The rule:
    ACCEPT          loc       $FW::3128     tcp     www
doesn't work properly: the HTTP traffic is not redirected
to squid but goes straight out.
What's wrong?
Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
--------------------------------------
@@@@@@@ this is my shorewall-1.2.13 config:
#[/etc/shorewall/common.def]-----------------------------------------------
# Shorewall common.def: rules appended to the user-defined "common" chain.
# Order matters: iptables walks a chain top to bottom and the first rule
# with a terminating target decides the packet.
# ICMP is handed to the icmpdef chain (defined outside this file).
run_iptables -A common -p icmp -j icmpdef
# Accept any TCP segment carrying the ACK flag, and any carrying RST, with
# no conntrack (-m state) match on the line.
# NOTE(review): these accept ACK/RST-flagged packets regardless of whether
# a connection is tracked, so they sidestep the ESTABLISHED,RELATED state
# checks used elsewhere in this setup; confirm that is intended.
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
# Reject (not silently drop) NetBIOS (137-139/udp) and SMB (445/udp).
run_iptables -A common -p udp --dport 137:139     -j REJECT
run_iptables -A common -p udp --dport 445         -j REJECT
# 135/tcp (MS RPC endpoint mapper) jumps to the lowercase "reject" chain,
# not the built-in REJECT target -- presumably Shorewall's own reject
# chain; verify it exists before this file is processed.
run_iptables -A common -p tcp --dport 135         -j reject
# Drop SSDP/UPnP discovery (1900/udp).
run_iptables -A common -p udp --dport 1900        -j DROP
# Silently drop packets addressed to limited broadcast and to multicast.
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4     -j DROP
#[/etc/shorewall/interfaces]-----------------------------------------------
net     eth0            detect          noping,norfc1918
loc     eth1            detect          routestopped
#[/etc/shorewall/masq]-----------------------------------------------
eth0            10.1.65.0/24
#[/etc/shorewall/policy]-----------------------------------------------
loc             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#[/etc/shorewall/rules]-----------------------------------------------
ACCEPT          loc       $FW::3128     tcp     www
ACCEPT          loc       $FW           tcp     ssh
ACCEPT          net       $FW           tcp     ssh,auth
ACCEPT          $FW       net           udp     ntp
#[/etc/shorewall/shorewall.conf]--------------------------------------------
---
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"
MODULESDIR=""
LOGRATE="1/minute"
LOGBURST="5"
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="Yes"
ROUTE_FILTER="Yes"
NAT_BEFORE_RULES="Yes"
#[/etc/shorewall/start]-----------------------------------------------
# Shorewall start hook: insert at position 2 of the built-in OUTPUT chain
# (i.e. right after whatever rule already occupies slot 1) a DROP for
# locally generated ICMP that conntrack classifies as INVALID.
run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP
#[/etc/shorewall/zones]-----------------------------------------------
net     Net             Internet Blixer
loc     Local           Rete Locale Ivrea
dmz     DMZ             Demilitarized zone
@@@@@@@ this is a portion of the debug output of the shorewall script (note that the final iptables command below only adds a plain filter ACCEPT with --dport www; the port parsed into servport=3128 never reaches it) ...
+ iptables -A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
+ eval loc2fw_exists=Yes
++ loc2fw_exists=Yes
+ '[' www = none -o www = None -o '' = none -o '' = None -o '' = none -o '' = None -o '' = none -o '' = None ']'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
++ separate_list www
++ echo www
++ sed 's/,/ /g'
++ separate_list -
++ echo -
++ sed 's/,/ /g'
+ add_a_rule
+ cli=
+ '[' -n - ']'
+ dest_interface=
+ '[' -n - ']'
+ serv=
+ sports=
+ dports=
+ state=-m state --state NEW
+ proto=tcp
+ addr=
+ servport=3128
+ '[' -n www ']'
+ '[' xwww '!=' x- ']'
+ dports=--dport www
+ '[' -n - ']'
+ '[' x- '!=' x- ']'
+ proto=-p tcp
+ '[' ACCEPT = REJECT ']'
+ '[' -z '-p tcp' -a -z '' -a -z '' -a -z 3128 ']'
+ '[' -n 3128 ']'
+ '[' -n '' -a '' '!=' '' ']'
+ serv=
+ '[' -n '' ']'
+ run_iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ echo -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
++ sed 's/!/! /g'
+ iptables -A loc2fw -p tcp -m state --state NEW --dport www -j ACCEPT
+ echo '   Rule "ACCEPT loc fw::3128 tcp www" added.'
   Rule "ACCEPT loc fw::3128 tcp www" added.
+ read target clients servers protocol ports cports address