I'm trying to use shorewall with a transparent proxy, but instead of using REDIRECT, my intention is to use TPROXY.
According to TPROXY documentation, all you need to do is add some iptables rules and some routing:

  ip rule add fwmark 0x1/0x1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100

  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  # DIVERT chain: mark packets and accept
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT

The last rule is for diverting traffic to the proxy:

  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080

All but the last rule can be done from shorewall's scripts (start, started...) because they are pretty static.
But the last rule would be great to be used from inside shorewall, something like REDIRECT.
Can someone point me in the right direction on how to write a macro or anything to make this work "kind of native" in shorewall or does it have to be done by Tom?

Thanks
Pablo.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
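An added check, not part of the thread or of Shorewall: a shell function that verifies the three pieces of the TPROXY setup listed above (the fwmark policy rule, the local route in table 100, and the mangle rules, including their order) from the text of "ip rule show", "ip route show table 100" and "iptables-save -t mangle". The sample outputs it runs on are constructed, and the patterns assume iptables-save's usual formatting of the rules.

```shell
#!/bin/sh
# Added example (not from the thread): check that the TPROXY plumbing described
# above is in place, e.g. after a Shorewall restart has rewritten the mangle table.
# Arguments: text of "ip rule show", "ip route show table 100" and "iptables-save -t mangle".
# Returns 0 when every piece is present and ordered correctly; otherwise reports each
# problem on stderr and returns 1.
check_tproxy_setup() {
    rules=$1 routes=$2 mangle=$3 bad=0
    fail() { echo "tproxy check: $1" >&2; bad=1; }
    # 1. Policy routing: packets marked 0x1 (mask 0x1) are looked up in table 100.
    printf '%s\n' "$rules" | grep -q 'fwmark 0x1/0x1 lookup 100' \
        || fail "no 'ip rule ... fwmark 0x1/0x1 lookup 100'"
    # 2. Table 100 delivers everything locally via lo ("default" or 0.0.0.0/0).
    printf '%s\n' "$routes" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' \
        || fail "table 100 lacks 'local 0.0.0.0/0 dev lo'"
    # 3. Mangle: socket match -> DIVERT; DIVERT marks 0x1 and accepts; TPROXY on :80.
    sock=$(printf '%s\n' "$mangle" | grep -n -- '-A PREROUTING -p tcp -m socket -j DIVERT' | cut -d: -f1)
    [ -n "$sock" ] || fail "no '-m socket -j DIVERT' rule in PREROUTING"
    printf '%s\n' "$mangle" | grep -Eq -- '-A DIVERT -j MARK --set-x?mark (1|0x1)([/ ]|$)' \
        || fail "DIVERT chain does not set mark 0x1"
    printf '%s\n' "$mangle" | grep -q -- '-A DIVERT -j ACCEPT' \
        || fail "DIVERT chain does not ACCEPT"
    tproxy=$(printf '%s\n' "$mangle" \
        | grep -En -- '-A PREROUTING -p tcp .*--dport 80 -j TPROXY .*--on-port 50080' \
        | grep -- '--tproxy-mark 0x1/0x1' | cut -d: -f1)
    [ -n "$tproxy" ] || fail "no TPROXY rule for dport 80 -> :50080 with mark 0x1/0x1"
    # The socket match must precede the TPROXY rule: packets of connections the proxy
    # already owns are diverted by it and never hit TPROXY a second time.
    if [ -n "$sock" ] && [ -n "$tproxy" ] && [ "$sock" -gt "$tproxy" ]; then
        fail "'-m socket -j DIVERT' comes after the TPROXY rule; it must come first"
    fi
    return $bad
}
# Constructed sample output (not captured from a real host) for a correct setup.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1/0x1 lookup 100
32766:  from all lookup main'
SAMPLE_ROUTES='local default dev lo scope host'
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 50080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
# The same table with the two PREROUTING rules in the wrong order (lines 4 and 5 swapped).
SAMPLE_MANGLE_SWAPPED=$(printf '%s\n' "$SAMPLE_MANGLE" | sed -e '4{h;d;}' -e '5G')
check_tproxy_setup "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" && echo "good setup: OK"
check_tproxy_setup "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE_SWAPPED" || echo "swapped setup: rejected"
```

On a live box, feed it real output: check_tproxy_setup "$(ip rule show)" "$(ip route show table 100)" "$(iptables-save -t mangle)".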
Pablo Sebastián Greco wrote:
>
> The last rule is for diverting traffic to the proxy:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
>
> All but the last rule can be done from shorewall's scripts (start, started...) because they are pretty static.
> But the last rule would be great to be used from inside shorewall, something like REDIRECT.
> Can someone point me in the right direction on how to write a macro or anything to make this work "kind of native"
> in shorewall or does it have to be done by Tom?

Shorewall currently doesn't have the capability to write mangle table rules in Actions (even with an extension script).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Pablo Sebastián Greco wrote:
>
>>
>> The last rule is for diverting traffic to the proxy:
>>
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 50080
>>
>> All but the last rule can be done from shorewall's scripts (start,
>> started...) because they are pretty static.
>> But the last rule would be great to be used from inside shorewall,
>> something like REDIRECT.
>> Can someone point me in the right direction on how to write a macro or
>> anything to make this work "kind of native"
>> in shorewall or does it have to be done by Tom?
>
> Shorewall currently doesn't have the capability to write mangle table
> rules in Actions (even with an extension script).

If you are using Shorewall-perl, you can use embedded Perl (or shell) in the tcrules file.
See http://www.shorewall.net/configuration_file_basics.htm#Embedded.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key