The rule:
ACCEPT loc $FW::3128 tcp www
doesn't work properly: HTTP traffic from loc is not redirected
to squid on port 3128 but leaves the firewall directly instead.
What's wrong?
Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
--------------------------------------
@@@@@@@ this is my shorewall-1.2.13 config:
#[/etc/shorewall/common.def]-----------------------------------------------
# /etc/shorewall/common.def: entries appended to the "common" chain through
# Shorewall's run_iptables wrapper (in the trace below it is a thin layer over
# iptables).
run_iptables -A common -p icmp -j icmpdef            # hand all ICMP to the icmpdef chain
# Accept any TCP segment that has ACK set, and any that has RST set
# (--tcp-flags <mask> <compare>).
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
# Windows networking ports: NetBIOS 137-139 and SMB 445 (UDP), RPC endpoint
# mapper 135 (TCP).
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
# NOTE(review): lowercase "reject" target here, unlike REJECT on the two
# lines above — presumably a Shorewall-defined chain rather than the
# iptables target; confirm it exists on this version.
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p udp --dport 1900 -j DROP   # UDP 1900 (SSDP/UPnP discovery)
run_iptables -A common -d 255.255.255.255 -j DROP    # limited-broadcast destination
run_iptables -A common -d 224.0.0.0/4 -j DROP        # multicast destination range
#[/etc/shorewall/interfaces]-----------------------------------------------
net eth0 detect noping,norfc1918
loc eth1 detect routestopped
#[/etc/shorewall/masq]-----------------------------------------------
eth0 10.1.65.0/24
#[/etc/shorewall/policy]-----------------------------------------------
loc net ACCEPT
net all DROP info
all all REJECT info
#[/etc/shorewall/rules]-----------------------------------------------
ACCEPT loc $FW::3128 tcp www
ACCEPT loc $FW tcp ssh
ACCEPT net $FW tcp ssh,auth
ACCEPT $FW net udp ntp
#[/etc/shorewall/shorewall.conf]-----------------------------------------------
# /etc/shorewall/shorewall.conf: plain shell variable assignments.
FW=fw                                   # firewall zone name; referenced as $FW in rules
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"                      # lowercase "yes" here; every other boolean below uses "Yes"
MODULESDIR=""
LOGRATE="1/minute"                      # log rate limiting, with LOGBURST below
LOGBURST="5"
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"                      # this host routes between eth0 and eth1 (see masq)
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="Yes"
ROUTE_FILTER="Yes"                      # reverse-path filtering on
NAT_BEFORE_RULES="Yes"                  # NAT entries are processed before the rules file
#[/etc/shorewall/start]-----------------------------------------------
# /etc/shorewall/start: insert at position 2 of the OUTPUT chain a DROP for
# locally generated ICMP whose conntrack state is INVALID.
run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP
#[/etc/shorewall/zones]-----------------------------------------------
net Net Internet Blixer
loc Local Rete Locale Ivrea
dmz DMZ Demilitarized zone
@@@@@@@ this is a portion of the debug output of the shorewall script (note that the only command it emits for the rule is the filter-table ACCEPT on loc2fw with --dport www; the 3128 from $FW::3128 is parsed into servport but never appears in the iptables command):
+ iptables -A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
+ eval loc2fw_exists=Yes
++ loc2fw_exists=Yes
+ '[' www = none -o www = None -o '' = none -o '' = None -o '' = none -o '' = None -o '' = none -o '' = None ']'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list www
++ echo www
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
+ add_a_rule
+ cli+ '[' -n - ']'
+ dest_interface+ '[' -n - ']'
+ serv+ sports+ dports+ state=-m state --state NEW
+ proto=tcp
+ addr+ servport=3128
+ '[' -n www ']'
+ '[' xwww '!=' x- ']'
+ dports=--dport www
+ '[' -n - ']'
+ '[' x- '!=' x- ']'
+ proto=-p tcp
+ '[' ACCEPT = REJECT ']'
+ '[' -z '-p tcp' -a -z '' -a -z '' -a -z 3128 ']'
+ '[' -n 3128 ']'
+ '[' -n '' -a '' '!=' '' ']'
+ serv+ '[' -n '' ']'
+ run_iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ echo -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ sed 's/!/! /g'
+ iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
+ echo ' Rule "ACCEPT loc fw::3128 tcp www" added.'
Rule "ACCEPT loc fw::3128 tcp www" added.
+ read target clients servers protocol ports cports address