Hello,

I have a setup where the lan zone, eth0, will be forwarded through a transparent proxy (dansguardian and squid with squidguard) for web access. Now I want a few computers that are part of the lan zone to be free from the time, content restrictions. I tried making a sub zone called webgp, and adding a rule that allows webgp to wan on 80. I then added these few computers to the webgp zone, but it seems that the rule for the transparent proxy is overriding this one and everyone goes through the proxy. Here is some config info:

Zones
#zone    display          comments
webgp    Full_Web_Access  Web_Privileged_Zone
lan      LAN              local_area_network
wan      NET              internet

Policies
#client  server  policy    log_level
webgp    wan     CONTINUE  info
webgp    fw      CONTINUE  info
lan      all     REJECT    info
fw       all     REJECT    info
wan      all     REJECT    info
all      all     REJECT    info

Interfaces
#zone  interface  broadcast  options
lan    eth0       detect     routestopped
wan    eth1       detect     dhcp,noping,norfc1918

Hosts
#zone  host                options
webgp  eth0:192.155.1.233
webgp  eth0:192.155.1.248
webgp  eth0:192.155.1.231

Rules
#result  client  server    proto  port  client_port  address
..............snip...............
ACCEPT   webgp   wan       tcp    www   -
ACCEPT   lan     fw::3328  tcp    www   -            all
ACCEPT   fw      wan       tcp    www   -
..............snip...............

It appears that the above rule that forwards that lan traffic to the firewall port 3328 is also forwarding the webgp traffic, and since webgp is a sub zone of lan, I don't know how to make this work. If someone has any ideas, please let me know.

Thanks
Joseph
On Mon, 13 May 2002, Joseph T Watson wrote:

> It appears that the above rule that forwards that lan traffic to the firewall
> port 3328 is also forwarding the webgp traffic, and since webgp is a sub zone
> of lan, I don't know how to make this work. If someone has any ideas, please
> let me know.

Please send me the output from "shorewall status".

Thanks,
-Tom

PS -- it may be a couple of days before I can look at this.

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Monday 13 May 2002 11:46 pm, Tom Eastep wrote:

> On Mon, 13 May 2002, Joseph T Watson wrote:
> > It appears that the above rule that forwards that lan traffic to the
> > firewall port 3328 is also forwarding the webgp traffic, and since webgp
> > is a sub zone of lan, I don't know how to make this work. If someone has
> > any ideas, please let me know.
>
> Please send me the output from "shorewall status".
>
> Thanks,
> -Tom
>
> PS -- it may be a couple of days before I can look at this.

I will send it to you tomorrow when I have access to the machine, but I have some further thoughts. Here is how I think the chains are traversed:

 --->PRE------>[ROUTE]--->FWD---------->POST------>
     Conntrack    |       Filter   ^     NAT (Src)
     Mangle       |                |     Conntrack
     NAT (Dst)    |             [ROUTE]
     (QDisc)      v                |
                 IN Filter       OUT Conntrack
                  | Conntrack     ^  Mangle
                  |               |  NAT (Dst)
                  v               |  Filter

From this you can see that the port forwarding is done first thing in the PREROUTING table. Now here is my PREROUTING table....

Chain PREROUTING (policy ACCEPT 8982 packets, 744K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3328

I can see that there is no way to distinguish between a webgp host and a lan host because webgp is a subset of lan and this is why all my packets are being forwarded to 3328. Would something like the following work??

Chain PREROUTING (policy ACCEPT 8982 packets, 744K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       192.155.1.233        0.0.0.0/0            tcp dpt:80 redir ports 80
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3328

This can be done with the following rule??

ACCEPT   webgp   fw::80   tcp   www   -   all

What do you think??

Thanks
Joseph
On Tue, 14 May 2002, Joseph T Watson wrote:

> On Monday 13 May 2002 11:46 pm, Tom Eastep wrote:
>
> Chain PREROUTING (policy ACCEPT 8982 packets, 744K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3328
>
> I can see that there is no way to distinguish between a webgp host and a lan host because
> webgp is a subset of lan and this is why all my packets are being forwarded to 3328.
> Would something like the following work??
>
> Chain PREROUTING (policy ACCEPT 8982 packets, 744K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  eth0   *       192.155.1.233        0.0.0.0/0            tcp dpt:80 redir ports 80
>     0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3328
>
> This can be done with the following rule??
>
> ACCEPT   webgp   fw::80   tcp   www   -   all

No -- I realized after I went to bed last night that we had seen this problem before and that it is exactly as you describe. The solution the last time was to configure Squid to simply pass through requests from those hosts who are awarded direct internet access. A search of the archives for "Squid" should turn up the old thread.

If there is just the single host that you want to allow direct web access, you can write your redirect rule as:

ACCEPT   loc:!192.155.1.233   fw::3328   tcp   80   -   all

Otherwise, you will need to configure your proxy as mentioned above. Fixing this in the general case will take a major rethink of the code that handles the 'nat' table and won't occur before version 1.3.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
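The first-match walk of the nat PREROUTING chain that Joseph traces above, and the negated-source redirect Tom gives as the single-host fix, as an added Python model that is not part of this thread or of Shorewall's own code. It assumes constructed rule strings in the thread's Shorewall syntax, and it also models a per-host RETURN generalisation for the three webgp hosts that the thread does not propose (Tom points to the Squid configuration for that case).

```python
"""Model of the iptables nat/PREROUTING chain a transparent-proxy redirect
creates, to check which LAN hosts actually end up in the proxy."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80}  # Shorewall accepts service names in the PORT column

@dataclass
class Rule:
    src: str                       # iptables -s match; leading "!" means "! -s"
    dport: int                     # tcp --dport
    target: str                    # "REDIRECT" or "RETURN"
    to_port: Optional[int] = None  # --to-ports for REDIRECT

def parse_redirect(shorewall_rule: str) -> Rule:
    """Turn 'ACCEPT loc:!192.155.1.233 fw::3328 tcp 80 - all' into a Rule.
    Only the zone[:address|:!address] client and fw::port server forms seen
    in the thread are handled (assumed subset of the full syntax)."""
    action, client, server, proto, port = shorewall_rule.split()[:5]
    if action != "ACCEPT" or proto != "tcp" or "::" not in server:
        raise ValueError("not a transparent-proxy redirect rule")
    src = client.split(":", 1)[1] if ":" in client else "0.0.0.0/0"
    dport = int(PORT_NAMES.get(port, port))
    return Rule(src=src, dport=dport, target="REDIRECT",
                to_port=int(server.split("::")[1]))

def _matches(rule: Rule, src_ip: str, dport: int) -> bool:
    if dport != rule.dport:
        return False
    negate = rule.src.startswith("!")   # "! -s" only inverts the source test
    net = ipaddress.ip_network(rule.src.lstrip("!"), strict=False)
    return (ipaddress.ip_address(src_ip) in net) != negate

def redirect_port(chain, src_ip: str, dport: int) -> Optional[int]:
    """First match wins. None means no redirect: either RETURN or falling
    through to the chain's ACCEPT policy."""
    for rule in chain:
        if _matches(rule, src_ip, dport):
            return rule.to_port if rule.target == "REDIRECT" else None
    return None

# Joseph's original rule: every port-80 packet from the LAN hits the proxy,
# and the webgp zone is invisible here because it is a subset of lan.
ORIGINAL = [parse_redirect("ACCEPT lan fw::3328 tcp www - all")]
# Tom's single-host fix: exclude the host in the source match.
SINGLE_EXEMPT = [parse_redirect("ACCEPT loc:!192.155.1.233 fw::3328 tcp 80 - all")]
# Assumed generalisation (not from the thread): one RETURN per webgp host
# placed before the catch-all REDIRECT.
WEBGP_HOSTS = ["192.155.1.233", "192.155.1.248", "192.155.1.231"]
MULTI_EXEMPT = [Rule(h, 80, "RETURN") for h in WEBGP_HOSTS] + ORIGINAL

def proxied_hosts(chain, hosts):
    """Hosts whose port-80 requests would be redirected to the proxy."""
    return [h for h in hosts if redirect_port(chain, h, 80) == 3328]
```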