Hello. I am new to this list but have a quick question. I have used Seawall/Dachstein and LEAF/Bering/Shorewall for a while but recently switched to Mandrake. I uninstalled the Mandrake Shorewall rpm and installed the current shorewall from the shorewall.sf.net site.

I am trying to test using a squid solution on my firewall box and have a question about the redirect rule. In the shorewall documentation of the rules file it states "When the firewall has multiple external IP ... That IP address (or a comma-separated list of such addresses) is specified in the ORIGINAL DEST column."

My question is in reference to the comma-separated list of such addresses. I want to forward all local www requests to a squid transparent proxy on the firewall port 3128 except my external IP (as in your example) AND my internal IP of my fw machine. I have a modified weblet type page running on my firewall - so any request from my local network to my external IP as well as a local request to the internal IP of my firewall box are not affected by the rule.

The following rule works as documented:

REDIRECT loc 3128 tcp www - !$ETH0_IP

I want to do something like:

REDIRECT loc 3128 tcp www - !$ETH0_IP,!10.0.0.254

but this gives me the error:

iptables v1.2.7a: host/network `24.175.66.135,!10.0.0.254' not found

For some reason it only allows one address in the original destination column. I've tried various combinations of the above rule and have had no luck. Is there a problem with the rule? Is there a better approach to the problem? Am I making sense? Any help would be greatly appreciated.

Thanks!
Jonathan

******************************************
Please find below my configuration.
Shorewall version 1.4.2
Linux linux01 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:66:aa:6a brd ff:ff:ff:ff:ff:ff
    inet 24.175.66.135/20 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:66:aa:ce brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.254/24 brd 10.0.0.255 scope global eth1

10.0.0.0/24 dev eth1 scope link
24.175.64.0/20 dev eth0 proto kernel scope link src 24.175.66.135
127.0.0.0/8 dev lo scope link
default via 24.175.64.1 dev eth0
On Fri, 9 May 2003 10:52:03 -0500, Jonathan Portwood <jportwood@houston.rr.com> wrote:

> I want to do something like:
> REDIRECT loc 3128 tcp www - !$ETH0_IP,!10.0.0.254
> but this gives me the error:
> iptables v1.2.7a: host/network `24.175.66.135,!10.0.0.254' not found
> For some reason it only allows one address in the original destination column.
>
> I've tried various combinations of the above rule and have had no luck. Is there a problem with the rule? Is there a better approach to the problem?

This is working as intended. There is no way in Shorewall using ! to exclude more than a single host/network address.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 09 May 2003 08:57:10 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 9 May 2003 10:52:03 -0500, Jonathan Portwood <jportwood@houston.rr.com> wrote:
>
>> I want to do something like:
>> REDIRECT loc 3128 tcp www - !$ETH0_IP,!10.0.0.254
>> but this gives me the error:
>> iptables v1.2.7a: host/network `24.175.66.135,!10.0.0.254' not found
>> For some reason it only allows one address in the original destination column.
>>
>> I've tried various combinations of the above rule and have had no luck. Is there a problem with the rule? Is there a better approach to the problem?
>
> This is working as intended. There is no way in Shorewall using ! to exclude more than a single host/network address.

What are the two addresses that you are trying to exclude here? Where are you running Squid? Have you reviewed http://www.shorewall.net/Shorewall_Squid_Usage.html?

-Tom
On Fri, 9 May 2003 10:52:03 -0500, Jonathan Portwood <jportwood@houston.rr.com> wrote:

> I am trying to test using a squid solution on my firewall box and have a question about the redirect rule. In the shorewall documentation of the rules file it states "When the firewall has multiple external IP ... That IP address (or a comma-separated list of such addresses) is specified in the ORIGINAL DEST column."

I also notice that the comma-separated list part of this isn't implemented; I'll correct the documentation.

-Tom
Tom,

> What are the two addresses that you are trying to exclude here?
> Where are you running Squid?
> Have you reviewed http://www.shorewall.net/Shorewall_Squid_Usage.html?

I have reviewed the squid document. Maybe I am totally off-base here but what I am trying to accomplish is running squid on the firewall machine itself, and have squid handle all www requests from the local network except those requests to my external ip and the internal ip address of the firewall itself. I don't know if that makes any sense or if what I am endeavoring to accomplish is even viable. Maybe there is another way to accomplish the same thing.

My internal ip for my firewall is 10.0.0.254 and my external dynamic ip is something like 24.175.66.135. I want squid to handle all www requests except a request to either 10.0.0.254 (a modified weblet from Bering) or 24.175.66.135.

Thanks
Jonathan
On Fri, 9 May 2003 12:18:23 -0500, Jonathan Portwood <jportwood@houston.rr.com> wrote:

> I have reviewed the squid document. Maybe I am totally off-base here but what I am trying to accomplish is running squid on the firewall machine itself, and have squid handle all www requests from the local network except those requests to my external ip and the internal ip address of the firewall itself. I don't know if that makes any sense or if what I am endeavoring to accomplish is even viable. Maybe there is another way to accomplish the same thing.
>
> My internal ip for my firewall is 10.0.0.254 and my external dynamic ip is something like 24.175.66.135. I want squid to handle all www requests except a request to either 10.0.0.254 (a modified weblet from Bering) or 24.175.66.135.

a) Do you also run a web server on your firewall (binding to the external address)?
b) If not, do you require remote access to the weblet?
c) If not, can you have the weblet bind only to the internal IP?
d) If you run both the weblet and a web server, can you run the weblet on another port?

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Jonathan Portwood" <jportwood@houston.rr.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Friday, May 09, 2003 12:29 PM
Subject: Re: [Shorewall-users] Redirect rule question

> a) Do you also run a web server on your firewall (binding to the external address)?

Yes, actually that is what I use to serve the weblet pages. I shouldn't have called it the weblet because the sh-httpd or whatever is used to serve the weblet pages isn't used - I just took the weblet cgi-scripts and stuff and modified them to work with my specific Mandrake and Apache configuration. Apache serves both the internal and external address.

> b) If not, do you require remote access to the weblet?

No, but I use apache's configuration to enable access to the weblet only from my internal subnet.

> c) If not, can you have the weblet bind only to the internal IP?

I do serve some other pages that require binding to the external IP. What I was really wanting was for squid to ignore two www requests. One to my internal IP and the other to my external IP - even though they serve the same pages and are the same web-server. I was just wondering if it could be done. Just a curiosity mainly - just wondering how I could really come up with a way to have multiple IP's in that destination column.

Thanks!
Jonathan
On Sun, 11 May 2003 18:31:52 -0500, Jonathan Portwood <jportwood@houston.rr.com> wrote:

> I was just wondering if it could be done. Just a curiosity mainly - just wondering how I could really come up with a way to have multiple IP's in that destination column.

What you want to do with Netfilter is:

if not (A OR B) then R endif

This requires a jump to a separate user chain where A and B both trigger RETURNs and R is the last rule in the chain. Shorewall isn't smart enough to do that except in one case that doesn't apply here.

-Tom
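As an added illustration of the "jump to a user chain where A and B both RETURN and R is the last rule" construction Tom describes (this is example code written for this page, not Shorewall's own rules and not from anyone in the thread): it spells the construction out as raw nat-table iptables commands using the two addresses and eth1 from Jonathan's posted configuration, and walks the chain for a given destination to show why the order of the rules matters. The chain name squid_redir is an assumption.

```shell
#!/bin/sh
# Added example for this thread (not Shorewall's code, not from the posters):
# "if not (A OR B) then R" as a netfilter user chain. A and B RETURN, and
# R (the REDIRECT to squid) is the last rule, so it only fires when neither
# RETURN matched. Addresses/interface come from Jonathan's configuration;
# the chain name "squid_redir" is made up for this example.

ETH0_IP="24.175.66.135"   # external address (A)
FW_INT_IP="10.0.0.254"    # firewall's internal address on eth1 (B)
LOC_IF="eth1"             # interface facing the loc zone
SQUID_PORT=3128           # transparent squid port (R = REDIRECT here)

# Print the commands rather than executing them, so they can be reviewed
# first and the script runs without root. Apply with: squid_redirect_rules | sh
squid_redirect_rules() {
    cat <<EOF
iptables -t nat -N squid_redir
iptables -t nat -A squid_redir -d $ETH0_IP -j RETURN
iptables -t nat -A squid_redir -d $FW_INT_IP -j RETURN
iptables -t nat -A squid_redir -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A PREROUTING -i $LOC_IF -p tcp --dport 80 -j squid_redir
EOF
}

# Walk the user chain for one destination address the way netfilter does
# (first matching rule decides) and print the verdict: RETURN means the
# request is left alone, REDIRECT means squid gets it.
squid_verdict() {
    squid_redirect_rules | awk -v dst="$1" '
        / -A squid_redir / {
            d = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") d = $(i + 1)
                if ($i == "-j") t = $(i + 1)
            }
            # a rule with no -d matches every destination
            if (d == "" || d == dst) { print t; exit }
        }'
}

squid_verdict "$ETH0_IP"       # RETURN
squid_verdict "$FW_INT_IP"     # RETURN
squid_verdict 198.51.100.7     # REDIRECT (any other web server)
```

Swapping the REDIRECT line above the two RETURN lines makes squid_verdict answer REDIRECT for every address, which is exactly why R has to be the last rule in the chain.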