Hi,

I have a small problem with configuring a transparent proxy for my networks. When I configure it with the rule:

REDIRECT loc:!$not_redir 8080 tcp www - !$my_network

it works fine; network $not_redir doesn't go through the proxy. But when I try to configure more than one network to not go through the proxy, there is a problem. All networks ($not_redir1 and $not_redir2 too) go through the proxy.

I tried configuring it like this:

REDIRECT loc:!$not_redir1 8080 tcp www - !$my_network
REDIRECT loc:!$not_redir2 8080 tcp www - !$my_network

or:

in Params
not_redir_all=net1,net2

in Rules
REDIRECT loc:!$not_redir_all 8080 tcp www - !$my_network

I would like to prevent 2 or 3 networks from being redirected to the proxy, but I can't :( Maybe someone has solved this problem somehow?

Thanks
August
On Friday 06 February 2004 06:22 am, August wrote:
> Hi
> I have a small problem with configuring a transparent proxy for my
> networks. When I configure it with the rule:
>
> REDIRECT loc:!$not_redir 8080 tcp www - !$my_network
>
> it works fine; network $not_redir doesn't go through the proxy. But when I
> try to configure more than one network to not go through the proxy, there is a
> problem. All networks ($not_redir1 and $not_redir2 too) go through the
> proxy.
> I tried configuring it like this:
>
> REDIRECT loc:!$not_redir1 8080 tcp www - !$my_network
> REDIRECT loc:!$not_redir2 8080 tcp www - !$my_network
>
> or:
> in Params
> not_redir_all=net1,net2
>
> in Rules
> REDIRECT loc:!$not_redir_all 8080 tcp www - !$my_network
>
> I would like to prevent 2 or 3 networks from being redirected to the proxy, but I
> can't :( Maybe someone has solved this problem somehow?

Which version of Shorewall are you running?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Friday 06 February 2004 07:49 am, Tom Eastep wrote:
> On Friday 06 February 2004 06:22 am, August wrote:
> > Hi
> > I have a small problem with configuring a transparent proxy for my
> > networks. When I configure it with the rule:
> >
> > REDIRECT loc:!$not_redir 8080 tcp www - !$my_network
> >
> > it works fine; network $not_redir doesn't go through the proxy. But when I
> > try to configure more than one network to not go through the proxy, there is a
> > problem. All networks ($not_redir1 and $not_redir2 too) go through the
> > proxy.
> > I tried configuring it like this:
> >
> > REDIRECT loc:!$not_redir1 8080 tcp www - !$my_network
> > REDIRECT loc:!$not_redir2 8080 tcp www - !$my_network
> >
> > or:
> > in Params
> > not_redir_all=net1,net2
> >
> > in Rules
> > REDIRECT loc:!$not_redir_all 8080 tcp www - !$my_network
> >
> > I would like to prevent 2 or 3 networks from being redirected to the proxy, but I
> > can't :( Maybe someone has solved this problem somehow?
>
> Which version of Shorewall are you running?

Sorry -- that question was irrelevant; Shorewall can't currently be configured to do what you want.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Friday 06 February 2004 07:54 am, Tom Eastep wrote:
> On Friday 06 February 2004 07:49 am, Tom Eastep wrote:
> > On Friday 06 February 2004 06:22 am, August wrote:
> > > Hi
> > > I have a small problem with configuring a transparent proxy for my
> > > networks. When I configure it with the rule:
> > >
> > > REDIRECT loc:!$not_redir 8080 tcp www - !$my_network
> > >
> > > it works fine; network $not_redir doesn't go through the proxy. But when I
> > > try to configure more than one network to not go through the proxy, there is a
> > > problem. All networks ($not_redir1 and $not_redir2 too) go through the
> > > proxy.
> > > I tried configuring it like this:
> > >
> > > REDIRECT loc:!$not_redir1 8080 tcp www - !$my_network
> > > REDIRECT loc:!$not_redir2 8080 tcp www - !$my_network
> > >
> > > or:
> > > in Params
> > > not_redir_all=net1,net2
> > >
> > > in Rules
> > > REDIRECT loc:!$not_redir_all 8080 tcp www - !$my_network
> > >
> > > I would like to prevent 2 or 3 networks from being redirected to the proxy, but
> > > I can't :( Maybe someone has solved this problem somehow?
> >
> > Which version of Shorewall are you running?
>
> Sorry -- that question was irrelevant; Shorewall can't currently be
> configured to do what you want.

While I was hacking away on 2.0, I recalled that there is a way to do what you want. You can define a zone (call it nored) that consists of the networks that you don't want to redirect. Then make your rule:

REDIRECT loc!nored 8080 tcp www - !$my_network

A couple of tips:

a) Define nored before loc in /etc/shorewall/zones
b) Use the /etc/shorewall/hosts file to define nored
c) In /etc/shorewall/policy, have:

   loc   nored   NONE
   nored loc     NONE

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>On Friday 06 February 2004 07:54 am, Tom Eastep wrote:
>
>>On Friday 06 February 2004 07:49 am, Tom Eastep wrote:
>>
>>>On Friday 06 February 2004 06:22 am, August wrote:
>>>
>>>>Hi
>>>>I have a small problem with configuring a transparent proxy for my
>>>>networks. When I configure it with the rule:
>>>>
>>>>REDIRECT loc:!$not_redir 8080 tcp www - !$my_network
>>>>
>>>>it works fine; network $not_redir doesn't go through the proxy. But when I
>>>>try to configure more than one network to not go through the proxy, there is a
>>>>problem. All networks ($not_redir1 and $not_redir2 too) go through the
>>>>proxy.
>>>>I tried configuring it like this:
>>>>
>>>>REDIRECT loc:!$not_redir1 8080 tcp www - !$my_network
>>>>REDIRECT loc:!$not_redir2 8080 tcp www - !$my_network
>>>>
>>>>or:
>>>> in Params
>>>>not_redir_all=net1,net2
>>>>
>>>> in Rules
>>>>REDIRECT loc:!$not_redir_all 8080 tcp www - !$my_network
>>>>
>>>>I would like to prevent 2 or 3 networks from being redirected to the proxy, but
>>>>I can't :( Maybe someone has solved this problem somehow?
>>>
>>>Which version of Shorewall are you running?
>>
>>Sorry -- that question was irrelevant; Shorewall can't currently be
>>configured to do what you want.
>
>While I was hacking away on 2.0, I recalled that there is a way to do what you
>want. You can define a zone (call it nored) that consists of the networks
>that you don't want to redirect. Then make your rule:
>
>REDIRECT loc!nored 8080 tcp www - !$my_network
>
>A couple of tips:
>
>a) Define nored before loc in /etc/shorewall/zones
>b) Use the /etc/shorewall/hosts file to define nored
>c) In /etc/shorewall/policy, have:
>
>   loc   nored   NONE
>   nored loc     NONE
>
>-Tom

Thanks for your reply, but I don't have good news about the problem. The configuration you suggested works like the others I tried: all the subnets have been redirected to the transparent proxy.
On Monday 09 February 2004 03:46 am, August wrote:
>
> Thanks for your reply, but I don't have good news about the problem. The
> configuration you suggested works like the others I tried: all the subnets have
> been redirected to the transparent proxy.
>

Please forward the output of "shorewall show nat" with Shorewall configured as I suggest.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>Please forward the output of "shorewall show nat" with Shorewall configured as
>I suggest.
>
>-Tom

It looks like it should work, but doesn't. It will be a kind of long listing. Here we go:

vektra shorewall # shorewall show nat

Shorewall-1.4.10 NAT at vektra.xx.pl - Tue Feb 10 09:34:01 CET 2004

Counters reset Tue Feb 10 09:33:49 CET 2004

Chain PREROUTING (policy ACCEPT 785K packets, 47M bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   170 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  382 19017 loc_dnat   all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
   24  1666 loc_dnat   all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    3   170 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 413K packets, 28M bytes)
 pkts bytes target     prot opt in     out     source               destination
   62  3731 eth1_out   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   62  3731 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 386K packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            217.98.xx.6         to:10.5.0.245
    0     0 DNAT       all  --  *      *       0.0.0.0/0            217.98.xx.7         to:10.5.0.246

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14   898 masq1      all  --  *      *       10.0.0.0/8           0.0.0.0/0
   10   526 SNAT       all  --  *      *       192.168.0.0/24       0.0.0.0/0           to:217.98.xx.2

Chain eth1_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.5.0.245           0.0.0.0/0           to:217.98.xx.6
    0     0 SNAT       all  --  *      *       10.5.0.246           0.0.0.0/0           to:217.98.xx.7

Chain loc_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
   68  3264 nonat1     tcp  --  !nored *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain masq1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       10.5.0.245           0.0.0.0/0
    0     0 RETURN     all  --  *      *       10.5.0.246           0.0.0.0/0
   14   898 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:217.98.xx.3

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 5800,5900 to:10.5.0.148
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6050,6150 to:10.0.10.50
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6052,6152 to:10.0.10.52

Chain nonat1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            195.117.xx.0/24
    0     0 RETURN     all  --  *      *       0.0.0.0/0            81.219.xx.0/24
    0     0 RETURN     all  --  *      *       0.0.0.0/0            217.98.xx.0/24
   68  3264 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           redir ports 8080
On Tuesday 10 February 2004 12:39 am, August wrote:
> Tom Eastep wrote:
> >Please forward the output of "shorewall show nat" with Shorewall
> > configured as I suggest.
> >
> >-Tom
>
> It looks like it should work, but doesn't. It will be a kind of long
> listing. Here we go:
>

Please send me a tarball of your /etc/shorewall directory.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tuesday 10 February 2004 07:22 am, Tom Eastep wrote:
> On Tuesday 10 February 2004 12:39 am, August wrote:
> > Tom Eastep wrote:
> > >Please forward the output of "shorewall show nat" with Shorewall
> > > configured as I suggest.
> > >
> > >-Tom
> >
> > It looks like it should work, but doesn't. It will be a kind of long
> > listing. Here we go:
>
> Please send me a tarball of your /etc/shorewall directory.
>

It looks like your rule is (note the ":"):

REDIRECT loc:!nored ...

It should be (without the ":"):

REDIRECT loc!nored ...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
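As an added illustration of the diagnosis above (this is example code written for this page, not code from the thread or from Shorewall), a small Python checker that does two things: it flags a rules-file SOURCE column of the form `zone:!zone` when the name after the colon is itself a defined zone, and it scans a `shorewall show nat` listing for rule rows whose in/out interface column is a negated zone name, which is the `!nored` symptom visible in the `loc_dnat` chain posted above. The classification of SOURCE forms is the example's own heuristic (not Shorewall's parser), and the `ZONES` set, the sample rules and the listing excerpt are constructed for the example.

```python
# Added example: checker for the 'loc:!nored' vs 'loc!nored' mistake from the
# thread. Heuristic parsing written for this page; not Shorewall's own code.

# Zones assumed to be defined in /etc/shorewall/zones (constructed for the example).
ZONES = {"net", "loc", "nored"}


def classify_source(source, zones):
    """Classify the SOURCE column of a /etc/shorewall/rules entry.

    Returns a tuple whose first element is one of:
      'zone'            plain zone name, e.g. loc
      'zone_exclusion'  zone!subzone, e.g. loc!nored (the form that worked)
      'zone_hosts'      zone:list, e.g. loc:192.168.1.0/24 or loc:!10.0.0.0/8
      'suspect'         zone:!name where name is itself a zone (the mistake)
    """
    if ":" in source:
        zone, _, hosts = source.partition(":")
        if hosts.startswith("!") and hosts[1:] in zones:
            return ("suspect", zone, hosts[1:])
        return ("zone_hosts", zone, hosts)
    if "!" in source:
        zone, _, sub = source.partition("!")
        return ("zone_exclusion", zone, sub)
    return ("zone", source)


def check_rules(text, zones):
    """Return one warning string per rules line whose SOURCE is 'suspect'."""
    warnings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 2:
            continue
        action, source = cols[0], cols[1]
        kind = classify_source(source, zones)
        if kind[0] == "suspect":
            zone, sub = kind[1], kind[2]
            warnings.append(
                f"line {lineno}: {action} source '{source}' puts zone '{sub}' "
                f"after ':'; to exclude a zone write '{zone}!{sub}'"
            )
    return warnings


def find_negated_zone_interfaces(listing, zones):
    """Scan 'shorewall show nat' output for rule rows whose 'in' or 'out'
    interface column is '!<zone>', i.e. a zone name that reached iptables as
    an interface match. Returns a list of (chain, column, value)."""
    hits = []
    chain = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        cols = line.split()
        # rule rows: pkts bytes target prot opt in out source destination ...
        if len(cols) < 9 or cols[0] == "pkts":
            continue
        for idx, name in ((5, "in"), (6, "out")):
            if cols[idx].startswith("!") and cols[idx][1:] in zones:
                hits.append((chain, name, cols[idx]))
    return hits


# Constructed samples: the rule as the poster had it, and the corrected form.
RULES_BROKEN = "REDIRECT loc:!nored 8080 tcp www - !$my_network\n"
RULES_FIXED = "REDIRECT loc!nored 8080 tcp www - !$my_network\n"

# Constructed excerpt mirroring the loc_dnat chain posted in the thread.
NAT_LISTING = """\
Chain loc_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
   68  3264 nonat1     tcp  --  !nored *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
"""

if __name__ == "__main__":
    for w in check_rules(RULES_BROKEN, ZONES):
        print(w)
    print("warnings for fixed rule:", check_rules(RULES_FIXED, ZONES))
    print("negated zone names in interface columns:",
          find_negated_zone_interfaces(NAT_LISTING, ZONES))
```

The second check is the more useful one operationally: a negated zone name in an iptables interface column never matches a real interface, so the exclusion silently applies to nothing and every host is redirected, which is exactly the behaviour the poster saw.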
Tom Eastep wrote:
>
>It looks like your rule is (note the ":"):
>
>REDIRECT loc:!nored ...
>
>It should be (without the ":"):
>
>REDIRECT loc!nored ...
>
>-Tom

Wow! It works now :) At the moment I'm running 2.0 Beta and it works as well.

Thanks for your time and help.

Krzysztof Augustyn