show status shows:
>>
>> Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005
>>
>> Counters reset Wed Sep 7 16:36:54 MDT 2005
>>
>> iptables: No chain/table/match by that name
>>
>> I think that is what you are looking for from
>> http://www.shorewall.net/support.htm.
>
> From www.shorewall.net/support.htm:
> -----------------------------------------------------------------------
> If Shorewall is starting successfully and your problem is that some set
> of connections to/from or through your firewall isn't working (examples:
> local systems can't access the internet, you can't send email through
> the firewall, you can't surf the web from the firewall, etc.) then
> please perform the following four steps:
>
>  1. If Shorewall isn't started then /sbin/shorewall start. Otherwise
> /sbin/shorewall reset.
>  2. Try making the connection that is failing.
>
> >>>>>>>>>>>>>>>> L O O K   A T   T H E   N E X T   L I N E <<<<<<<<<<<
>
>  3. /sbin/shorewall status > /tmp/status.txt
>  4. Post the /tmp/status.txt file as an attachment (you may compress
> it if you like).
>  5. Describe where you are trying to make the connection from (IP
> address) and what host (IP address) you are trying to connect to.
>  6. Please do not edit the diagnostic information in an attempt to
> conceal your IP address, netmask, nameserver addresses, domain name,
> etc. These aren't secrets, and concealing them often misleads us and may
> prevent your problem from being looked at all together.
> ------------------------------------------------------------------------
>
> -Tom

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
----- Original Message -----
From: "Jon Scottorn" <jscottorn@possibilityforge.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, September 07, 2005 18:07
Subject: Re: [Shorewall-users] Shorewall routing problems

> Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005
>
> Counters reset Wed Sep 7 16:36:54 MDT 2005
>
> iptables: No chain/table/match by that name
> ______________________________________________
> That is all that shows up doing a shorewall show status

shorewall is not started.... start it with /sbin/shorewall start
Then test a connection, after that capture the status.

Jerry
Jon Scottorn wrote:
> Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005
>
> Counters reset Wed Sep 7 16:36:54 MDT 2005
>
> iptables: No chain/table/match by that name
> ______________________________________________
> That is all that shows up doing a shorewall show status

Is your kernel supporting iptables? Is the iptables package installed correctly? I'm asking this because shorewall status should give more than that...

Regards
Jan

P.S.: Please stop top posting. Thanks.

-- 
OpenPGP Public-Key Fingerprint: 0E9B 4052 C661 5018 93C3 4E46 651A 7A28 4028 FF7A
Jerry Vonau wrote:
> ----- Original Message -----
> From: "Jon Scottorn" <jscottorn@possibilityforge.com>
> To: <shorewall-users@lists.sourceforge.net>
> Sent: Wednesday, September 07, 2005 18:07
> Subject: Re: [Shorewall-users] Shorewall routing problems
>
>> Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005
------------
>>
>> Counters reset Wed Sep 7 16:36:54 MDT 2005
>>
>> iptables: No chain/table/match by that name
>> ______________________________________________
>> That is all that shows up doing a shorewall show status
>
> shorewall is not started.... start it with /sbin/shorewall start
> Then test a connection, after that capture the status.

The guy persists in typing "shorewall show status" rather than "shorewall status" -- he can't even get the command right.

I give up.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jerry Vonau wrote:
>> ----- Original Message -----
>> From: "Jon Scottorn" <jscottorn@possibilityforge.com>
>> To: <shorewall-users@lists.sourceforge.net>
>> Sent: Wednesday, September 07, 2005 18:07
>> Subject: Re: [Shorewall-users] Shorewall routing problems
>>
>>> Shorewall-2.4.3 Chain status at worf - Wed Sep 7 16:39:40 MDT 2005
> ------------
>>>
>>> Counters reset Wed Sep 7 16:36:54 MDT 2005
>>>
>>> iptables: No chain/table/match by that name
>>> ______________________________________________
>>> That is all that shows up doing a shorewall show status
>>
>> shorewall is not started.... start it with /sbin/shorewall start
>> Then test a connection, after that capture the status.
>
> The guy persists in typing "shorewall show status" rather than
> "shorewall status" -- he can't even get the command right.
>
> I give up.
>
> -Tom

I know I got the command wrong, please forgive me. I am kinda new to shorewall so I don't know all the commands yet. My previous response had the status.txt attached with it.

Again, sorry for my mess up.

Thanks,
Jon

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> I know I got the command wrong, please forgive me. I am kinda new to
> shorewall so I don't know all the commands yet. My previous response
> had the status.txt attached with it.
> Again, sorry for my mess up.

There was no attachment (or if there was, the list server stripped it).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jon Scottorn wrote:
>> I know I got the command wrong, please forgive me. I am kinda new to
>> shorewall so I don't know all the commands yet. My previous response
>> had the status.txt attached with it.
>> Again, sorry for my mess up.
>
> There was no attachment (or if there was, the list server stripped it).
>
> -Tom

Hrm, weird, it was only 80k but I have compressed it now and it is now 7.3k. Let me try that.

Thanks,
Jon

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> Hrm, weird, it was only 80k but I have compressed it now and it is now 7.3k
> Let me try that.

Please:

/sbin/shorewall trace restart 2> /tmp/trace

and send me the /tmp/trace file (send it to me personally).

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 7 Sep 2005, Jon Scottorn wrote:
> I rebooted the machine and still no access only on eth0
>
> here is what shorewall show status shows:

I think that command should be just

shorewall status
Jon Scottorn wrote:
> Hrm, weird, it was only 80k but I have compressed it now and it is now 7.3k
> Let me try that.

I see one thing wrong -- I need to update the docs to reflect that the 'loose' option needs to be specified for your Squid provider. Not sure if that is causing all of your problems but it is definitely a problem. Please let me know.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jon Scottorn wrote:
>> Hrm, weird, it was only 80k but I have compressed it now and it is now 7.3k
>> Let me try that.
>
> I see one thing wrong -- I need to update the docs to reflect that the
> 'loose' option needs to be specified for your Squid provider. Not sure
> if that is causing all of your problems but it is definitely a problem.
> Please let me know.
>
> Thanks,
> -Tom

If you would be so kind, what would the setup look like to set this up through the tcrules file rather than the iptables command that is in the start file? Earlier you mentioned that it would be better to control it through that file.

Thanks for the help Tom,
Jon

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> If you would be so kind what would the setup look like to set this up
> through the tcrules file rather than the iptables command that is in the
> start file?
> Earlier you mentioned that it would be better to control it through that
> file.

#MARK    SOURCE          DEST            PROTO   PORT(S)
202:P    192.168.3.0     0.0.0.0/0       tcp     80

Be sure to set TC_ENABLED=Yes in shorewall.conf.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
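What a providers entry plus a tcrules MARK entry actually turn into on the box is three pieces of plain iproute2/iptables state: a MARK rule in mangle/PREROUTING, a routing table whose only route points at the proxy, and an ip rule that sends marked packets to that table. The script below is an added example, not Shorewall's own code and not anything from this thread beyond the addresses and numbers Jon posted; it renders those commands as a dry run by default so the mechanism can be read and checked with `ip rule show` and `ip route show table 202` before anything is applied. The function names, the DRY_RUN switch and the rule preference value are this example's own choices.

```shell
#!/bin/sh
# Added example (not Shorewall's code): the iproute2/iptables commands that
# the providers entry "Squid 1 202 - eth0 192.168.30.14" and the tcrules
# entry "202:P <client> 0.0.0.0/0 tcp 80" from this thread amount to.
# Dry run by default; DRY_RUN=0 executes the commands (needs root).

PROVIDER_TABLE=202          # NUMBER column of the providers entry
PROVIDER_IFACE=eth0         # INTERFACE column: the LAN the proxy sits on
PROVIDER_GW=192.168.30.14   # GATEWAY column: the Squid box
MARK=202                    # MARK column; the tcrules entry sets this fwmark
CLIENT=192.168.30.3         # only this host's port-80 traffic is diverted
RULE_PREF=1000              # ip rule preference (this example's choice)
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The MARK rule is exactly the iptables command Jon put in the start file;
# it is what the tcrules entry compiles to. Table 202 has the proxy as its
# default route, and the fwmark rule steers marked packets into that table.
apply_provider() {
    run iptables -t mangle -A PREROUTING -i "$PROVIDER_IFACE" -s "$CLIENT" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip route add default via "$PROVIDER_GW" dev "$PROVIDER_IFACE" \
        table "$PROVIDER_TABLE"
    run ip rule add fwmark "$MARK" table "$PROVIDER_TABLE" pref "$RULE_PREF"
    run ip route flush cache
}

# Undo in reverse order; useful while iterating on a broken setup.
remove_provider() {
    run ip rule del fwmark "$MARK" table "$PROVIDER_TABLE" pref "$RULE_PREF"
    run ip route flush table "$PROVIDER_TABLE"
    run iptables -t mangle -D PREROUTING -i "$PROVIDER_IFACE" -s "$CLIENT" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip route flush cache
}

# What to look at after the restart: the fwmark rule must be listed, table
# 202 must hold the proxy as default route, and the MARK rule's packet
# counter must increase when the client opens a web page.
inspect_provider() {
    run ip rule show
    run ip route show table "$PROVIDER_TABLE"
    run iptables -t mangle -L PREROUTING -n -v
}

# Two providers-file options that came up in the thread, described rather
# than rendered:
#   track - makes Shorewall remember which provider a connection arrived
#           over so replies go back out the same way; that is meant for an
#           upstream link, and the thread says not to use it for a proxy.
#   loose - suppresses the per-address "ip rule from <addr>" entries that
#           Shorewall otherwise adds for the interface; the thread says this
#           Squid provider needs it.

apply_provider
```

Run it as-is to see the commands; `DRY_RUN=0 sh script.sh` applies them, and `inspect_provider` prints the three views worth comparing against what `shorewall status` reports.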
Tom Eastep wrote:
> Jon Scottorn wrote:
>> If you would be so kind what would the setup look like to set this up
>> through the tcrules file rather than the iptables command that is in the
>> start file?
>> Earlier you mentioned that it would be better to control it through that
>> file.
>
> #MARK    SOURCE          DEST            PROTO   PORT(S)
> 202:P    192.168.3.0     0.0.0.0/0       tcp     80
>
> Be sure to set TC_ENABLED=Yes in shorewall.conf.
>
> -Tom

Alright, awesome, I got a little further this time. With that option in the providers and with tcrules set, I can at least get all other traffic to pass through except port 80 now. I am sniffing the nic on my squid box and no traffic is being sent to it. I can ssh and anything else out, but when I try to access a website it times out.

Should I send you a trace now or shorewall status?

Thanks
Jon

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> Should I send you a trace now or shorewall status?

shorewall status

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jon Scottorn wrote:
>> Should I send you a trace now or shorewall status?
>
> shorewall status
>
> -Tom

Here it is.

Thanks

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
Jon Scottorn wrote:
> Here it is

Jon,

I don't see anything wrong here --

On the firewall:

  tcpdump -ni eth0 host 209.33.206.3

On 209.33.206.3:

  Start a new browser process and try to access a web site.

What does the tcpdump show?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jon Scottorn wrote:
>> Here it is
>
> Jon,
>
> I don't see anything wrong here --
>
> On the firewall:
>
>   tcpdump -ni eth0 host 209.33.206.3
>
> On 209.33.206.3:
>
>   Start a new browser process and try to access a web site.
>
> What does the tcpdump show?
>
> -Tom

Here is what showed up. I had to try it from a different ip, 209.33.206.17

tcpdump: listening on eth0
13:01:23.425209 209.33.206.17.4818 > 66.102.7.147.80: S 2347633713:2347633713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:23.443644 209.33.206.17.4818 > 66.102.7.147.80: S 2347633713:2347633713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:26.441517 209.33.206.17.4818 > 66.102.7.147.80: S 2347633713:2347633713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:26.441551 209.33.206.1 > 209.33.206.17: icmp: redirect 66.102.7.147 to host 209.33.206.14 [tos 0xc0]
13:01:26.441585 209.33.206.17.4818 > 66.102.7.147.80: S 2347633713:2347633713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:40.742952 209.33.206.17.138 > 209.33.206.255.138: NBT UDP PACKET(138)
13:01:44.447238 209.33.206.17.4819 > 66.102.7.99.80: S 4155076277:4155076277(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:44.447328 209.33.206.17.4819 > 66.102.7.99.80: S 4155076277:4155076277(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:47.463923 209.33.206.17.4819 > 66.102.7.99.80: S 4155076277:4155076277(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:47.463964 209.33.206.1 > 209.33.206.17: icmp: redirect 66.102.7.99 to host 209.33.206.14 [tos 0xc0]
13:01:47.463998 209.33.206.17.4819 > 66.102.7.99.80: S 4155076277:4155076277(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:52.460846 arp who-has 209.33.206.17 tell 209.33.206.1
13:01:52.460993 arp reply 209.33.206.17 is-at 0:a0:d1:b9:10:5

-- 
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
From a cli what does "cat /proc/sys/net/ipv4/conf/eth0/send_redirects" return? If it comes back "1" then try this:

    echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

and retest please.

Jerry

----- Original Message -----
From: "Jon Scottorn" <jscottorn@possibilityforge.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Thursday, September 08, 2005 14:04
Subject: Re: [Shorewall-users] Shorewall routing problems

> Here is what showed up. I had to try it from a different ip, 209.33.206.17
Tom Eastep wrote:
> What does the tcpdump show?

Here is a bit more info. If I do a tcpdump on the firewall as well as the squid server here are the results.

Firewall:

15:14:32.149140 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
15:14:32.151912 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
15:14:35.017875 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
15:14:35.017915 209.33.206.1 > 209.33.206.17: icmp: redirect 66.102.7.104 to host 209.33.206.14 [tos 0xc0]
15:14:35.017949 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
15:14:40.015995 arp who-has 209.33.206.17 tell 209.33.206.1
15:14:40.016127 arp reply 209.33.206.17 is-at 0:a0:d1:b9:10:5
15:14:41.052854 arp who-has 209.33.206.14 tell 209.33.206.17

Here is what is on the proxy server:

15:09:09.058963 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:11.924575 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:17.958543 arp who-has 209.33.206.14 tell 209.33.206.17
15:09:17.958603 arp reply 209.33.206.14 is-at 00:0f:b5:42:b2:29
15:09:17.958687 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:29.927069 IP 209.33.206.17.1054 > 66.102.7.147.80: S 2591640921:2591640921(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:32.943224 IP 209.33.206.17.1054 > 66.102.7.147.80: S 2591640921:2591640921(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:38.977175 IP 209.33.206.17.1054 > 66.102.7.147.80: S 2591640921:2591640921(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:50.945745 IP 209.33.206.17.1056 > 66.102.7.99.80: S 2256576143:2256576143(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:53.961888 IP 209.33.206.17.1056 > 66.102.7.99.80: S 2256576143:2256576143(0) win 65535 <mss 1460,nop,nop,sackOK>

Here is what it looks like when I put in the proxy server in my browser settings:

15:11:02.421652 IP 209.33.206.17.1058 > 209.33.206.14.80: . ack 1 win 65535
15:11:02.479032 IP 209.33.206.17.1058 > 209.33.206.14.80: P 1:512(511) ack 1 win 65535
15:11:02.479085 IP 209.33.206.14.80 > 209.33.206.17.1058: . ack 512 win 6432
15:11:02.607841 IP 209.33.206.14.80 > 209.33.206.17.1058: . 1:1461(1460) ack 512 win 6432
15:11:02.608118 IP 209.33.206.14.80 > 209.33.206.17.1058: P 1461:1655(194) ack 512 win 6432
15:11:02.608319 IP 209.33.206.17.1058 > 209.33.206.14.80: . ack 1655 win 65535
15:11:03.008561 IP 209.33.206.17.1058 > 209.33.206.14.80: P 512:999(487) ack 1655 win 65535
15:11:03.008605 IP 209.33.206.14.80 > 209.33.206.17.1058: . ack 999 win 7504
15:11:03.019317 IP 209.33.206.17.1059 > 209.33.206.14.80: S 3678578750:3678578750(0) win 65535 <mss 1460,nop,nop,sackOK>
15:11:03.019383 IP 209.33.206.14.80 > 209.33.206.17.1059: S 506436991:506436991(0) ack 3678578751 win 5840 <mss 1460,nop,nop,sackOK>
15:11:03.019542 IP 209.33.206.17.1059 > 209.33.206.14.80: . ack 1 win 65535
15:11:03.024509 IP 209.33.206.17.1059 > 209.33.206.14.80: P 1:479(478) ack 1 win 65535
15:11:03.024568 IP 209.33.206.14.80 > 209.33.206.17.1059: . ack 479 win 6432
.......Rest of output omitted for space.................

Does this help at all? I mean I can put in the proxy into all of the browsers but it would be much easier if I can get this redirecting on the FW.

Thanks again,
Jon
Jon Scottorn wrote:
> Here is what is on the proxy server
>
> 15:09:09.058963 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:11.924575 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:17.958543 arp who-has 209.33.206.14 tell 209.33.206.17
> 15:09:17.958603 arp reply 209.33.206.14 is-at 00:0f:b5:42:b2:29
> 15:09:17.958687 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:29.927069 IP 209.33.206.17.1054 > 66.102.7.147.80: S 2591640921:2591640921(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:32.943224 IP 209.33.206.17.1054 > 66.102.7.147.80: S 2591640921:2591640921(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:38.977175 IP 209.33.206.17.1054 > 66.102.7.147.80: S 2591640921:2591640921(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:50.945745 IP 209.33.206.17.1056 > 66.102.7.99.80: S 2256576143:2256576143(0) win 65535 <mss 1460,nop,nop,sackOK>
> 15:09:53.961888 IP 209.33.206.17.1056 > 66.102.7.99.80: S 2256576143:2256576143(0) win 65535 <mss 1460,nop,nop,sackOK>

Looks like you haven't added the appropriate REDIRECT rule on the Proxy server.

-Tom
Tom Eastep wrote:
>> 15:09:50.945745 IP 209.33.206.17.1056 > 66.102.7.99.80: S 2256576143:2256576143(0) win 65535 <mss 1460,nop,nop,sackOK>
>> 15:09:53.961888 IP 209.33.206.17.1056 > 66.102.7.99.80: S 2256576143:2256576143(0) win 65535 <mss 1460,nop,nop,sackOK>
>
> Looks like you haven't added the appropriate REDIRECT rule on the Proxy
> server.

And be sure that you have configured Squid for transparent operation.

-Tom
Tom Eastep wrote:
>> Looks like you haven't added the appropriate REDIRECT rule on the Proxy
>> server.
>
> And be sure that you have configured Squid for transparent operation.

Hrm, I have squid set for transparent proxy but not sure about what I should have for a redirect within squid? I am looking now.

Thanks,
Jon
Jon Scottorn wrote:
> hrm, i have squid set for transparent proxy but not sure about what I
> should have for a redirect within squid? I am looking now.

It is described in the Shorewall Squid documentation -- you need a REDIRECT iptables rule on whichever system is running the proxy.

-Tom
Tom Eastep wrote:
> It is described in the Shorewall Squid documentation -- you need a
> REDIRECT iptables rule on whichever system is running the proxy.

What if I have squid listening on port 80 though, shouldn't that work so that I don't need the redirect on the proxy?

Jon
Jon Scottorn wrote:
> What if I have squid listening on port 80 though, shouldn't that work so
> that I don't need the redirect on the proxy?

Jon,

The Shorewall box is *routing* traffic to the Squid server -- it is not rewriting the destination address in the IP headers. As a consequence, you must have a REDIRECT rule in place on the Squid box or it will simply toss the packet (unless for some strange reason you have ip forwarding enabled on what I presume is a one-interface system).

-Tom
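As an added example (not part of the thread, and not Shorewall's or Squid's own code), a small shell triage script over captures constructed from the tcpdump lines Jon posted: it counts the gateway's ICMP redirects that Jerry's send_redirects check is about, and the SYNs reaching the proxy that never get a SYN-ACK, which is the symptom of the missing REDIRECT rule Tom describes. The function names and the verdict text are my own.

```shell
#!/bin/sh
# Added example: triage tcpdump output for the two symptoms in this thread.
# Both traces are constructed from the packets in the thread, trimmed.

# Firewall side: the gateway (209.33.206.1) answers the client's SYN for
# 66.102.7.147 with an ICMP redirect pointing at the proxy (209.33.206.14).
FIREWALL_TRACE='13:01:23.425209 209.33.206.17.4818 > 66.102.7.147.80: S 2347633713:2347633713(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
13:01:26.441551 209.33.206.1 > 209.33.206.17: icmp: redirect 66.102.7.147 to host 209.33.206.14 [tos 0xc0]
13:01:52.460846 arp who-has 209.33.206.17 tell 209.33.206.1'

# Proxy side: SYNs for 66.102.7.104:80 arrive and nothing answers them, while
# a SYN addressed to the proxy itself on port 80 gets a SYN-ACK.
PROXY_TRACE='15:09:09.058963 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:11.924575 IP 209.33.206.17.1053 > 66.102.7.104.80: S 4062177605:4062177605(0) win 65535 <mss 1460,nop,nop,sackOK>
15:09:17.958543 arp who-has 209.33.206.14 tell 209.33.206.17
15:11:03.019317 IP 209.33.206.17.1059 > 209.33.206.14.80: S 3678578750:3678578750(0) win 65535 <mss 1460,nop,nop,sackOK>
15:11:03.019383 IP 209.33.206.14.80 > 209.33.206.17.1059: S 506436991:506436991(0) ack 3678578751 win 5840 <mss 1460,nop,nop,sackOK>'

# How many ICMP redirects the gateway sent. Any at all means the firewall is
# steering the client toward the proxy instead of re-addressing its packets,
# which is what the send_redirects sysctl mentioned above controls.
count_redirects() {
    printf '%s\n' "$1" | awk '/icmp: redirect/ { n++ } END { print n + 0 }'
}

# How many TCP flows began with a SYN and never saw a SYN-ACK.
# tcpdump prints "src.port > dst.port:"; a SYN line carries "S" and no "ack",
# a SYN-ACK carries both and travels in the reverse direction.
count_unanswered_syns() {
    printf '%s\n' "$1" | awk '
        function endpoints(   i) {
            for (i = 2; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
        }
        / S / && !/ ack / { endpoints(); syn[src ">" dst] = 1 }
        / S / &&  / ack / { endpoints(); synack[dst ">" src] = 1 }
        END { n = 0; for (k in syn) if (!(k in synack)) n++; print n }'
}

# Verdict for a capture taken on the proxy box. Unanswered SYNs for foreign
# destinations are the signature of routed (not re-addressed) traffic hitting
# a host with no nat PREROUTING REDIRECT rule for the Squid port.
diagnose_proxy() {
    if [ "$(count_unanswered_syns "$1")" -gt 0 ]; then
        echo "unanswered SYNs for foreign destinations: add a nat PREROUTING REDIRECT to the Squid port"
    else
        echo "all SYNs answered"
    fi
}

echo "gateway redirects seen on firewall: $(count_redirects "$FIREWALL_TRACE")"
diagnose_proxy "$PROXY_TRACE"
```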
Tom Eastep wrote:
> The Shorewall box is *routing* traffic to the Squid server -- it is not
> rewriting the destination address in the IP headers. As a consequence,
> you must have a REDIRECT rule in place on the Squid box or it will
> simply toss the packet (unless for some strange reason you have ip
> forwarding enabled on what I presume is a one-interface system).

Well, I have been trying to figure this out but to no avail. The proxy box does have only one interface. FYI, I am running this proxy within a virtual server, so I have a question. Is there a way to redirect the traffic without using the iptables redirect line? Within the virtual server I do not have access to iptables. Also, the ip for the proxy shows up as a secondary address on the interface; I don't know if that will cause an issue either.

Anyways, I am probably out of the realm of support being that it is not shorewall, so if you have any suggestions that would be great; if not, thanks so much for the help.

Jon
Jon Scottorn wrote:
> so if you have any suggestions that would be great, if
> not thanks so much for the help.

I have nothing more to offer.

-Tom