Hello to all. This is my first message to the list. Sorry if I forget some details.

I'm using Linux with LTSP and I want to redirect the web traffic generated by eth1 to eth0, including the firewall traffic, because with my LTSP configuration, when the clients request an http page, my tcpdump log shows they use the eth1 interface.

Here is my configuration:

eth0: 192.168.0.254
eth1: 200.xxx.xxx.xxx

I'm running squid on 127.0.0.1:3128 and dansguardian at 192.168.0.254:8080.

I need to redirect all http traffic *including* the traffic generated by eth1, because my LTSP clients' http requests use eth1 and I need to filter web traffic.

Is this possible? How?

Thanks
Wilson Galafassi

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Tuesday 21 March 2006 16:20, Wilson Galafassi wrote:

> I'm using Linux with LTSP and I want to redirect the web traffic
> generated by eth1 to eth0 including the firewall traffic, because my
> LTSP configuration when the clients request an http page in my tcpdump
> log they use the eth1 interface.
>
> Here is my configuration:
>
> eth0: 192.168.0.254
> eth1: 200.xxx.xxx.xxx
> I'm running squid on 127.0.0.1:3128 and dansguardian at 192.168.0.254:8080
>
> I need to redirect all http traffic *including* the traffic generated
> by eth1 because my LTSP clients' http requests use eth1 and I need to
> filter web traffic.
>
> Is this possible? How?

Does anyone understand the question? I'm afraid I don't.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I need to include in the redirect rule the traffic generated by the eth1 (the interface connected to the internet).

thanks
wilson

On 3/21/06, Tom Eastep <teastep@shorewall.net> wrote:
> On Tuesday 21 March 2006 16:20, Wilson Galafassi wrote:
>
> > I'm using Linux with LTSP and I want to redirect the web traffic
> > generated by eth1 to eth0 including the firewall traffic, because my
> > LTSP configuration when the clients request an http page in my tcpdump
> > log they use the eth1 interface.
> >
> > Here is my configuration:
> >
> > eth0: 192.168.0.254
> > eth1: 200.xxx.xxx.xxx
> > I'm running squid on 127.0.0.1:3128 and dansguardian at 192.168.0.254:8080
> >
> > I need to redirect all http traffic *including* the traffic generated
> > by eth1 because my LTSP clients' http requests use eth1 and I need to
> > filter web traffic.
> >
> > Is this possible? How?
>
> Does anyone understand the question? I'm afraid I don't.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Tuesday 21 March 2006 16:20, Wilson Galafassi wrote:
>
> > I'm using Linux with LTSP and I want to redirect the web traffic
> > generated by eth1 to eth0 including the firewall traffic, because my
> > LTSP configuration when the clients request an http page in my tcpdump
> > log they use the eth1 interface.
> >
> > Here is my configuration:
> >
> > eth0: 192.168.0.254
> > eth1: 200.xxx.xxx.xxx
> > I'm running squid on 127.0.0.1:3128 and dansguardian at 192.168.0.254:8080
> >
> > I need to redirect all http traffic *including* the traffic generated
> > by eth1 because my LTSP clients' http requests use eth1 and I need to
> > filter web traffic.
> >
> > Is this possible? How?
>
> Does anyone understand the question? I'm afraid I don't.
>
> -Tom

I'm not sure I understand either, but here goes. I think that his clients are on the 192.168.0.0 subnet and he wants to make sure that they do not bypass the filters. Since in LTSP everything is running on the server, processes on the server probably see eth1 as the default route and use that, yet he is running his filters bound to lo and to eth0. I think that this problem is best solved by properly configuring the proxy and the filter rather than trying to work around it with Shorewall.

-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
I'm trying with this rule:

REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24

loc: eth0
net: eth1

but I need to include the traffic generated by eth1 too.

thanks
wilson

On 3/21/06, Wilson Galafassi <wilson.galafassi@gmail.com> wrote:
> I need to include in the redirect rule the traffic generated by the
> eth1 (the interface connected to the internet).
>
> thanks
> wilson
>
> On 3/21/06, Tom Eastep <teastep@shorewall.net> wrote:
> > On Tuesday 21 March 2006 16:20, Wilson Galafassi wrote:
> >
> > > I'm using Linux with LTSP and I want to redirect the web traffic
> > > generated by eth1 to eth0 including the firewall traffic, because my
> > > LTSP configuration when the clients request an http page in my tcpdump
> > > log they use the eth1 interface.
> > >
> > > Here is my configuration:
> > >
> > > eth0: 192.168.0.254
> > > eth1: 200.xxx.xxx.xxx
> > > I'm running squid on 127.0.0.1:3128 and dansguardian at 192.168.0.254:8080
> > >
> > > I need to redirect all http traffic *including* the traffic generated
> > > by eth1 because my LTSP clients' http requests use eth1 and I need to
> > > filter web traffic.
> > >
> > > Is this possible? How?
> >
> > Does anyone understand the question? I'm afraid I don't.
> >
> > -Tom
> > --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Wilson Galafassi" <wilson.galafassi@gmail.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, March 21, 2006 18:53
Subject: Re: [Shorewall-users] Problem with LTSP

I'm trying with this rule:

REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24

loc: eth0
net: eth1

but I need to include the traffic generated by eth1 too.

thanks
wilson

On 3/21/06, Wilson Galafassi <wilson.galafassi@gmail.com> wrote:
> I need to include in the redirect rule the traffic generated by the
> eth1 (the interface connected to the internet).
>
> thanks
> wilson
>
> On 3/21/06, Tom Eastep <teastep@shorewall.net> wrote:
> > On Tuesday 21 March 2006 16:20, Wilson Galafassi wrote:
> >
> > > I'm using Linux with LTSP and I want to redirect the web traffic
> > > generated by eth1 to eth0 including the firewall traffic, because my
> > > LTSP configuration when the clients request an http page in my tcpdump
> > > log they use the eth1 interface.
> > >
> > > Here is my configuration:
> > >
> > > eth0: 192.168.0.254
> > > eth1: 200.xxx.xxx.xxx
> > > I'm running squid on 127.0.0.1:3128 and dansguardian at 192.168.0.254:8080
> > >
> > > I need to redirect all http traffic *including* the traffic generated
> > > by eth1 because my LTSP clients' http requests use eth1 and I need to
> > > filter web traffic.
> > >
> > > Is this possible? How?
> >
> > Does anyone understand the question? I'm afraid I don't.
> >
> > -Tom
> > --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Let me try that with some info this time....

----- Original Message -----
> I'm trying with this rule:
>
> REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24
>
> loc: eth0
> net: eth1
>
> but I need to include the traffic generated by eth1 too.
>
> thanks
> wilson

That won't work for what you want; you're trying to grab traffic that is outbound from the firewall, and that needs to be done in an OUTPUT chain. This requires you to use a DNAT rule. Give this a try:

DNAT fw fw:192.168.0.254:8080 tcp 80 - 0.0.0.0/0

I tested this here with this rule, using telnet:

DNAT:info fw fw:10.3.0.106:23 tcp 2323 - 0.0.0.0/0

I logged this and got my login prompt:

Mar 21 22:21:04 shore kernel: Shorewall:OUTPUT:DNAT:IN= OUT=eth2 SRC=24.78.zzz.yyy DST=207.161.yyy.zzz LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=58493 DF PROTO=TCP SPT=38984 DPT=2323 WINDOW=5840 RES=0x00 SYN URGP=0

Your mileage may vary... Hope this works for you...

Jerry
> > I'm trying with this rule:
> >
> > REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24
<snip>
> That won't work for what you want; you're trying to grab traffic that is outbound from the firewall,
> and that needs to be done in an OUTPUT chain. This requires you to use a DNAT rule. Give this a try:
>
> DNAT fw fw:192.168.0.254:8080 tcp 80 - 0.0.0.0/0
>

Just had a thought: you'd need to know which traffic is from squid, so that you don't get into a loop.... Above this rule you would need to have a rule that uses the -m owner / gid-owner routines in netfilter; this is done in Shorewall with the USER/GROUP column in the rules file. See the rules file for more info.

> I tested this here with this rule, using telnet:
> DNAT:info fw fw:10.3.0.106:23 tcp 2323 - 0.0.0.0/0
>
> I logged this and got my login prompt:
> Mar 21 22:21:04 shore kernel: Shorewall:OUTPUT:DNAT:IN= OUT=eth2 SRC=24.78.zzz.yyy
> DST=207.161.yyy.zzz LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=58493 DF PROTO=TCP
> SPT=38984 DPT=2323 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Your mileage may vary... Hope this works for you...

good luck

Jerry
On Tuesday 21 March 2006 22:44, Jerry Vonau wrote:
> > > I'm trying with this rule:
> > >
> > > REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24
>
> <snip>
>
> > That won't work for what you want; you're trying to grab traffic that is
> > outbound from the firewall, and that needs to be done in an OUTPUT chain. This
> > requires you to use a DNAT rule. Give this a try:
> >
> > DNAT fw fw:192.168.0.254:8080 tcp 80 - 0.0.0.0/0
>
> Just had a thought: you'd need to know which traffic is from squid, so that
> you don't get into a loop.... Above this rule you would need to have a rule
> that uses the -m owner / gid-owner routines in netfilter; this is done in
> Shorewall with the USER/GROUP column in the rules file. See the rules file
> for more info.

Or he could put "!squid" in the USER/GROUP column of his DNAT rule.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 22 March 2006 13:03, Tom Eastep wrote:
> On Tuesday 21 March 2006 22:44, Jerry Vonau wrote:
> > > > I'm trying with this rule:
> > > >
> > > > REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24
> >
> > <snip>
> >
> > > That won't work for what you want; you're trying to grab traffic that is
> > > outbound from the firewall, and that needs to be done in an OUTPUT chain.
> > > This requires you to use a DNAT rule. Give this a try:
> > >
> > > DNAT fw fw:192.168.0.254:8080 tcp 80 - 0.0.0.0/0
> >
> > Just had a thought: you'd need to know which traffic is from squid, so
> > that you don't get into a loop.... Above this rule you would need to have
> > a rule that uses the -m owner / gid-owner routines in netfilter; this is
> > done in Shorewall with the USER/GROUP column in the rules file. See the
> > rules file for more info.
>
> Or he could put "!squid" in the USER/GROUP column of his DNAT rule.
>

Assuming of course that Squid runs under the 'squid' user id.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
<snip>
> Or he could put "!squid" in the USER/GROUP column of his DNAT rule.

That works too, and cleaner to boot. ;-)

Thanks Tom.

Jerry
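The REDIRECT-versus-DNAT distinction and the "!squid" owner exclusion from the replies above, as an added example that is not part of the thread: a small Python model of the two rules (not Shorewall or netfilter code) that assumes Squid runs as user "squid" and ignores the ORIGINAL DEST exclusion list from the original REDIRECT rule. It traces one HTTP request through PREROUTING or OUTPUT, then through Squid's own fetch of the origin server, which is where the loop would otherwise appear.

```python
# Constructed model of the thread's rules file, assuming Squid runs as 'squid':
#   REDIRECT  loc  8080                   tcp  www
#   DNAT      fw   fw:192.168.0.254:8080  tcp  80   -  0.0.0.0/0  -  -  -  !squid
# REDIRECT is matched in nat PREROUTING (packets arriving from loc), the fw DNAT
# in nat OUTPUT (locally generated packets), where an owner match is possible.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Action = Optional[Tuple[str, Tuple[str, int]]]
PROXY = ("192.168.0.254", 8080)   # dansguardian, which hands requests to squid
LOC_IFACE = "eth0"                # interface of the 'loc' zone
SQUID_USER = "squid"              # assumed uid Squid runs under

@dataclass
class Packet:
    in_iface: Optional[str]       # None for locally generated packets
    dst: str
    dport: int
    owner: Optional[str] = None   # owning local user, only known in OUTPUT

def prerouting_redirect(pkt: Packet) -> Action:
    """REDIRECT loc 8080 tcp www: only packets entering on the loc interface."""
    if pkt.in_iface == LOC_IFACE and pkt.dport == 80:
        return ("REDIRECT", PROXY)
    return None

def output_dnat(pkt: Packet, owner_match: bool = True) -> Action:
    """DNAT fw fw:192.168.0.254:8080 tcp 80 with USER/GROUP '!squid'.
    owner_match=False models the same rule without the USER/GROUP column."""
    if pkt.in_iface is not None or pkt.dport != 80:
        return None
    if owner_match and pkt.owner == SQUID_USER:
        return None
    return ("DNAT", PROXY)

def nat_decision(pkt: Packet, owner_match: bool = True) -> Action:
    """NAT action for one packet: PREROUTING for incoming, OUTPUT for local."""
    if pkt.in_iface is not None:
        return prerouting_redirect(pkt)
    return output_dnat(pkt, owner_match)

def trace_request(pkt: Packet, owner_match: bool = True) -> List[str]:
    """Follow an HTTP request: NAT decision, then Squid's own fetch of the
    origin server, a locally generated packet owned by 'squid' that passes
    through the OUTPUT chain again and must not be DNATed back to the proxy."""
    action = nat_decision(pkt, owner_match)
    if action is None:
        return ["direct"]
    fetch = Packet(in_iface=None, dst=pkt.dst, dport=80, owner=SQUID_USER)
    again = output_dnat(fetch, owner_match)
    return [action[0], "dansguardian -> squid", "loop" if again else "eth1 out"]
```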