--On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith <daniel@spinsoftware.co.nz> wrote:

> Hello,
>
> I'm not certain that my problem is caused by my shorewall config, but at
> the very least someone can, hopefully, tell me my problem lies elsewhere.
>
> I'm running shorewall on my firewall. The firewall has three nics, eth0
> is the internal net, eth1 is the external net and eth2 is the dmz.
> In the dmz there is a server (192.168.1.2) running squid in transparent
> proxy mode on port 3128.
>
> My shorewall rules include:
> #
> # Let hosts on the local network use squid as a proxy.
> #
> ACCEPT loc dmz tcp 3128
>
> With that rule browsers can successfully use squid by setting their proxy.
>
> If I remove that rule and use the following:
> #
> # All www requests by the local, dmz and firewall subnets should be
> # redirected through squid running on the server in the dmz. The exception
> # being that any request to the www server in the dmz goes straight to it.
> #
> DNAT loc dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
> DNAT dmz dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
> DNAT fw dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
> ACCEPT fw dmz:192.168.1.2 tcp 3128
>
> then browsers get the 'access denied' error page from squid.
> I believe I have squid correctly configured, i.e.
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> and
> http_access allow all as the first http_access line
>
> I'm a little suspicious of my shorewall rules because I translated them
> from these recommendations:
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j
> DNAT --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j
> SNAT --to iptables-box
>
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp
> --dport 3128 -j ACCEPT
>
> and I'm as good at iptables syntax as I am at running sub-four-minute
> miles.
>
> Also when I have both sets of rules defined browsers get the 'access
> denied' error whether using squid transparently or explicitly. I would
> have thought that would still work?
>
> Do the rules look right for my situation?

No. Section 15.5 of the Linux Advanced Routing and Traffic Control HOWTO describes in detail how to set this up.

The "Packet Marking" step described in the HOWTO can be replaced by an entry in the /etc/shorewall/tcrules file (be sure to enable traffic control in /etc/shorewall/shorewall.conf):

2 eth0 0.0.0.0/0 tcp 80

There is a link to the LARTC site from the Shorewall "Useful Links" page.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
--On Saturday, November 09, 2002 2:44 AM +0000 Daniel McAllansmith <daniel@spinsoftware.co.nz> wrote:

> On Fri, 08 Nov 2002 05:46, Tom Eastep wrote:
>> --On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith
>> <daniel@spinsoftware.co.nz> wrote:
>
> [snip]
>
>> > Do the rules look right for my situation?
>>
>> No. Section 15.5 of the Linux Advanced Routing and Traffic Control HOWTO
>> describes in detail how to set this up.
>>
>> The "Packet Marking" step described in the HOWTO can be replaced by an
>> entry in the /etc/shorewall/tcrules file (be sure to enable traffic
>> control in /etc/shorewall/shorewall.conf):
>>
>> 2 eth0 0.0.0.0/0 tcp 80
>>
>> There is a link to the LARTC site from the Shorewall "Useful Links" page.
>>
>> -Tom
>
> Ok, if I understand correctly each packet which should go through squid
> rather than straight to a webserver needs to be marked.
> So I set
>
> TC_Enabled Yes
>
> and add
>
> 2 loc 0.0.0.0/0 tcp 80

Better read the definition of column 2 again (and I should add an edit).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Daniel McAllansmith
2002-Nov-08 15:11 UTC
[Shorewall-users] Accessing transparent squid proxy
Hello,

I'm not certain that my problem is caused by my shorewall config, but at the very least someone can, hopefully, tell me my problem lies elsewhere.

I'm running shorewall on my firewall. The firewall has three nics, eth0 is the internal net, eth1 is the external net and eth2 is the dmz.
In the dmz there is a server (192.168.1.2) running squid in transparent proxy mode on port 3128.

My shorewall rules include:
#
# Let hosts on the local network use squid as a proxy.
#
ACCEPT loc dmz tcp 3128

With that rule browsers can successfully use squid by setting their proxy.

If I remove that rule and use the following:
#
# All www requests by the local, dmz and firewall subnets should be
# redirected through squid running on the server in the dmz. The exception
# being that any request to the www server in the dmz goes straight to it.
#
DNAT loc dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
DNAT dmz dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
DNAT fw dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
ACCEPT fw dmz:192.168.1.2 tcp 3128

then browsers get the 'access denied' error page from squid.
I believe I have squid correctly configured, i.e.
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
and
http_access allow all as the first http_access line

I'm a little suspicious of my shorewall rules because I translated them from these recommendations:
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box

iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

and I'm as good at iptables syntax as I am at running sub-four-minute miles.

Also when I have both sets of rules defined browsers get the 'access denied' error whether using squid transparently or explicitly. I would have thought that would still work?

Do the rules look right for my situation?

Thanks
Daniel
Daniel McAllansmith
2002-Nov-09 02:44 UTC
[Shorewall-users] Accessing transparent squid proxy
On Fri, 08 Nov 2002 05:46, Tom Eastep wrote:
> --On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith
> <daniel@spinsoftware.co.nz> wrote:
[snip]
> > Do the rules look right for my situation?
>
> No. Section 15.5 of the Linux Advanced Routing and Traffic Control HOWTO
> describes in detail how to set this up.
>
> The "Packet Marking" step described in the HOWTO can be replaced by an
> entry in the /etc/shorewall/tcrules file (be sure to enable traffic control
> in /etc/shorewall/shorewall.conf):
>
> 2 eth0 0.0.0.0/0 tcp 80
>
> There is a link to the LARTC site from the Shorewall "Useful Links" page.
>
> -Tom

Ok, if I understand correctly each packet which should go through squid rather than straight to a webserver needs to be marked.
So I set

TC_Enabled Yes

and add

2 loc 0.0.0.0/0 tcp 80

to tcrules.

Now each marked packet needs to be routed to the squid machine rather than its original destination, so I add

2 www.out

to rt_tables and

ip rule add fwmark 2 table www.out
ip route add default via 192.168.1.2 dev eth2 table www.out
ip route flush cache

to tcstart.

And set squid up to listen on port 80 so a redirect to 3128 is not needed.

If I list the rules and show the routes it looks like everything has been entered properly, but I get no activity in either the shorewall/kernel logs or in squid's logs, and http requests go through to the external site.

How do I go about logging what the firewall is actually doing when these requests are made?

What have I messed up?

Thanks a lot
Daniel
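The marking/policy-routing approach Tom pointed at and Daniel set up in the post above, written out as the raw iptables and iproute2 commands it boils down to. This is an added example, not code from the thread, from Shorewall or from the LARTC HOWTO. It takes eth0/eth2, the squid box 192.168.1.2, fwmark 2 and table id 2 from the thread; the numeric table id (instead of the www.out name, which needs an rt_tables entry), squid listening on port 80, the rule priority and the LOG rule are assumptions. Two points the thread's single tcrules line leaves implicit: packets squid itself sends must never be marked, or its own fetches are routed straight back to it; and the squid box still needs a REDIRECT or DNAT rule of its own (the HOWTO's step on the squid side), because the marked packets arrive there addressed to the origin web server, not to 192.168.1.2, so the kernel will try to forward them rather than hand them to a local port-80 socket. With Shorewall managing the firewall, put the MARK rules in tcrules and the ip commands in tcstart as Tom describes rather than running this beside it; DRYRUN=1 prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example; not code from the thread, from Shorewall or from the
# LARTC HOWTO. Raw iptables + iproute2 equivalent of the tcrules/tcstart
# setup: mark client HTTP, policy-route marked packets to the squid box.
#
# From the thread: eth0 = loc, eth2 = dmz, squid on 192.168.1.2, fwmark 2,
# routing table 2. Assumed: numeric table id (no rt_tables dependency),
# squid listening on port 80, rule priority 100, a LOG rule for tracing.
# DRYRUN=1 prints each command instead of executing it.

set -e

LOC_IF=${LOC_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth2}
SQUID=${SQUID:-192.168.1.2}
MARK=${MARK:-2}
TABLE=${TABLE:-2}

run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_transparent_proxy() {
    # 1. Mark HTTP from the internal net, except requests to the squid box
    #    itself (those go straight to the DMZ server, the thread's exception).
    run iptables -t mangle -A PREROUTING -i "$LOC_IF" -p tcp --dport 80 \
        ! -d "$SQUID" -j MARK --set-mark "$MARK"
    # 2. Same for other DMZ hosts, but never for packets squid itself sends:
    #    marking those would route squid's own fetches back to squid.
    run iptables -t mangle -A PREROUTING -i "$DMZ_IF" -p tcp --dport 80 \
        ! -s "$SQUID" ! -d "$SQUID" -j MARK --set-mark "$MARK"
    # 3. The firewall's own HTTP; locally generated packets are re-routed
    #    after mangle/OUTPUT, so the fwmark rule below applies to them too.
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 \
        ! -d "$SQUID" -j MARK --set-mark "$MARK"
    # 4. Log what actually got marked (the "what is the firewall doing?"
    #    question from the thread); remove once the setup is verified.
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" \
        -j LOG --log-prefix "squid-mark: "
    # 5. Policy routing: marked packets consult a table whose only route is
    #    a default via the squid box on the dmz interface.
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100
    run ip route add default via "$SQUID" dev "$DMZ_IF" table "$TABLE"
    run ip route flush cache
    # 6. The filter table still has to forward the redirected flows.
    run iptables -A FORWARD -i "$LOC_IF" -o "$DMZ_IF" -p tcp --dport 80 -j ACCEPT
}

show_state() {
    # Packet counters on the MARK rules plus the rule/table listing tell
    # you whether packets are being marked and where they are being sent.
    run iptables -t mangle -L PREROUTING -v -n
    run ip rule show
    run ip route show table "$TABLE"
}

case "${1:-}" in
    apply) setup_transparent_proxy ;;
    show)  show_state ;;
esac
```

Run as `DRYRUN=1 sh transparent-squid.sh apply` to review the commands, `sh transparent-squid.sh apply` as root to install them, and `sh transparent-squid.sh show` afterwards to read the MARK counters and the policy-routing table; a MARK counter that stays at zero means the traffic is not arriving on the interface the rule names, which is the symptom of using a zone name where tcrules expects an interface.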
--On Saturday, November 09, 2002 12:29:34 PM +0000 Daniel McAllansmith <daniel@spinsoftware.co.nz> wrote:

> I take it you're referring to not being able to use loc? Ok, I tried
> with eth0, it seems to be doing something at least, seeing as http
> requests no longer succeed, but still nothing in the logs.
> I'm stumped, what am I doing wrong?

I never saw where you set up the second routing table but I may have missed it in your string of posts.

-Tom

PS -- I've never set this up & you can read the LARTC as well as I can...
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Daniel McAllansmith
2002-Nov-09 12:29 UTC
[Shorewall-users] Accessing transparent squid proxy
On Fri, 08 Nov 2002 14:29, Tom Eastep wrote:
> --On Saturday, November 09, 2002 2:44 AM +0000 Daniel McAllansmith
> <daniel@spinsoftware.co.nz> wrote:
> > On Fri, 08 Nov 2002 05:46, Tom Eastep wrote:
> >> --On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith
> >> <daniel@spinsoftware.co.nz> wrote:
> >
> > [snip]
> >
> >> > Do the rules look right for my situation?
> >>
> >> No. Section 15.5 of the Linux Advanced Routing and Traffic Control HOWTO
> >> describes in detail how to set this up.
> >>
> >> The "Packet Marking" step described in the HOWTO can be replaced by an
> >> entry in the /etc/shorewall/tcrules file (be sure to enable traffic
> >> control in /etc/shorewall/shorewall.conf):
> >>
> >> 2 eth0 0.0.0.0/0 tcp 80
> >>
> >> There is a link to the LARTC site from the Shorewall "Useful Links"
> >> page.
> >>
> >> -Tom
> >
> > Ok, if I understand correctly each packet which should go through squid
> > rather than straight to a webserver needs to be marked.
> > So I set
> >
> > TC_Enabled Yes
> >
> > and add
> >
> > 2 loc 0.0.0.0/0 tcp 80
>
> Better read the definition of column 2 again (and I should add an edit).
>
> -Tom

I take it you're referring to not being able to use loc? Ok, I tried with eth0, it seems to be doing something at least, seeing as http requests no longer succeed, but still nothing in the logs.
I'm stumped, what am I doing wrong?

Daniel