Rainer Minixhofer
2009-Jun-27 10:17 UTC
Transparent Proxy Problem with Squid3 and Shorewall
Hi all,
I have a strange problem in trying to install a transparent proxy (in my
internal net not on the shorewall server) according to the instructions
as outlined in http://www.shorewall.net/Shorewall_Squid_Usage.html#Local
My network looks like the following:
Internal Net: 10.0.0.0/24          Squid Server listening on port 3128
      |                            (ip 10.0.0.152, DNS name server01)
      |                                     |
      +-------------------------------------+
      |
Shorewall int: eth0 (ip 10.0.0.156)
      :
Shorewall ext: eth1 (ip 10.0.1.2)
      |
DMZ Net: 10.0.1.0/24
      |
Thomson Router to Internet (ip 10.0.1.138) (TG585 v7 from Telekom Austria)
The shorewall server is a Linksys NSLU2 Slug (named FireSlug) running on
Debian Lenny with its internal interface eth0 and a USB network interface
on Port2 as external interface eth1.
The shorewall server runs DNS and DHCP servers in secondary and slave mode
respectively. The primary ones are running on the internal network.
The Thomson Router is configured in the standard firewall mode, which is a
bit tricky to describe because it's a template setup. However, I do not think
that this causes my problem, because if I run the Thomson Router in
transparent mode the problem persists, so I assume I have to focus on the
shorewall configuration on the FireSlug.
Now, with the documentation mentioned above, I have full functionality on the
web when just sticking to either http:// or https:// pages (the browsers are
usually configured without a proxy, otherwise I would not need a transparent
proxy :-) ).
My problem arises when I get to pages with mixed content (either images from
https:// URLs on http:// pages, or script-based redirection from http:// to
https://). A good example is the page www.xing.com. If I enter
http://www.xing.com the site tries to redirect to https://www.xing.com and
then my browser times out. By just hitting reload with the already
redirected link it works as expected.
When I set the proxy in my browser settings to 10.0.0.152:3128 everything
works (I assume that squid is correctly tunneling the SSL requests).
Therefore I guess it is due to the redirection mechanism on the shorewall,
which is just forwarding port 80 to the squid server and forwarding 443
through the firewall directly. Maybe by switching from 80 to 443 this
mechanism somehow breaks?
I attach my configuration files of shorewall for reference.
iptables -t nat -L on the squid server gives:
====
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             !server01            tcp dpt:http redir ports 3128
====
All other chains are empty on the squid server.
The relevant configuration files on the shorewall client read:
Interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     eth0        detect      dhcp,tcpflags,nosmurfs,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Masq:
#INTERFACE   SOURCE   ADDRESS    PROTO   PORT(S)   IPSEC   MARK
eth1         eth0     10.0.1.2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Params:
###############################################################################
SYSLOG_SVR=10.0.0.152
NTP_SVR=10.0.0.152
DNS_SVR=10.0.0.152
DHCP_SVR=10.0.0.152
AMULE_SVR=10.0.0.152
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
$FW net ACCEPT
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Providers:
#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY      OPTIONS   COPY
Squid   1        202    -           eth0        10.0.0.152   loose
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Routestopped:
#INTERFACE HOST(S) OPTIONS
eth1 10.0.1.0/24
eth0 10.0.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Rules:
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK
#                                 PORT      PORT(S)   DEST       LIMIT   GROUP
DNS/ACCEPT $FW net
DNS/ACCEPT loc $FW
DNS/ACCEPT $FW loc:$DNS_SVR
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
Ping/DROP net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
Syslog/ACCEPT $FW loc:$SYSLOG_SVR
NTP/ACCEPT $FW loc:$NTP_SVR
HTTP/ACCEPT $FW net
HTTP/ACCEPT loc $FW
HTTPS/ACCEPT $FW net
HTTPS/ACCEPT loc $FW
Webmin/ACCEPT loc $FW
DHCP/ACCEPT loc:$DHCP_SVR $FW
DHCP/ACCEPT $FW loc:$DHCP_SVR
aMule/DNAT net loc:$AMULE_SVR
aMule/ACCEPT net $FW
ACCEPT loc $FW tcp 5351
ACCEPT loc $FW udp 5351
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tcrules:
#MARK   SOURCE             DEST        PROTO   DEST      SOURCE    USER   TEST   LENGTH   TOS
#                                              PORT(S)   PORT(S)
202:P   eth0:!10.0.0.152   0.0.0.0/0   tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Zones:
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
And finally shorewall.conf:
STARTUP_ENABLED=Yes
VERBOSITY=1
SHOREWALL_COMPILER=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
Now, I know that I could set up a wpad mechanism and make automatic
configuration of my browsers. However, I like the concept of transparent
proxying and I'm interested in where this problem in switching between port 80
on squid and port 443 forwarding through the firewall comes from.
Kind regards,
Rainer Minixhofer
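Added example, not part of the original post and not Shorewall or Squid code: a small Python model of the two forwarding paths the post describes. It parses the exact rule lines quoted above (the tcrules entry, the providers entry and the REDIRECT line from `iptables -t nat -L`) and traces what happens to a new TCP connection from a LAN client: port 80 is marked 202, policy-routed to the Squid box and redirected to 3128, after which Squid's own upstream connection comes back through the firewall unmarked and masqueraded; port 443 is never marked and goes straight out masqueraded. It also shows why the `!10.0.0.152` exclusion in the tcrule matters: without it Squid's upstream connection would be marked again and sent back to the proxy. The client address 10.0.0.20, the origin address 203.0.113.10 (TEST-NET-3) and the function names are my assumptions, not from the post.

```python
"""Model of the posted Shorewall tcrules/providers + Squid REDIRECT setup.
Added example; nothing here touches the network or reads live config."""
import ipaddress
from dataclasses import dataclass

PROXY_IP = "10.0.0.152"                 # Squid box, DNS name server01 (from the post)
MASQ_ADDR = "10.0.1.2"                  # masq file: eth1 eth0 10.0.1.2
HOSTNAMES = {"server01": PROXY_IP}      # resolve the name iptables -L printed
MAX_HOPS = 4                            # guard against a mark -> proxy -> mark loop

# Rule lines copied from the post (constructed strings, not read from live files).
TCRULE = "202:P eth0:!10.0.0.152 0.0.0.0/0 tcp 80"
PROVIDER = "Squid 1 202 - eth0 10.0.0.152 loose"
NAT_RULE = "REDIRECT tcp -- anywhere !server01 tcp dpt:http redir ports 3128"


@dataclass(frozen=True)
class Flow:
    in_if: str      # interface the SYN arrives on at the Shorewall box
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class TcRule:
    mark: int
    in_if: str
    src: ipaddress.IPv4Network
    src_negated: bool
    dst: ipaddress.IPv4Network
    proto: str
    dport: int

    def matches(self, f: Flow) -> bool:
        src_hit = ipaddress.ip_address(f.src) in self.src
        return (f.in_if == self.in_if
                and src_hit != self.src_negated          # "!" inverts the source test
                and ipaddress.ip_address(f.dst) in self.dst
                and f.proto == self.proto and f.dport == self.dport)


def parse_tcrule(line: str) -> TcRule:
    """Parse a tcrules line such as '202:P eth0:!10.0.0.152 0.0.0.0/0 tcp 80'."""
    mark_field, source, dest, proto, port = line.split()[:5]
    mark = int(mark_field.split(":")[0])                 # ":P" = mark in PREROUTING
    iface, _, host = source.partition(":")
    negated = host.startswith("!")
    host = host.lstrip("!") or "0.0.0.0/0"              # bare interface = any source
    return TcRule(mark, iface, ipaddress.ip_network(host), negated,
                  ipaddress.ip_network(dest), proto, int(port))


def parse_provider(line: str) -> dict:
    """Parse a providers line: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY ..."""
    name, number, mark, _dup, iface, gateway = line.split()[:6]
    return {"name": name, "table": int(number), "mark": int(mark),
            "iface": iface, "gateway": gateway}


def parse_redirect(line: str) -> dict:
    """Parse one REDIRECT line as printed by 'iptables -t nat -L' (names, not -n)."""
    p = line.split()    # REDIRECT tcp -- <src> <dst> tcp dpt:<svc> redir ports <n>
    negated = p[4].startswith("!")
    dst = HOSTNAMES.get(p[4].lstrip("!"), p[4].lstrip("!"))
    dport = {"http": 80, "https": 443}[p[6].split(":")[1]]
    return {"proto": p[1], "dst": dst, "dst_negated": negated,
            "dport": dport, "redir_port": int(p[-1])}


def redirect_applies(rule: dict, f: Flow) -> bool:
    if rule["proto"] != f.proto or rule["dport"] != f.dport:
        return False
    if rule["dst"] == "anywhere":
        return True
    return (f.dst == rule["dst"]) != rule["dst_negated"]


def trace(f: Flow, tcrule_line: str = TCRULE, depth: int = 0) -> list:
    """Hops for a new connection; recurses once for Squid's own upstream connection."""
    if depth >= MAX_HOPS:
        return ["LOOP: connection keeps being marked and sent back to the proxy"]
    tc, prov, nat = parse_tcrule(tcrule_line), parse_provider(PROVIDER), parse_redirect(NAT_RULE)
    if not (tc.matches(f) and tc.mark == prov["mark"]):
        return [f"shorewall: unmarked, main table, masq as {MASQ_ADDR} out eth1 -> {f.dst}:{f.dport}"]
    hops = [f"shorewall: mark {tc.mark} -> table {prov['name']} via {prov['gateway']} on {prov['iface']} (routeback)"]
    if f.dst == prov["gateway"]:
        hops.append(f"{prov['gateway']}: REDIRECT excluded by !{prov['gateway']}, delivered locally")
    elif redirect_applies(nat, f):
        hops.append(f"{prov['gateway']}: REDIRECT -> squid :{nat['redir_port']}")
        # Squid opens its own connection to the origin with the proxy as source;
        # the tcrule's "!10.0.0.152" must leave that one unmarked or it loops.
        hops += trace(Flow("eth0", prov["gateway"], f.dst, f.dport, f.proto), tcrule_line, depth + 1)
    else:
        hops.append(f"{prov['gateway']}: not redirected, handled by the proxy host's own routing")
    return hops


def path_kind(f: Flow, tcrule_line: str = TCRULE) -> str:
    """'proxy' if Squid terminates the client connection, 'direct' otherwise, 'loop' on error."""
    hops = trace(f, tcrule_line)
    if any(h.startswith("LOOP") for h in hops):
        return "loop"
    return "proxy" if any("-> squid" in h for h in hops) else "direct"


if __name__ == "__main__":
    client, origin = "10.0.0.20", "203.0.113.10"        # constructed addresses
    for port in (80, 443):
        print(f"{client} -> {origin}:{port}")
        for hop in trace(Flow("eth0", client, origin, port)):
            print("   ", hop)
```

Running the block prints the three-hop proxied path for port 80 and the single masqueraded hop for port 443, which is the same split the post (and the reply below) describes: the two ports are handled by two independent mechanisms, so a site that bounces a browser from http:// to https:// mid-session crosses from one path to the other. Passing a tcrule without the source exclusion, e.g. `path_kind(Flow("eth0", "10.0.0.20", "203.0.113.10", 80), "202:P eth0 0.0.0.0/0 tcp 80")`, returns "loop".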
------------------------------------------------------------------------------
Rainer Minixhofer wrote:
> The shorewall server is a Linksys NSLU2 Slug (named FireSlug) running on
> Debian Lenny with its internal interface eth0 and a USB network interface
> on Port2 as external interface eth1.
> The shorewall server runs DNS and DHCP servers in secondary and slave mode
> respectively. The primary ones are running on the internal network.
> The Thomson Router is configured in the standard firewall mode, which is a
> bit tricky to describe because it's a template setup. However, I do not think
> that this causes my problem, because if I run the Thomson Router in
> transparent mode the problem persists, so I assume I have to focus on the
> shorewall configuration on the FireSlug.

The Shorewall box, in this case, is simply routing HTTP requests from your
local net to the proxy and is masquerading all traffic from the local network
to the Internet.

> Now, with the documentation mentioned above, I have full functionality on the
> web when just sticking to either http:// or https:// pages (the browsers are
> usually configured without a proxy, otherwise I would not need a transparent
> proxy :-) ).

Then the Shorewall configuration is correct.

> My problem arises when I get to pages with mixed content (either images from
> https:// URLs on http:// pages, or script-based redirection from http:// to
> https://). A good example is the page www.xing.com. If I enter
> http://www.xing.com the site tries to redirect to https://www.xing.com and
> then my browser times out. By just hitting reload with the already
> redirected link it works as expected.
> When I set the proxy in my browser settings to 10.0.0.152:3128 everything
> works (I assume that squid is correctly tunneling the SSL requests).
> Therefore I guess it is due to the redirection mechanism on the shorewall,
> which is just forwarding port 80 to the squid server and forwarding 443
> through the firewall directly. Maybe by switching from 80 to 443 this
> mechanism somehow breaks?

I can think of nothing in a Shorewall configuration that could correct this
behavior. Again, all Shorewall has done is to set up routing such that TCP
connections to port 80 get redirected to the Squid box. HTTPS requests on
port 443 are passed directly to the Internet after having been masqueraded.
Both of those, independently, are obviously working.

Sorry that I can't be more helpful.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________