Joffrey FLEURICE
2006-Oct-12 17:27 UTC
Tc rules Help with multiISP + squid & squidguard...
Network config:
Eth0 80.xxx.xxx.160/29 SDSL (4 ip + route 80.XXX.XXX.161 + eth0 = (80.xxx.xxx.161)
Eth1 192.168.1.0/24 LAN
(192.168.2.0/24) LAN2 with route add 192.168.1.253
192.168.2.0 192.168.1.253 255.255.255.0 UG 0 0 0 eth1
Eth2 192.168.100.0/24 DMZ
ppp0 $PPP0_IP ADSL (on eth3 bridge)
tun0 192.168.20.0/24 OpenVPN
route:
local312.lnsta1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.20.2 * 255.255.255.255 UH 0 0 0 tun0
80.xxx.xxx.160 * 255.255.255.248 U 0 0 0 eth0
192.168.100.0 * 255.255.255.0 U 0 0 0 eth2
192.168.20.0 192.168.20.2 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 192.168.1.253 255.255.255.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.46.0 * 255.255.255.0 U 0 0 0 eth3
default 80-xxx-xxx-161. 0.0.0.0 UG 0 0 0 eth0
ip route show:
193.xxx.xxx.3 dev ppp0 proto kernel scope link src 90.1.80.88
192.168.20.2 dev tun0 proto kernel scope link src 192.168.20.1
80.xxx.xxx.160/29 dev eth0 proto kernel scope link src 80.124.188.162
192.168.100.0/24 dev eth2 proto kernel scope link src 192.168.100.254
192.168.20.0/24 via 192.168.20.2 dev tun0
192.168.2.0/24 via 192.168.1.253 dev eth1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.46.0/24 dev eth3 proto kernel scope link src 192.168.46.2
default
nexthop via 80.xxx.xxx.161 dev eth0 weight 1
nexthop via 193.xxx.xxx.3 dev ppp0 weight 1
****************************************************************************
Rt_table:
255 local
254 main
253 default
0 unspec
#
# local
#
200 sdsl
201 adsl
****************************************************************************
Interfaces
DMZ eth2 detect dhcp
Local eth1 detect dhcp,routeback
Net eth0 detect
Net ppp0 - dhcp
Maint tun0 detect
Lo lo
****************************************************************************
Zone
Local ipv4
DMZ ipv4
Net ipv4
Maint ipv4
Lo ipv4
****************************************************************************
Policy
Local $FW ACCEPT
Lo $FW ACCEPT
Local Net ACCEPT info
DMZ $FW ACCEPT
Maint $FW ACCEPT
Maint DMZ ACCEPT
Maint Local ACCEPT
$FW Net ACCEPT
$FW lo ACCEPT
$FW Maint ACCEPT
$FW DMZ ACCEPT
Local DMZ ACCEPT
Net Net DROP info
Net all DROP info
All all REJECT info
****************************************************************************
Rules:
# Rsync LAN & DMZ
Rsync/ACCEPT Local Net
Rsync/ACCEPT DMZ Net
# DNS LAN & DMZ & FW
DNS/ACCEPT Local Net
DNS/ACCEPT DMZ Net
DNS/ACCEPT $FW Net
DNS/ACCEPT DMZ $FW
DNS/ACCEPT Local $FW
# Ping LAN & DMZ
Ping/ACCEPT Local Net
Ping/ACCEPT DMZ Net
# Trace route LAN & DMZ & FW
Trcrt/ACCEPT DMZ Net
Trcrt/ACCEPT Local Net
Trcrt/ACCEPT $FW Net
# Rules DMZ
ACCEPT Net DMZ:192.168.100.1,192.168.100.2 tcp 20,21,80,81,8080,443,21,554,5902,5901
# DNAT : FTP DMZ
DNAT Net DMZ:192.168.100.1 tcp 20,21 -
# RULES FW to DMZ Servers
ACCEPT $FW DMZ:192.168.100.1 tcp 25,22,389
ACCEPT $FW DMZ:192.168.100.2 tcp 25,22,389
# RULES FW to LOCAL servers
ACCEPT $FW Local:192.168.1.1 tcp 22
ACCEPT $FW Local:192.168.1.2 tcp 3389
ACCEPT $FW Local:192.168.1.49 tcp 137,139
# Squid + SquidGuard LAN
REDIRECT Local 3128 tcp 80 - !192.168.1.254,192.168.110.0/24
# Squid + SquidGuard DMZ
REDIRECT DMZ 3128 tcp 80 - !192.168.1.254,192.168.110.0/24
# Proxy POP LAN
REDIRECT Local 8110 tcp 110 - !192.168.1.254,192.168.110.0/24
# RULE openvpn
ACCEPT Net $FW udp 1194
# RULES INTERNET to FW : ftp,ssh,smtp,ntop,webmin,vnx
ACCEPT Net $FW tcp 20,21,22,25,3000,10000,5902,5901
# RULES internet access for LAN & DMZ
ACCEPT DMZ Net tcp 20,21,80,443
ACCEPT Local Net tcp 8,20,21,22,25,80,110,443,3389,5900,5901,8081
# internal pgsql application
ACCEPT Local Net:213.186.62.40,195.115.158.13 tcp 5432
ACCEPT Local Net:213.186.62.40,195.115.158.12 udp 5432
****************************************************************************
nat
80.xxx.xxx.163 eth0 192.168.100.1 yes yes
80.xxx.xxx.164 eth0 192.168.100.2 yes yes
****************************************************************************
Tunnels
#ipsec Net
openvpn:1194 Net
****************************************************************************
Masq
ppp0 eth2 $PPP0_IP
ppp0 eth1 $PPP0_IP
eth0 eth2 80.xxx.xxx.161
eth0 eth1 80.xxx.xxx.161
eth0 $PPP0_IP 80.xxx.xxx.161
ppp0 80.xxx.xxx.161 $PPP0_IP
****************************************************************************
providers:
sdsl 200 200 main eth0 80.xxx.xxx.161 track,balance eth1,eth2
adsl 201 201 main ppp0 detect track,balance eth1,eth2
****************************************************************************
Tcrules:
# SDSL
200 eth2 0.0.0.0/0 all
200 eth2 0.0.0.0/0 tcp 25
200 $FW 0.0.0.0/0 tcp 25
# ADSL
201 $FW 0.0.0.0/0 tcp 3128,80,443
201 eth1 0.0.0.0/0 tcp 80,443,3128
Sorry for the dump file, but the dump file is larger than the mailing list
accepts (106 KB).
Postfix, squid and squidguard work on the FW.
All works, but no surfing with squid; if I disable REDIRECT and squid, all
works perfectly.
Please HELP !!! (leloo dallas multipass :) )
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Joffrey FLEURICE wrote:
> All works, but no surf with squid, if I disable REDIRECT and squid all
> work perfectly.

I don't see any fw->net ACCEPT rule for TCP port 80.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Joffrey FLEURICE wrote:
> DMZ eth2 detect dhcp
> Local eth1 detect dhcp,routeback
> Net eth0 detect
> Net ppp0 - dhcp
> Maint tun0 detect
> Lo lo

Defining a zone for the 'lo' device is silly and unnecessary; it shouldn't hurt anything but it won't do anything positive either. If you actually want to control loopback traffic for some reason, simply create fw->fw rules and policies. The only case of this that I can think of is where you want to redirect locally-generated HTTP traffic from users other than 'squid' to a local Squid server.

REDIRECT fw 3128 tcp 80 - - - !squid

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
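The point both of Tom's replies turn on is that a transparent-proxy REDIRECT splits one client connection into two separate firewall decisions: the client's hop to the proxy port on the firewall, and the proxy's own outbound connection from the firewall to the Internet, which needs its own fw->net permission. The following is an added example, not code from the thread and not Shorewall's own code: a toy Python model of Shorewall's evaluation order (rules first-match, then policy first-match, then implicit REJECT) fed with a constructed subset of the policy and rules lines posted above. It assumes the posted zone names, treats `$FW` as the firewall zone, ignores macros such as `DNS/ACCEPT`, tcrules, providers, address qualifiers and interface options, and uses a made-up external address 198.51.100.10. `POLICY_NO_FW_NET` is a variant of the posted policy with the `$FW Net ACCEPT` line removed, to show how the proxy's outbound connection then falls through to the `all all REJECT` policy.

```python
"""Toy evaluator for Shorewall-style policy and rules lines (added example,
not Shorewall's code). Assumption: only first-match rules, first-match
policy and REDIRECT are modelled; macros, tcrules, providers, address
qualifiers and interface options are ignored."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW = "$FW"

# Constructed sample: a subset of the policy lines posted in the thread.
POLICY_TEXT = """
Local $FW ACCEPT
Local Net ACCEPT info
$FW Net ACCEPT
Net all DROP info
all all REJECT info
"""

# Same policy with the fw->net line removed, to show the failure mode.
POLICY_NO_FW_NET_TEXT = POLICY_TEXT.replace("$FW Net ACCEPT\n", "")

# Constructed sample: a subset of the posted rules (macro lines left out).
# Columns: ACTION SOURCE DEST PROTO DPORT [SPORT] [ORIGINAL_DEST]
RULES_TEXT = """
REDIRECT Local 3128 tcp 80 - !192.168.1.254,192.168.110.0/24
ACCEPT Net $FW tcp 20,21,22,25,3000,10000,5902,5901
ACCEPT Local Net tcp 8,20,21,22,25,80,110,443,3389,5900,5901,8081
"""


@dataclass
class Rule:
    action: str
    src: str
    dst: str          # destination zone, or the target port for REDIRECT
    proto: str
    dports: set
    odest: str = "-"  # ORIGINAL_DEST column; a leading "!" negates the list


def _columns(text):
    return [line.split() for line in text.strip().splitlines()
            if line.strip() and not line.startswith("#")]


def parse_policy(text):
    # (source zone, destination zone, action); the log level column is ignored
    return [(c[0], c[1], c[2]) for c in _columns(text)]


def parse_rules(text):
    rules = []
    for c in _columns(text):
        c += ["-"] * (7 - len(c))  # pad the optional columns
        ports = set() if c[4] == "-" else {int(p) for p in c[4].split(",")}
        rules.append(Rule(c[0], c[1], c[2], c[3], ports, c[6]))
    return rules


def zone_of(spec):
    """'DMZ:192.168.100.1' -> 'DMZ'; the address qualifier is ignored here."""
    return spec.split(":")[0]


def odest_matches(spec, dst_ip):
    """Evaluate an ORIGINAL_DEST column ('-', 'a,b' or '!a,b') against dst_ip."""
    if spec == "-":
        return True
    negated = spec.startswith("!")
    nets = [ip_network(n, strict=False) for n in spec.lstrip("!").split(",")]
    hit = any(ip_address(dst_ip) in net for net in nets)
    return not hit if negated else hit


def evaluate(rules, policy, src, dst, proto, dport, dst_ip="0.0.0.0"):
    """Verdict for one new connection: first matching rule, else first
    matching policy, else Shorewall's implicit REJECT."""
    for r in rules:
        if zone_of(r.src) != src or r.proto != proto or dport not in r.dports:
            continue
        if r.action == "REDIRECT":
            if odest_matches(r.odest, dst_ip):
                return ("REDIRECT", int(r.dst))
            continue  # excluded original destination: not redirected
        if zone_of(r.dst) == dst:
            return (r.action, None)
    for psrc, pdst, action in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return (action, None)
    return ("REJECT", None)


def trace_proxied_web(rules, policy, client_zone, dst_zone, dst_ip):
    """Follow a client's port-80 connection through a transparent proxy: the
    redirect, the client's hop to the proxy port on the firewall, and the
    proxy's own outbound connection, which needs its own permission."""
    first = evaluate(rules, policy, client_zone, dst_zone, "tcp", 80, dst_ip)
    steps = [("client->" + dst_zone, first)]
    if first[0] == "REDIRECT":
        steps.append(("client->fw", evaluate(rules, policy, client_zone, FW, "tcp", first[1])))
        steps.append(("fw->" + dst_zone, evaluate(rules, policy, FW, dst_zone, "tcp", 80, dst_ip)))
    return steps


RULES = parse_rules(RULES_TEXT)
POLICY = parse_policy(POLICY_TEXT)
POLICY_NO_FW_NET = parse_policy(POLICY_NO_FW_NET_TEXT)

if __name__ == "__main__":
    for name, pol in (("as posted", POLICY), ("without $FW Net ACCEPT", POLICY_NO_FW_NET)):
        print(name, trace_proxied_web(RULES, pol, "Local", "Net", "198.51.100.10"))
```

With the posted `$FW Net ACCEPT` policy the third step resolves to ACCEPT in this model; with that line removed it falls through to `all all REJECT`, which is the gap a missing fw->net rule for port 80 produces. The `!192.168.1.254,...` exclusion is also visible in the trace: a LAN request for the firewall's own address is not redirected and is judged as an ordinary Local->$FW connection instead.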